Data Processing Addendum

Privacy Automated LLC

Last updated: June 4, 2026

Customers: This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Customer" or "Controller") and Privacy Automated LLC ("Privacy Automated," "we," "us," or "Processor"). It governs our processing of Customer Personal Data on your behalf in connection with the Services.

Acceptance: This DPA is automatically incorporated into and forms part of the Terms of Service for every paying Customer. No counter-signature is required for it to take effect; however, if your procurement process requires a signed copy, email info@privacyautomated.ai and we will provide one promptly.


1. Definitions

Capitalized terms not defined here have the meanings given in the Terms of Service or in the applicable Data Protection Laws. For the avoidance of doubt:

  • "Customer Personal Data" means any Personal Data that Customer or its Authorized Users submit to, generate within, or instruct Privacy Automated to process through the Services.
  • "Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under this DPA, including: (i) the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and supplementing member-state laws; (ii) the UK GDPR and the UK Data Protection Act 2018 ("UK GDPR"); (iii) the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA") and its implementing regulations; (iv) the Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA") and any substantially similar provincial legislation; and (v) any other privacy or data protection law in a jurisdiction where Customer is established or where Customer Personal Data originates.
  • "Personal Data," "Controller," "Processor," "Process / Processing," "Data Subject," "Personal Data Breach," and "Supervisory Authority" have the meanings given in the GDPR. Equivalent terms under other Data Protection Laws (e.g., "Personal Information," "Business," "Service Provider," "Consumer" under CCPA/CPRA; "Personal Information," "Organization" under PIPEDA) are deemed included.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission in Implementing Decision (EU) 2021/914 (the "EU SCCs"), and, for transfers subject to UK GDPR, the International Data Transfer Addendum issued by the UK Information Commissioner (the "UK IDTA").
  • "Sub-processor" means any third party engaged by Privacy Automated to Process Customer Personal Data on its behalf.

2. Roles and Scope of Processing

2.1 Roles. Customer is the Controller of Customer Personal Data. Privacy Automated is the Processor and processes Customer Personal Data solely on Customer's documented instructions and for the purposes set out in this DPA and Annex 1.

2.2 Customer instructions. Customer's instructions consist of (a) the Terms of Service, (b) this DPA, (c) Customer's use of the Services through documented Service functionality (for example: uploading a policy document, configuring a department-contact, triggering a DPIA, or routing a DSAR), and (d) any other written instructions agreed in writing by both parties. If we believe an instruction violates Data Protection Laws, we will inform Customer promptly and may suspend processing under that instruction.

2.3 CCPA/CPRA: Service Provider role. For Customer Personal Data subject to CCPA/CPRA, Privacy Automated is a "Service Provider" as defined under Cal. Civ. Code § 1798.140. Privacy Automated will not (a) sell or share Customer Personal Data; (b) retain, use, or disclose Customer Personal Data for any purpose other than the specific business purpose of providing the Services to Customer or as otherwise permitted by CCPA/CPRA; (c) retain, use, or disclose Customer Personal Data outside the direct business relationship between Privacy Automated and Customer; or (d) combine Customer Personal Data with Personal Information that Privacy Automated receives from or on behalf of any other person, or that Privacy Automated collects from its own interaction with the Consumer, except as permitted by CCPA/CPRA.

2.4 PIPEDA: Accountability. For Customer Personal Data subject to PIPEDA, Customer remains accountable for Personal Data transferred to Privacy Automated. Privacy Automated will provide a comparable level of protection while the Personal Data is in our custody, consistent with PIPEDA's 10 Fair Information Principles, and will not process the Personal Data for any purpose other than that for which it was originally collected and as instructed by Customer.

2.5 Scope. The subject matter, duration, nature, purpose, categories of data, and categories of data subjects of the processing are described in Annex 1 (Details of Processing).

3. Privacy Automated's Obligations

3.1 Compliance. Privacy Automated will Process Customer Personal Data in accordance with Data Protection Laws applicable to it as a Processor / Service Provider.

3.2 Confidentiality of personnel. Privacy Automated will ensure that any personnel authorized to Process Customer Personal Data (a) are bound by written confidentiality obligations, (b) have received appropriate training on the protection of Personal Data, and (c) only access Customer Personal Data on a need-to-know basis to deliver the Services.

3.3 Security measures. Privacy Automated has implemented and will maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. The measures in effect as of the date of this DPA are summarised in Annex 2 (Technical and Organizational Measures).

3.4 Cooperation. Taking into account the nature of the processing, Privacy Automated will provide reasonable assistance to Customer (through appropriate technical and organizational measures, including features of the Services) to enable Customer to:

  • (a) respond to requests from Data Subjects exercising their rights (including access, rectification, erasure, restriction, portability, and objection);
  • (b) ensure compliance with its obligations under Articles 32 to 36 of the GDPR (security, breach notification, DPIAs, and prior consultation);
  • (c) respond to inquiries and investigations by Supervisory Authorities.

3.5 Records of Processing. Privacy Automated will maintain records of its Processing of Customer Personal Data as required by Article 30(2) of the GDPR.

4. Sub-processors

4.1 General authorization. Customer provides Privacy Automated with general written authorization to engage Sub-processors to assist in providing the Services, subject to the conditions below.

4.2 Current Sub-processors. The current list of Sub-processors authorized for processing Customer Personal Data is published at privacyautomated.ai/subprocessors. Customer agrees that the Sub-processors listed at that URL as of the effective date of Customer's subscription are pre-authorized.

4.3 New Sub-processors. Before engaging a new Sub-processor, Privacy Automated will (a) update the published list at least fifteen (15) days in advance and, where Customer has subscribed to Sub-processor change notifications, send Customer an email notification; (b) impose written obligations on the Sub-processor that are no less protective than this DPA; and (c) remain liable for the acts and omissions of the Sub-processor in respect of Customer Personal Data.

4.4 Objection right. Customer may object to a new Sub-processor on reasonable data-protection grounds by emailing info@privacyautomated.ai within fifteen (15) days of notification. The parties will work in good faith to resolve the objection. If Privacy Automated cannot reasonably accommodate the objection, Customer may terminate the affected portion of the Services and receive a pro-rata refund of prepaid Fees for the unused portion.

5. International Transfers

5.1 Location of Processing. The primary application and database infrastructure for the Services is hosted in the European Union (Hetzner Cloud, Falkenstein, Germany). Off-site encrypted backups are stored in the United States (Backblaze B2, US-East), AES-256 encrypted client-side before upload. Certain Sub-processors providing identity, payment, transactional email, language-model inference, and source-code hosting are located in the United States (error monitoring runs on Sentry's EU region in Frankfurt), as identified in the published Sub-processor list. Privacy Automated will Process Customer Personal Data outside the country of origin only where lawful transfer mechanisms apply.

5.2 EU SCCs. For any transfer of Customer Personal Data from the EEA to a country not deemed adequate by the European Commission, the parties incorporate the EU SCCs by reference, with Module Two (Controller to Processor) selected for direct Customer-to-Privacy-Automated transfers and Module Three (Processor to Processor) for any onward transfers to Sub-processors. The following selections apply: Clause 7 (docking clause) is included; Clause 9(a) Option 2 (general written authorization) applies, with a fifteen (15) day notice period; Clause 11(a) (independent dispute resolution) does not apply; Clause 17 Option 1 (governing law of an EU Member State) applies with Ireland as the governing law; Clause 18(b) (forum) designates the courts of Ireland; Annex I, II, and III to the EU SCCs are populated by reference to Annexes 1 and 2 of this DPA and the Sub-processor list at privacyautomated.ai/subprocessors.

5.3 UK IDTA. For transfers subject to UK GDPR, the UK IDTA is incorporated by reference and the selections above apply, with "ICO" replacing references to EU supervisory authorities and English law and the English courts replacing references to Irish law and the Irish courts.

5.4 Supplementary measures. The technical and organizational measures in Annex 2, together with the contractual commitments in this DPA, constitute the supplementary measures referenced in the European Data Protection Board's Recommendations 01/2020.

6. Personal Data Breaches

6.1 Notification. Privacy Automated will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data.

6.2 Content. The notification will include, to the extent then known: (a) a description of the nature of the breach, including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the name and contact details of the Privacy Automated point of contact; (c) a description of the likely consequences of the breach; and (d) the measures taken or proposed to address the breach and mitigate its possible adverse effects.

6.3 Cooperation. Privacy Automated will cooperate with Customer's reasonable investigation and reporting obligations and will document the breach in a manner that allows Customer to demonstrate compliance with Article 33 of the GDPR (and equivalent provisions of other Data Protection Laws).

7. Audits

7.1 Documentation. Privacy Automated will make available to Customer information necessary to demonstrate compliance with this DPA, including the materials at privacyautomated.ai/security, our then-current security documentation, and our written responses to Customer security questionnaires submitted with reasonable advance notice.

7.2 On-site audits. If the documentation referenced in Section 7.1 is insufficient to satisfy a Supervisory Authority requirement, Customer may, no more than once per twelve-month period and subject to reasonable confidentiality and operational security requirements, request an on-site audit at Customer's expense. Customer must give at least thirty (30) days' written notice and, in good faith, attempt to limit any audit to the minimum necessary scope.

8. Deletion or Return of Customer Personal Data

8.1 On termination. Upon termination or expiration of the Services, Privacy Automated will, at Customer's choice, make Customer Personal Data available for export through the Services for thirty (30) days after the termination effective date, after which we will delete all Customer Personal Data from our active systems within thirty (30) further days, subject to Section 8.2.

8.2 Backups. Customer Personal Data may persist in encrypted, immutable backups beyond the timelines in Section 8.1; such backup copies will be deleted in accordance with our backup retention policy (currently thirty-five (35) days) and will not be Processed for any purpose other than as required to restore the Services in the event of a system failure or to meet a documented legal obligation.

8.3 Legal retention. Where Privacy Automated is required by applicable law to retain Customer Personal Data beyond the timelines above (for example, financial-records retention), the data will be archived, access-controlled, and Processed only for the retention purpose until lawful deletion is permitted.

9. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability to a Data Subject under Data Protection Laws.

10. Insurance

10.1 Coverage. Throughout the term of this DPA, Privacy Automated will maintain, at its own expense and with insurers having an A.M. Best rating of A- or better (or equivalent), Technology Errors & Omissions / Cyber Liability insurance with limits of not less than US$3,000,000 per claim and US$3,000,000 in the annual aggregate, covering: technology errors and omissions; network security and privacy liability (including breach of this DPA); regulatory investigations, proceedings, fines, and penalties to the extent insurable under applicable law; breach response and forensic expenses; and cyber extortion.

10.2 Certificate of insurance. Upon Customer's reasonable written request, Privacy Automated will provide a certificate of insurance evidencing the foregoing coverage. The provision of a certificate of insurance does not create rights of any kind on Customer's behalf against Privacy Automated's insurer and does not modify the coverage afforded by the policies referenced.

10.3 Limits not a cap on liability. The coverage limits in this Section 10 are minimum maintenance requirements only and do not limit, expand, or otherwise modify Privacy Automated's liability under this DPA or the Terms of Service. Privacy Automated's liability remains subject to the limitations and exclusions of liability set out in the Terms of Service.

11. General

11.1 Conflict. In the event of any conflict between this DPA and the Terms of Service with respect to the Processing of Customer Personal Data, this DPA controls.

11.2 Governing law. Except for transfers governed by the SCCs (which are subject to the governing law specified in Section 5.2), this DPA is governed by the law specified in the Terms of Service.

11.3 Severability. If any provision of this DPA is held invalid or unenforceable, the remainder of this DPA continues in full force and effect.

11.4 No third-party beneficiaries. Except as expressly provided in the SCCs (where applicable), this DPA does not confer any rights on any third party.


Annex 1 — Details of Processing

Subject matter: Provision of the Privacy Automated SaaS platform, including AI-assisted privacy operations (Q&A, DPIA/PIA generation, DSAR routing, vendor inventory, records of processing).

Duration: The term of Customer's subscription, plus the retention periods set out in Section 8.

Nature and purpose: Storage; retrieval; AI-assisted drafting, classification, and routing; verbatim capture of each call to a third-party large-language-model API made on Customer's behalf, together with the model's response, for the purposes of inspection, replay, and quality assurance (further detail below); email correspondence on Customer's behalf with internal teams and (where Customer instructs) external Data Subjects; audit logging; backup; analytics for service operation.

Categories of Data Subjects: Customer's own personnel (employees, contractors); Customer's customers, prospects, and applicants whose Personal Data Customer chooses to submit to the Services; Customer's vendors' personnel referenced in Customer's records.

Categories of Personal Data: Determined by Customer; typically contact information (name, business email, phone), employment data, vendor / supplier metadata, content of inbound privacy-question emails, content of DSARs and Customer's responses, and any Personal Data Customer chooses to upload as part of policies or DPIAs.

Special categories: Customer should not submit special-category data (Art. 9 GDPR) unless explicitly required by a specific DPIA or DSAR. Where submitted, Customer warrants it has a lawful basis under Article 9.

Language-model call captures. Each call the Services make to a third-party large-language-model API on Customer's behalf — including Q&A inference, the multi-label hard-block classifier, the grounding judge, the privacy-assessment intent classifier, intake suggester, intake-reply parser, duplicate-check, and the full DPIA / PIA generation step — is recorded as a workspace-scoped "capture record." A capture record contains the system prompt sent to the model, the message list (which may include Customer Personal Data, for example where a user has included Personal Data in a question), the model name and request parameters, and the raw response text. Capture records exist solely to enable Customer-driven inspection, model-output replay against the same model, and per-record erasure. Each capture record is stored under the same workspace-scoped row-level-security policy as all other Customer Personal Data (Annex 2). Customer's workspace administrators may, through Services endpoints, (i) list and inspect captures in their workspace, (ii) replay any individual capture against the same model, (iii) search captures by content for a Data Subject identifier in order to identify captures responsive to an Article 17 erasure request, and (iv) delete any individual capture. Capture records cascade-delete upon deletion of the workspace.

Frequency: Continuous, while the Services are active.

Retention. Customer Personal Data other than the capture records above is retained for the term of the subscription, then per Section 8. Capture records are retained for the per-workspace TTL configured in the Services (default ninety (90) days from the capture timestamp). A daily background task deletes capture records past the workspace's configured TTL. Customer may shorten the TTL via workspace settings, subject to a minimum of seven (7) days while the replay feature is enabled. Capture records may also be deleted individually before the TTL elapses via the workspace-admin per-capture deletion endpoint, and are cascade-deleted with the workspace.

Recipients: Privacy Automated personnel on a need-to-know basis; authorized Sub-processors per privacyautomated.ai/subprocessors.

Annex 2 — Technical and Organizational Measures

Full detail is published at privacyautomated.ai/security. In summary, Privacy Automated maintains:

  • Tenant isolation. Row-level security (RLS) on every customer-data table, enforced at the database role level; non-superuser database role for application traffic; automated tests that fail the build on any RLS regression.
  • Encryption. TLS 1.2+ for data in transit (HSTS, modern ciphers). AES-256 encryption at rest for the primary database and for off-site backups.
  • Authentication. Identity provided by Clerk (SOC 2 Type II); SSO, organization-scoped access, optional MFA available to Customer admins.
  • Access control. Principle of least privilege; production access restricted to authorized personnel; per-resource audit logging of access and changes.
  • Logging and monitoring. Workspace-scoped audit trail of significant events; LLM operation accounting with per-workspace spend caps; dead-man's-switch monitoring of the backup pipeline.
  • Backup and disaster recovery. Encrypted, geographically off-site daily backups (Backblaze B2, US-East); documented restore drill, performed and verified prior to GA.
  • Secure development. Code review for all changes; automated regression tests covering tenant isolation, authentication, and authorization; staging environment for pre-production validation; rapid rollback on failed deploy.
  • AI guardrails. Multi-label intent classifier blocks prompt-injection and out-of-policy questions; independent judge model on every Q&A; conservative escalation to human review on low confidence; per-workspace AI ops and spend caps.
  • Language-model call captures. Each language-model call is recorded as a workspace-scoped capture record (system prompt, message list, request parameters, raw response). Captures are stored in a row-level-security-enforced table; a default per-workspace retention of ninety (90) days is enforced by a daily background prune task; Customer workspace administrators may delete individual captures via a per-record deletion endpoint (the mechanism by which Customer fulfils Article 17 erasure requests where Customer Personal Data appears in a captured prompt or response); captures cascade-delete on workspace deletion. The system prompt used in each call carries a stable identifier and a SHA-256 hash published in the Services' prompt manifest; the per-call identifier and hash are recorded on the corresponding capture record so the exact prompt used to produce any captured response is independently verifiable.
  • Personnel. Confidentiality and acceptable-use obligations on all personnel; background-check process scaled to role.
  • Incident response. Documented incident-response runbook; 72-hour Personal Data Breach notification commitment to Customer (Section 6).
  • Vendor management. All Sub-processors bound by written terms no less protective than this DPA; published Sub-processor list with change notification.

This DPA was last updated on June 4, 2026 — Section 5.1 now reflects that primary application and database hosting moved from a United States VPS to Hetzner Cloud (Falkenstein, Germany) in May 2026; off-site backup remains in the United States (Backblaze B2). The Sub-processor list at privacyautomated.ai/subprocessors has been updated correspondingly. We will revise this DPA from time to time to reflect changes in Data Protection Laws, Sub-processors, or our technical and organizational measures. Material updates will be communicated in advance per Section 14 of the Terms of Service.

Questions? Email info@privacyautomated.ai.
