AJAIA Data Processing Addendum (DPA)

Effective Date: December 5, 2025

Last Updated: December 5, 2025

Introduction

This Data Processing Addendum ("DPA") forms part of the Terms of Service ("Agreement") between [LEGAL ENTITY NAME TO BE PROVIDED] ("AJAIA," "Processor," "we," "us") and the entity agreeing to these terms ("Customer," "Controller," "you") for the provision of the AJAIA platform and services.

This DPA applies where AJAIA processes Personal Data on behalf of Customer in connection with the Service, and such processing is subject to European Data Protection Law (including GDPR), UK Data Protection Law, or other applicable data protection legislation requiring a data processing agreement.

By executing or electronically accepting this DPA, Customer and AJAIA agree to comply with its terms.


1. Definitions

1.1 "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of Processing of Personal Data.

1.2 "Customer Data" means any Personal Data that AJAIA Processes on behalf of Customer in the course of providing the Service.

1.3 "Data Protection Law" means all applicable laws relating to data protection and privacy, including:

  • The EU General Data Protection Regulation 2016/679 ("GDPR")
  • The UK GDPR and Data Protection Act 2018
  • The California Consumer Privacy Act ("CCPA") and California Privacy Rights Act ("CPRA")
  • Any other applicable data protection legislation

1.4 "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

1.5 "Personal Data" means any information relating to an identified or identifiable natural person.

1.6 "Processing" (and "Process") means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.

1.7 "Processor" means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.

1.8 "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.

1.9 "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission (Decision 2021/914).

1.10 "Sub-processor" means any Processor engaged by AJAIA to Process Customer Data on behalf of Customer.


2. Scope and Roles

2.1 Roles of the Parties

  • Customer is the Controller of Customer Data
  • AJAIA is the Processor of Customer Data
  • AJAIA Processes Customer Data only on behalf of Customer and in accordance with Customer's documented instructions

2.2 Processing Details

| Element | Description |
|---|---|
| Subject Matter | AI-powered workflow analysis and automation services |
| Duration | The term of the Agreement plus any retention period required by law or this DPA |
| Nature and Purpose | Processing work item data, user communications, and related content to provide AI analysis, epic breakdown, test case generation, and sprint planning services |
| Types of Personal Data | Names, email addresses, user identifiers, work item content (which may contain personal data), usage data, IP addresses |
| Categories of Data Subjects | Customer's employees, contractors, and end users; individuals referenced in work items |

3. Customer Obligations

3.1 Lawful Instructions

Customer shall:

  • Ensure that its Processing instructions to AJAIA comply with applicable Data Protection Law
  • Ensure that it has obtained all necessary consents, authorizations, and legal bases for the Processing of Personal Data by AJAIA
  • Be responsible for the accuracy, quality, and legality of Customer Data provided to AJAIA

3.2 Data Subject Rights

Customer is responsible for responding to Data Subject requests. AJAIA will assist Customer as described in Section 7.

3.3 Compliance

Customer shall comply with all applicable Data Protection Law in connection with its use of the Service and Processing of Personal Data.


4. AJAIA Obligations

4.1 Processing Instructions

AJAIA shall:

  • Process Customer Data only on Customer's documented instructions, unless required by applicable law (in which case AJAIA will inform Customer before Processing, unless prohibited by law)
  • Inform Customer if, in AJAIA's opinion, an instruction infringes Data Protection Law

4.2 Documented Instructions

Customer's instructions are documented in:

  • The Agreement (Terms of Service)
  • This DPA
  • Customer's configuration and use of the Service
  • Any additional written instructions agreed between the parties

4.3 Confidentiality

AJAIA shall ensure that persons authorized to Process Customer Data:

  • Are subject to confidentiality obligations (whether contractual or statutory)
  • Process Customer Data only as necessary to provide the Service

4.4 Security Measures

AJAIA shall implement and maintain appropriate technical and organizational measures to protect Customer Data, as detailed in Section 5.

4.5 Sub-processing

AJAIA shall comply with the Sub-processor requirements in Section 6.

4.6 Assistance

AJAIA shall assist Customer with:

  • Data Subject requests (Section 7)
  • Security obligations (Section 5)
  • Data Protection Impact Assessments and prior consultations with supervisory authorities, where required

4.7 Deletion or Return

Upon termination of the Agreement, AJAIA shall, at Customer's choice:

  • Delete all Customer Data within 90 days, or
  • Return Customer Data in a structured, commonly used format within 30 days of request

AJAIA may retain Customer Data as required by applicable law, with such data subject to the confidentiality and security provisions of this DPA.

4.8 Audit Rights

AJAIA shall:

  • Make available to Customer all information necessary to demonstrate compliance with this DPA
  • Provide Customer with AJAIA's SOC 2 Type II report (when available) or equivalent audit report annually upon request
  • Allow and contribute to audits, including inspections, conducted by Customer or an independent auditor mandated by Customer, subject to:
    • 30 days' advance written notice
    • Reasonable confidentiality obligations
    • Audits conducted during normal business hours
    • Customer bearing the costs of any on-site audit

5. Security Measures

5.1 Technical Measures

AJAIA implements and maintains the following technical security measures:

| Measure | Implementation |
|---|---|
| Encryption at Rest | AES-256-GCM encryption for all stored Customer Data |
| Encryption in Transit | TLS 1.2 or higher for all data transmission |
| Access Controls | Role-based access control (RBAC); principle of least privilege |
| Authentication | Secure password hashing (bcrypt, 12 rounds); optional multi-factor authentication |
| Network Security | Firewalls, intrusion detection, DDoS protection |
| Credential Protection | Platform-specific secure storage (Windows Credential Manager, macOS Keychain) |
| Vulnerability Management | Regular security assessments; prompt remediation of vulnerabilities |

5.2 Organizational Measures

| Measure | Implementation |
|---|---|
| Personnel Security | Background checks for personnel with access to Customer Data; confidentiality agreements |
| Training | Regular privacy and security awareness training |
| Access Management | Access provisioning/deprovisioning procedures; regular access reviews |
| Incident Response | Documented incident response plan; regular testing |
| Business Continuity | Backup procedures; disaster recovery capabilities |

5.3 Compliance Certifications

  • SOC 2 Type II: Targeted for 2026 (currently ~75% control implementation)
  • Annual Security Assessment: Third-party penetration testing

6. Sub-processors

6.1 Current Sub-processors

Customer authorizes AJAIA to engage the following Sub-processors:

| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic, PBC | AI/ML processing | United States |
| Vercel Inc. | Cloud hosting and infrastructure | United States (global edge) |
| Neon Inc. | Database hosting | United States |
| Stripe, Inc. | Payment processing | United States |
| Twilio SendGrid | Email delivery | United States |

6.2 Sub-processor Obligations

AJAIA shall:

  • Enter into written agreements with each Sub-processor imposing data protection obligations no less protective than those in this DPA
  • Remain liable to Customer for the acts and omissions of its Sub-processors

6.3 New Sub-processors

Before engaging a new Sub-processor:

  • AJAIA shall notify Customer at least 30 days in advance by email to the address associated with Customer's account
  • The notification shall include the Sub-processor's name, location, and Processing activities
  • Customer may object to the new Sub-processor within 14 days of notification by providing written notice with reasonable grounds for objection
  • If AJAIA cannot reasonably accommodate the objection, Customer may terminate the affected Service by providing written notice within 30 days

6.4 Sub-processor List

A current list of Sub-processors is maintained at [URL to be provided] and is available upon request at privacy@subscriptionsense.com.


7. Data Subject Rights

7.1 Assistance with Requests

AJAIA shall:

  • Promptly notify Customer if AJAIA receives a request from a Data Subject regarding Customer Data
  • Not respond directly to Data Subject requests unless authorized by Customer or required by law
  • Assist Customer in responding to Data Subject requests, including requests for:
    • Access to Personal Data
    • Rectification of inaccurate data
    • Erasure of Personal Data
    • Restriction of Processing
    • Data portability
    • Objection to Processing

7.2 Response Time

AJAIA shall respond to Customer's requests for assistance within 10 business days.

7.3 Customer Self-Service

Where possible, AJAIA provides Customer with self-service tools to:

  • Access Customer Data
  • Export Customer Data
  • Delete Customer Data

8. Security Incident Notification

8.1 Notification Timeline

AJAIA shall notify Customer of any Security Incident without undue delay, and in any event within 72 hours of becoming aware of the incident.

8.2 Notification Content

AJAIA's notification shall include, to the extent known:

  • Description of the nature of the Security Incident
  • Categories and approximate number of Data Subjects concerned
  • Categories and approximate number of Personal Data records concerned
  • Name and contact details of AJAIA's point of contact
  • Likely consequences of the Security Incident
  • Measures taken or proposed to address the Security Incident

8.3 Cooperation

AJAIA shall:

  • Cooperate with Customer in investigating and mitigating the Security Incident
  • Provide reasonable assistance in Customer's notifications to supervisory authorities and Data Subjects
  • Document the Security Incident, including facts, effects, and remedial action taken

8.4 Limitations

AJAIA's notification of or response to a Security Incident shall not be construed as an acknowledgment of fault or liability.


9. International Data Transfers

9.1 Transfer Mechanisms

For transfers of Customer Data from the EU/EEA/UK to countries not deemed adequate by the European Commission or UK authorities (including the United States), AJAIA relies on:

Primary Mechanism: EU-US Data Privacy Framework (where applicable)

Supplementary Mechanism: EU Standard Contractual Clauses (2021/914):

  • Module 2 (Controller to Processor) applies to this DPA
  • The SCCs are incorporated by reference and form part of this DPA
  • In case of conflict between this DPA and the SCCs, the SCCs shall prevail

9.2 SCC Annexes

The following details apply to the SCCs:

Annex I.A (List of Parties):

  • Data Exporter: Customer (as identified in the Agreement)
  • Data Importer: AJAIA ([LEGAL ENTITY NAME], [ADDRESS])

Annex I.B (Description of Transfer):

  • As set forth in Section 2.2 of this DPA

Annex I.C (Competent Supervisory Authority):

  • The supervisory authority of the EU Member State where Customer is established, or where Data Subjects whose Personal Data is transferred are located

Annex II (Technical and Organizational Measures):

  • As set forth in Section 5 of this DPA

9.3 Transfer Impact Assessment

AJAIA has conducted a Transfer Impact Assessment ("TIA") evaluating the legal framework in the United States. A summary is available upon request.

9.4 Supplementary Measures

AJAIA implements supplementary measures including:

  • Encryption of data in transit and at rest
  • Access controls limiting who can access Customer Data
  • Policies requiring legal process for government access requests
  • Commitment to challenge overly broad requests

10. Term and Termination

10.1 Term

This DPA shall remain in effect for the duration of AJAIA's Processing of Customer Data under the Agreement.

10.2 Survival

The following sections shall survive termination: Section 4.7 (Deletion or Return), Section 8 (Security Incident Notification), Section 9 (International Transfers), and Section 11 (Liability).

10.3 Data Handling Post-Termination

Upon termination of the Agreement:

  • Customer has 30 days to request data export via Settings > Privacy > Export Data
  • AJAIA shall delete Customer Data within 90 days after the later of: (a) termination of the Agreement, or (b) completion of any requested data return
  • AJAIA shall provide written confirmation of deletion upon request

11. Liability

11.1 Liability Cap

Each party's total aggregate liability arising out of or relating to this DPA (including the SCCs) shall be subject to the limitations set forth in the Agreement.

11.2 Indemnification

Each party shall indemnify the other for damages arising from the indemnifying party's breach of this DPA, subject to the limitations in the Agreement.


12. General Provisions

12.1 Order of Precedence

In the event of conflict between this DPA and the Agreement, this DPA shall prevail with respect to Processing of Personal Data. In the event of conflict between this DPA and the SCCs, the SCCs shall prevail.

12.2 Amendments

This DPA may be amended only by written agreement signed by both parties, except that AJAIA may update the Sub-processor list in accordance with Section 6.3.

12.3 Severability

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

12.4 Governing Law

This DPA shall be governed by the laws specified in the Agreement, except that:

  • The SCCs shall be governed by the law of the EU Member State specified in Annex I.C
  • For UK transfers, the UK Addendum to the SCCs shall apply and be governed by UK law

12.5 Entire Agreement

This DPA, together with the Agreement and SCCs, constitutes the entire agreement between the parties regarding the Processing of Customer Data.


13. Contact Information

Data Protection Inquiries:
privacy@subscriptionsense.com

Legal Inquiries:
legal@subscriptionsense.com

Mailing Address:
[PHYSICAL ADDRESS TO BE PROVIDED]


Signatures

Customer:

Name: ________________________________

Title: ________________________________

Date: ________________________________

Signature: ________________________________

AJAIA ([LEGAL ENTITY NAME]):

Name: ________________________________

Title: ________________________________

Date: ________________________________

Signature: ________________________________


This DPA is effective upon execution by both parties or upon Customer's electronic acceptance through the Service.


Appendix A: Standard Contractual Clauses

The EU Standard Contractual Clauses (Module 2: Controller to Processor) as adopted by Commission Implementing Decision (EU) 2021/914 are incorporated by reference and available at:

https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj


Appendix B: UK International Data Transfer Addendum

For transfers from the United Kingdom, the UK Addendum to the EU SCCs (as issued by the UK Information Commissioner's Office) is incorporated by reference and available at:

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/

© 2025 AJAIA. All rights reserved.