Data Processing Agreement

⚠️

Template notice: This DPA is provided as a template for convenience. It is not legal advice — have your own counsel review it before relying on it. For a countersigned copy, email privacy@getassurai.com.

Contents

Parties
Roles & Responsibilities
Subject Matter & Duration
Nature & Purpose
Data Subjects & Data
Sub-Processors
Security Measures
Data Subject Rights
International Transfers
Breach Notification
Deletion & Return
Contact

1. Parties

This Data Processing Agreement ("DPA") forms part of the agreement between:

The Customer ("Controller") — the organisation that has subscribed to the AssurAI platform; and
AssurAI Inc., a Delaware C-Corporation, San Jose, California, USA ("Processor").

This DPA applies to the extent the Processor processes Personal Data (as defined under the EU General Data Protection Regulation 2016/679 ("GDPR") and the UK GDPR) on behalf of the Controller.

2. Roles & Responsibilities

The Controller determines the purposes and means of processing the audit, compliance, and risk data it uploads to AssurAI. The Processor processes that Personal Data only on the Controller's documented instructions, including those set out in this DPA, the Privacy Policy, and the platform's configuration (such as the selected data region).

The Processor ensures that persons authorised to process Personal Data are bound by confidentiality obligations.

3. Subject Matter & Duration

Subject matter: the provision of the AssurAI AI-native GRC platform for audit, compliance, and risk management.

Duration: processing continues for the term of the Controller's subscription and for any post-termination retention period described in Section 11 and the Privacy Policy.

4. Nature & Purpose of Processing

Personal Data is processed to host, secure, and operate the platform and to provide its features, including AI-assisted generation of workpapers, controls testing, findings, and reports. AI processing is performed to produce outputs for the Controller only and is not used to train AI models.

Processing activity	Purpose
Storage & hosting	Persisting the Controller's audit data
Authentication	Securing account access
AI generation	Producing workpapers and analysis on request
Transactional email	Notifications, reminders, confirmations

5. Categories of Data Subjects & Personal Data

Data subjects

The Controller's employees and authorised platform users
Control owners, remediation owners, and reviewers named in audit records
External auditors granted portal access
Individuals referenced within evidence or workpaper content provided by the Controller

Categories of Personal Data

Identity & contact data (name, email, company, role)
Account & usage data (logins, audit trail, IP address)
Content data the Controller chooses to upload (evidence, findings, workpapers)

The Controller must not upload special categories of data unless strictly necessary and lawful.

6. Sub-Processors

The Controller authorises the Processor to engage the following sub-processors. Each is bound by a written agreement imposing data-protection obligations no less protective than this DPA.

Sub-processor	Service	Region
Supabase	Database & authentication	US or EU (per org data region)
Netlify	Application hosting & functions	US / global edge
Anthropic	AI processing (Claude API) — no training on customer data	US
Resend	Transactional email delivery	US

The Processor will give reasonable notice of any intended change to its sub-processors, allowing the Controller to object on reasonable data-protection grounds.

7. Security Measures

The Processor implements appropriate technical and organisational measures, including:

Encryption in transit (TLS 1.2+) and at rest (AES-256)
Row-level security (RLS) enforcing strict tenant isolation by organisation
Server-derived authorisation (org/role) on all platform API functions
Per-user API rate limiting and audit logging of sensitive actions
Multi-factor authentication availability and least-privilege access
Regular security assessments; SOC 2 program in progress

Further detail is available at getassurai.com/security.

8. Data Subject Rights

Taking into account the nature of the processing, the Processor assists the Controller (by appropriate technical and organisational measures, insofar as possible) in responding to requests to exercise data subject rights — access, rectification, erasure, restriction, portability, and objection.

The platform provides self-service data export (portability) and data deletion (erasure) tools from account settings. Deletion is confirmed via an emailed verification code and applied as an immediate soft-delete pending permanent removal under the retention policy.

9. International Transfers & Data Residency

AssurAI offers a data region selection (US or EU). For organisations on the EU region, primary database storage is provisioned in an EU Supabase project. Certain sub-processors (e.g. AI processing) may still process data in the United States.

Where Personal Data is transferred outside the EEA, UK, or Switzerland, such transfers are governed by the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, together with supplementary measures where required.

🌍

EU data residency requires the organisation to be provisioned on AssurAI's EU deployment. See our EU setup documentation or contact us to enable EU residency for your organisation.

10. Personal Data Breach Notification

The Processor will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data breach affecting the Controller's data, providing the information reasonably necessary for the Controller to meet its own notification obligations.

11. Deletion & Return of Data

On termination, or upon the Controller's request, the Processor will delete or return the Controller's Personal Data:

Self-service export is available at any time while the account is active.
Deletion requests are applied as a soft-delete immediately, then permanently removed in line with the Privacy Policy retention schedule (default 90 days).
Copies retained by sub-processors are deleted according to their own retention controls, except where retention is required by law.

12. Contact

Data protection: privacy@getassurai.com
General: hello@getassurai.com

Need a countersigned DPA?

We'll provide an executable copy for your records.

privacy@getassurai.com