Data Processing Addendum
- Parties & definitions
- Subject matter & duration
- Nature & purpose of processing
- Categories of data & data subjects
- Processor obligations
- Subprocessors
- Assistance with data-subject rights
- Security measures
- Personal data breach
- Audit rights
- International transfers
- Deletion & return of data
- Term
- Contact
1. Parties & definitions
This DPA forms part of the agreement between the customer (“Controller”) and autogovern.io Governance Systems Inc. [ ● registered address ] (“Processor”, “we”, “us”) governing use of the autogovern.io platform (the “Service”, as defined in our Terms of Service). Terms such as “personal data”, “processing”, “controller”, “processor” and “data subject” have the meanings given in the UK/EU GDPR, and equivalent terms under other applicable data-protection law (e.g. the CCPA/CPRA) are read consistently with those meanings.
2. Subject matter & duration
We process personal data on the Controller's behalf only to provide the Service, for the duration of the Controller's use of the Service plus the retention periods described in §8 of our Privacy Policy.
3. Nature & purpose of processing
Processing consists of storing, analysing, and displaying the data the Controller or its users submit to the Service — for example, saved governance assessments, risk registers, Workbench artefacts (model cards, LLM-safety evaluations), and messages sent to the Governance Copilot — solely to operate, secure, and improve the Service and to respond to support requests. We do not process personal data for our own independent purposes or for third-party advertising.
4. Categories of data & data subjects
| Category | Examples | Data subjects |
|---|---|---|
| Contact & account data | Name, work email, company, role | Controller's personnel who use the Service |
| Assessment content | System descriptions, risk answers, saved documents the Controller chooses to upload or type | Whoever the Controller's own data describes — determined entirely by the Controller, not by us |
| Technical & usage data | IP-derived hash, browser/device type, session identifiers | Controller's personnel and site visitors |
The Controller is solely responsible for ensuring it has a lawful basis to submit any personal data (including about third parties) to the Service, per §5 (Acceptable use) of our Terms of Service.
5. Processor obligations
We will: (a) process personal data only on the Controller's documented instructions, including regarding international transfers, unless required otherwise by law; (b) ensure personnel authorised to process the data are subject to confidentiality obligations; (c) implement the security measures described in §8; (d) assist the Controller in responding to data-subject requests (§7); and (e) make available the information reasonably necessary to demonstrate compliance with this DPA.
6. Subprocessors
The Controller provides general authorisation for us to engage the subprocessors listed in §6 of our Privacy Policy, which is incorporated into this DPA by reference. We impose data-protection obligations on each subprocessor materially equivalent to those in this DPA, and we remain liable for their performance. We will notify the Controller of any intended addition or replacement of a subprocessor by updating that list and revising the “last updated” date on our Privacy Policy; the Controller may object on reasonable data-protection grounds by contacting us within a reasonable time of that update.
7. Assistance with data-subject rights
Where we receive a request from a data subject to exercise their rights (access, rectification, erasure, restriction, portability, or objection) and that request identifies the Controller, we will promptly forward it to the Controller. We will provide reasonable assistance to the Controller in responding to such requests, taking into account the nature of the processing and the information available to us.
8. Security measures
We maintain the technical and organisational measures described in §11 of our Privacy Policy — HTTPS/TLS in transit, security headers, rate-limiting, restricted access to stored data, and tamper-evident hash-chained logging for the Agent Control Plane ledger. We do not currently hold a SOC 2, ISO 27001, or similar third-party certification; see that section for the current state and how to raise this as part of a procurement process.
9. Personal data breach
We will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, consistent with §12 of our Privacy Policy, and will provide the information reasonably available to us to help the Controller meet its own notification obligations.
10. Audit rights
On reasonable prior written notice, and no more than once per year (except following a confirmed security incident), the Controller may request information reasonably necessary to verify our compliance with this DPA. We will provide available documentation (such as this DPA, our Privacy Policy, and relevant security descriptions) in the first instance; an on-site or third-party audit is available for enterprise engagements by separate written agreement.
11. International transfers
Where personal data is transferred outside the UK/EEA (including to the subprocessors in §6), we rely on appropriate safeguards such as Standard Contractual Clauses or an adequacy decision, consistent with §9 of our Privacy Policy.
12. Deletion & return of data
Following termination of the Service, and subject to the retention periods in §8 of our Privacy Policy (including any legal retention obligations), we will delete or anonymise the Controller's personal data. The Controller may request deletion at any time, or export of their saved assessments and Workbench artefacts before deletion, by contacting us.
13. Term
This DPA takes effect when the Controller begins using the Service and remains in effect for as long as we process personal data on the Controller's behalf under the Terms of Service.
14. Contact
Questions about this DPA: governance@autogovern.io.