Data Processing Agreement

Last updated: May 1, 2026

1. Scope

This Data Processing Agreement ("DPA") supplements the Terms of Service and governs the processing of personal data by APIR on behalf of the Customer. It applies to all personal data processed through the Service.

2. Roles

For the purposes of GDPR and equivalent data protection laws: the Customer is the Data Controller; APIR is the Data Processor. APIR processes personal data only on documented instructions from the Customer.

3. Processing Details

Categories of Data Subjects: Customer's employees, end-users, AI agent operators, compliance officers, and transaction counterparties.

Types of Personal Data: Names, email addresses, job titles, IP addresses, usage logs, and any personal data contained within uploaded documents.

Purpose: Providing AI verification, compliance assessment, transaction due diligence, and reporting services.

Duration: For the term of the subscription plus the data retention period specified in the Privacy Policy.

4. Security Measures

APIR implements appropriate technical and organizational measures including: encryption (AES-256 at rest, TLS 1.3 in transit), access controls, audit logging, employee training, incident response procedures, and regular security assessments.

5. Sub-processors

APIR maintains a list of approved sub-processors. We will notify the Customer at least 30 days before engaging a new sub-processor. The Customer may object to a new sub-processor by notifying us within 14 days.

6. International Transfers

Where personal data is transferred outside the EEA, APIR ensures adequate protection through EU Standard Contractual Clauses (SCCs), supplementary measures, and transfer impact assessments as required.

7. Data Subject Rights

APIR will assist the Customer in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) within the timeframes required by applicable law.

8. Breach Notification

APIR will notify the Customer of any personal data breach without undue delay and no later than 48 hours after becoming aware. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken.

9. Audit Rights

The Customer may audit APIR's compliance with this DPA upon reasonable notice (no more than once per year). APIR will provide relevant certifications (SOC 2 Type II) and respond to written questionnaires.

10. Contact

Data Protection Officer: dpo@apir.ai