Data Processing Addendum
Last updated: May 27, 2026
1. Scope
This Data Processing Addendum ("DPA") forms part of the master services agreement or other written agreement between AiCX, Inc. ("Processor") and the customer ("Controller") under which AiCX provides services that involve processing personal data.
2. Definitions
"Personal Data", "Controller", "Processor", "Data Subject", "Processing", "Sub-processor", and "Supervisory Authority" have the meanings given in Regulation (EU) 2016/679 ("GDPR"). "Applicable Data Protection Law" means the GDPR, the UK GDPR, the CCPA/CPRA, and any other applicable privacy or data-protection law.
3. Processing details
Subject matter: provision of the services described in the master agreement. Duration: the term of the master agreement. Nature and purpose: processing required to deliver the services. Categories of data subjects: Controller's customers, end users, and personnel. Categories of personal data: contact information, account data, communications content, and any other data submitted to the services by Controller.
4. Processor obligations
Processor shall (a) process personal data only on documented instructions from Controller, (b) ensure that personnel authorized to process personal data are bound by confidentiality, (c) implement appropriate technical and organizational measures, (d) assist Controller in responding to data-subject requests, and (e) notify Controller without undue delay of any personal-data breach.
5. Sub-processors
Controller authorizes Processor to engage sub-processors to support delivery of the services. A current list of sub-processors is available on request. Processor shall impose data-protection obligations on each sub-processor that are no less protective than those in this DPA.
6. International transfers
Where personal data is transferred outside the EEA, UK, or Switzerland, Processor shall ensure such transfers are made pursuant to Standard Contractual Clauses or another lawful transfer mechanism.
7. Security
Processor maintains a written information security program aligned with SOC 2, HIPAA, and PCI-DSS frameworks, including access controls, encryption in transit and at rest, vulnerability management, and incident response procedures.
8. Audit
Upon reasonable request and subject to confidentiality obligations, Processor shall make available to Controller information necessary to demonstrate compliance with this DPA, including third-party audit reports.
9. Deletion or return
Upon termination of the master agreement, Processor shall delete or return all personal data to Controller, except to the extent retention is required by law.
10. Liability
Each party's liability under this DPA is subject to the limitation of liability set forth in the master agreement.
11. Contact
To request the signed version of this DPA or for any data-protection inquiry, email legal@aicx.com.