Data Processing Addendum
Last updated: 16 February 2026
1. Introduction
This Data Processing Addendum ("DPA") forms part of the services agreement ("Agreement") between:
- Customer ("Controller"): the entity that has entered into an Agreement for use of the AI SpendOps platform
- AI SpendOps Ltd ("Processor"): a company registered in England and Wales (company number 17046015), operating as AI SpendOps
This DPA applies to the extent that the Processor processes Personal Data on behalf of the Controller in connection with the provision of the AI SpendOps platform. The terms "Personal Data", "Processing", "Data Subject", "Controller", and "Processor" have the meanings given to them in the UK GDPR and EU GDPR.
This DPA is designed to satisfy the requirements of Article 28 of the UK GDPR and EU GDPR.
2. Scope & Duration
This DPA applies for the duration of the Agreement between the Controller and the Processor. It covers all Processing of Personal Data carried out by the Processor on behalf of the Controller in connection with the AI SpendOps platform.
Upon termination of the Agreement, the provisions of Section 12 (Data Return & Deletion) apply.
3. Details of Processing
| Item | Details |
|---|---|
| Subject matter | Provision of the AI SpendOps API proxy platform, including usage tracking, cost attribution, and governance reporting |
| Nature of processing | Collection, recording, organisation, storage, retrieval, aggregation, and reporting of usage metadata derived from API calls routed through the proxy |
| Purpose | To provide the Controller with usage analytics, cost attribution, spend governance, and policy enforcement for AI API calls |
| Types of Personal Data | Hashed API key identifiers, usage metadata (token counts, cost calculations, model identifiers, request timing), custom dimension headers set by the Controller |
| Categories of Data Subjects | The Controller's employees, contractors, and authorised users who make API calls through the AI SpendOps proxy |
Note: AI SpendOps does not process prompts, completions, or any AI-generated content. Only usage metadata passes through our systems.
4. Customer Instructions
The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. In such case, the Processor shall inform the Controller of that legal requirement before Processing, unless prohibited by law.
The Controller's instructions are documented in the Agreement, this DPA, and any written instructions provided through the AI SpendOps management portal (such as configuration of dimensions, policies, and retention settings).
5. Confidentiality
The Processor shall ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is limited to personnel who require it for the performance of their duties in connection with the Agreement.
6. Security Measures
The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Data minimisation: only usage metadata is processed; prompts and completions are never stored or logged
- Encryption in transit: all data transmitted via TLS
- Encryption at rest: all stored data encrypted using industry-standard algorithms
- Pseudonymisation: API keys are stored as irreversible HMAC-SHA-256 hashes
- Access controls: role-based access control (RBAC) with principle of least privilege
- Enterprise infrastructure: services hosted on Cloudflare Workers and Microsoft Azure with their respective security certifications
- Audit logging: all access to and operations on Personal Data are logged
For further details, see our Security page.
7. Sub-processors
The Controller provides general written authorisation for the Processor to engage sub-processors. The Processor shall:
- Notify the Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance
- Provide the Controller with an opportunity to object to such changes
- Impose on each sub-processor, by way of contract, data protection obligations no less protective than those in this DPA
If the Controller objects to a new sub-processor on reasonable grounds related to data protection, the parties shall discuss the concern in good faith. If no resolution is reached, the Controller may terminate the affected services without penalty.
Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Proxy hosting, edge compute, KV storage, queue processing | Global (edge network) |
| Microsoft Corporation (Azure) | Database hosting, application services, serverless functions | UK / EU |
| Stripe, Inc. | Payment processing, billing management | US / EU |
AI providers are not sub-processors of AI SpendOps Ltd. When the Controller's API calls are routed through the AI SpendOps proxy to AI providers (e.g. OpenAI, Anthropic, Google), those providers process data under the Controller's own agreement with them. AI SpendOps does not determine the purposes or means of that processing.
8. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests to exercise their rights under applicable data protection law. This includes requests for access, rectification, erasure, restriction, portability, and objection.
The Processor shall promptly notify the Controller if it receives a request from a Data Subject directly, and shall not respond to such request without the Controller's prior written authorisation, unless required by law.
9. Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach. The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected
- The name and contact details of the Processor's data protection contact
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate its effects
10. Data Protection Impact Assessments
The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with supervisory authorities that the Controller is required to carry out under Article 35 or Article 36 of the UK GDPR or EU GDPR, taking into account the nature of the Processing and the information available to the Processor.
11. International Transfers
The Processor shall not transfer Personal Data outside the United Kingdom or European Economic Area unless appropriate safeguards are in place:
- UK transfers: governed by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as applicable
- EU transfers: governed by the European Commission's Standard Contractual Clauses (SCCs), Module 3 (processor to processor)
- Adequacy decisions: where the destination country has an adequacy decision from the UK Secretary of State or the European Commission, transfers may proceed on that basis
12. Data Return & Deletion
Upon termination of the Agreement, the Processor shall, at the Controller's election:
- Return all Personal Data to the Controller in a commonly used, machine-readable format; or
- Delete all Personal Data and confirm deletion in writing
This shall be completed within 30 days of termination, unless the Controller provides instructions to the contrary.
The Processor may retain Personal Data to the extent required by applicable law (e.g. billing records for HMRC compliance), in which case it shall inform the Controller of the retention and its legal basis, and shall continue to protect such data in accordance with this DPA.
13. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and applicable data protection law, and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
The Processor may satisfy audit requests by providing:
- Third-party audit reports (e.g. SOC 2 Type II, ISO 27001 certification) covering the relevant period
- Completed security questionnaires or assessments
- Documentation of technical and organisational measures
On-site audits shall be limited to once per year, conducted during normal business hours with at least 30 days' prior written notice, and subject to reasonable confidentiality obligations. The Controller shall bear the costs of any on-site audit.
14. Liability
The liability of each party under this DPA is subject to the exclusions and limitations of liability set out in the Agreement. Nothing in this DPA limits either party's liability to Data Subjects under applicable data protection law.
Questions about this DPA?
Please contact us through our contact form or see our Privacy Policy for more information about how we handle personal data.