Data Processing Addendum
Effective date: May 11, 2026
Last updated: May 11, 2026
This Data Processing Addendum (“DPA”) is entered into between the organization subscribing to and using Aitros Engagement (“Customer” or “Controller”) and Aitros Engagement (“Processor” or “Aitros”) and forms part of the agreement under which Aitros provides the Aitros Engagement platform (“Services”).
1. Definitions
- Personal Data: Information relating to an identified or identifiable individual processed by Aitros on behalf of Customer through the Services.
- Subprocessor: A third party engaged by Aitros to process Personal Data — see our Subprocessors list.
- Applicable Data Protection Law: GDPR, UK GDPR, CCPA/CPRA, and other laws applicable to Customer's use of the Services.
2. Roles
Customer is the Controller (or Processor acting on behalf of its controller) for employee and participant data submitted to the Services. Aitros is the Processor, except for account, billing, and website data where Aitros may act as Controller as described in the Privacy Policy.
3. Processing details
| Element | Description |
|---|---|
| Subject matter | Organizational values, engagement, and leadership assessment platform |
| Duration | Term of the main agreement |
| Nature / purpose | Hosting, analysis, reporting, notifications, AI-assisted features as configured |
| Categories of data subjects | Customer employees, managers, assessment participants |
| Categories of Personal Data | Names, work emails, titles, assessment responses, feedback, usage metadata |
| Special categories | Not intentionally collected; Customer shall not submit special category data without agreement |
4. Processor obligations
Aitros shall:
- Process Personal Data only on documented instructions from Customer (including this DPA and the Services configuration), unless required by law.
- Ensure personnel with access are bound by confidentiality.
- Implement appropriate technical and organizational measures (see Security measures summary below).
- Not sell or share Personal Data for cross-context behavioral advertising.
- Assist Customer with data subject requests in accordance with Applicable Data Protection Law and our published privacy procedures.
- Notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer Personal Data.
- Delete or return Personal Data upon termination, subject to legal retention, using deletion tools or export as agreed.
5. Subprocessors
Customer authorizes Aitros to engage Subprocessors listed at https://aitrosengagement.com/subprocessors. Aitros will notify Customer of material changes by email or in-app notice at least 30 days before a new Subprocessor processes Customer Personal Data, where practicable. Customer may object on reasonable grounds relating to data protection by contacting hello@aitrosengagement.com.
6. International transfers
Where Personal Data is transferred outside the EEA/UK, Aitros relies on appropriate safeguards (including Standard Contractual Clauses or equivalent mechanisms) as applicable under Applicable Data Protection Law.
7. Audits
Upon reasonable notice, Customer may request information necessary to demonstrate compliance, including summaries of SOC 2 reports or security questionnaires, no more than once per year unless required by a regulator.
8. Security measures (summary)
Aitros maintains controls including:
- Encryption in transit (TLS) and at rest (cloud provider)
- Role-based access and database row-level security
- Authentication, rate limiting, and fail-closed administrative endpoints
- Audit logging for privileged administrative actions
- Change management via version control and CI security checks
- Incident response procedures
Additional details are available on request or in our Security Overview.
9. AI processing
Unless otherwise agreed in writing, Aitros does not use Customer assessment responses or chat transcripts to train third-party foundation models. AI providers process data only to deliver configured features, as described in our AI Use Disclosure.
10. Term
This DPA remains in effect for the duration of the Services agreement.
11. Acceptance
By registering for or continuing to use the Services and accepting the related legal agreements at account registration, Customer agrees to this Data Processing Addendum. For a countersigned copy or questions about data processing terms, contact hello@aitrosengagement.com.