Data Processing Addendum
This Data Processing Addendum (“DPA”) is entered into between [Your legal entity], [registered address] (“Controller”), and AIOProductOS Inc., a Delaware C-Corporation, 131 Continental Dr, Suite 305, Newark, DE 19713, United States (file no. 10681442) (“Processor”), effective [date]. It forms part of the agreement under which Processor provides AIOProductOS to Controller and reflects GDPR Article 28.
1 · Roles & subject matter
Processor processes personal data on behalf of Controller solely to provide AIOProductOS, for the duration of the subscription. Controller is the controller of that personal data; Processor is the processor.
2 · Nature, purpose & data
The nature and purpose of processing is the hosting, storage, analytics, AI assistance, and communications that Controller configures in the product. The personal data and categories of data subjects are those Controller chooses to process — typically Controller's staff and the end users of Controller's product, and identifiers, contact details, usage/event data, and content.
3 · Processor obligations (Art 28(3))
- Process personal data only on Controller's documented instructions, including for transfers, unless required by law.
- Ensure persons authorised to process are bound by confidentiality.
- Implement appropriate technical and organisational measures under Art 32 — encryption in transit and at rest, per-tenant isolation via row-level security, access control, and logging.
- Engage subprocessors only under §4 below.
- Assist Controller, by appropriate measures, to respond to data-subject rights requests.
- Assist Controller with security, personal-data-breach notification (Art 33–34), and data-protection impact assessments (Art 35–36).
- At Controller's choice, delete or return personal data at the end of the services, subject to legal retention.
- Make available the information necessary to demonstrate compliance, and allow for and contribute to audits.
4 · Subprocessors
Controller authorises the subprocessors listed at status.aioproductos.com/subprocessors, kept current. Before adding a new subprocessor that processes personal data, Processor publishes the change there at least 30 days in advance and notifies Controller via the subprocessor change feed at status.aioproductos.com/subscribe (email, RSS, or Atom). Controller may object during that window; if a reasonable objection cannot be resolved, Controller may terminate the affected service. Each subprocessor is bound by data-protection terms no less protective than this DPA.
5 · International transfers
Where personal data is transferred outside the EEA, the parties rely on the European Commission's Standard Contractual Clauses, which are incorporated by reference. Controller selects an EU or US data region in the product; data resides in the chosen region.
6 · Breach notification
Processor notifies Controller without undue delay after becoming aware of a personal-data breach affecting Controller's data, with the information Controller needs to meet its own obligations.
7 · Deletion & return
On termination, Processor deletes or returns the personal data at Controller's choice, including via the product's full-organisation export and deletion, save where retention is required by law.
8 · Precedence
This DPA supplements the service agreement. To the extent of any conflict on the processing of personal data, this DPA prevails.
[Your legal entity]
Signature:
Name: [signatory]
Title: [title]
Email: [email]
Date: [date]
AIOProductOS Inc.
131 Continental Dr, Suite 305, Newark, DE 19713, United States · file no. 10681442
Signature:
Name: AIOProductOS Inc.
Title: Authorised signatory
Email: privacy@aioproductos.com