Data Processing Agreement

Data Processing Agreement for Raidu Enterprise Customers

This Data Processing Agreement (“DPA”) forms part of the Agreement for Services (“Principal Agreement”) between Raidu, Inc. (“Processor”) and the entity executing the Principal Agreement (“Controller”).

1. Definitions

In this DPA:

  • “Data Protection Laws” means all applicable data protection and privacy laws including GDPR, CCPA, and any other applicable legislation.
  • “Personal Data” means any information relating to an identified or identifiable natural person.
  • “Processing” means any operation performed on Personal Data.
  • “Sub-processor” means any third party engaged by Processor to process Personal Data.

2. Processing of Personal Data

2.1 Scope and Purpose

Processor shall process Personal Data only for the purpose of providing the Services as described in the Principal Agreement and in accordance with Controller’s documented instructions.

2.2 Categories of Data

  • User account information (names, email addresses, roles)
  • AI interaction data (prompts, responses, metadata)
  • Usage analytics and performance metrics
  • Security logs and audit trails

2.3 Categories of Data Subjects

  • Controller’s employees and contractors
  • Controller’s authorized users
  • Controller’s customers (if applicable)

3. Processor’s Obligations

3.1 Compliance

Processor shall:

  • Process Personal Data only on documented instructions from Controller
  • Ensure persons processing Personal Data are subject to confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist Controller in responding to data subject requests
  • Make available information necessary to demonstrate compliance

3.2 Security Measures

Processor implements and maintains:

  • Encryption of data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and penetration testing
  • Incident detection and response procedures
  • Business continuity and disaster recovery plans

3.3 Data Breach Notification

Processor shall notify Controller without undue delay after becoming aware of a Personal Data breach, providing:

  • Nature of the breach
  • Categories and approximate number of affected data subjects
  • Likely consequences
  • Measures taken or proposed to address the breach

4. Sub-processors

4.1 Authorized Sub-processors

Controller acknowledges and agrees that Processor may engage the following Sub-processors:

Sub-processor       | Location | Purpose
Amazon Web Services | USA      | Cloud infrastructure
Cloudflare          | Global   | CDN and security
Stripe              | USA      | Payment processing
SendGrid            | USA      | Email delivery

4.2 New Sub-processors

Processor shall:

  • Inform Controller of intended changes concerning Sub-processors
  • Provide Controller the opportunity to object to such changes
  • Ensure Sub-processors are bound by data protection obligations

5. International Transfers

5.1 Transfer Mechanisms

Where Personal Data is transferred outside the EEA, Processor shall ensure:

  • Appropriate safeguards are in place (Standard Contractual Clauses)
  • Transfer is to an adequate jurisdiction
  • Another valid transfer mechanism applies

5.2 Data Localization

Upon request and subject to additional fees, Processor can provide data residency options for specific jurisdictions.

6. Controller’s Obligations

Controller shall:

  • Ensure lawful basis for Processing
  • Provide necessary instructions for Processing
  • Ensure accuracy of Personal Data
  • Comply with all applicable Data Protection Laws

7. Data Subject Rights

7.1 Assistance

Processor shall assist Controller in fulfilling obligations to respond to data subject requests for:

  • Access to Personal Data
  • Rectification or erasure
  • Data portability
  • Restriction of Processing
  • Objection to Processing

7.2 Technical Measures

Processor provides technical features enabling Controller to:

  • Export user data
  • Delete user accounts
  • Modify Personal Data
  • Restrict Processing

8. Audits and Inspections

8.1 Information and Audit Rights

Processor shall:

  • Make available necessary information to demonstrate compliance
  • Allow for and contribute to audits conducted by Controller or an authorized auditor
  • Provide relevant certifications (SOC 2, ISO 27001)

8.2 Audit Procedures

  • Audits require 30 days written notice
  • Limited to once per calendar year unless required by Data Protection Laws
  • Conducted during regular business hours
  • Subject to confidentiality agreements

9. Return and Deletion

Upon termination of the Principal Agreement, Processor shall:

  • Return all Personal Data to Controller in a standard format
  • Delete existing copies unless required by law
  • Provide certification of deletion upon request

10. Liability and Indemnification

10.1 Liability

Each party’s liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Principal Agreement.

10.2 Indemnification

Each party shall indemnify the other against losses arising from breach of this DPA or Data Protection Laws.

11. Term and Termination

This DPA shall remain in effect for the duration of the Principal Agreement and survive termination to the extent necessary for compliance with Data Protection Laws.

12. Miscellaneous

12.1 Amendments

Modifications to this DPA must be agreed in writing, except for updates to the Sub-processor list, which follow Section 4.2.

12.2 Governing Law

This DPA is governed by the same law as the Principal Agreement.

12.3 Severability

If any provision is invalid or unenforceable, the remainder shall continue in full force.

Annex 1: Technical and Organizational Measures

Physical Security

  • Secured data center facilities
  • Access control systems
  • Environmental controls
  • Video surveillance

System Security

  • Firewalls and intrusion detection
  • Anti-malware protection
  • Vulnerability management
  • Patch management

Data Security

  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • Key management procedures
  • Data classification policies

Access Control

  • Role-based access control (RBAC)
  • Multi-factor authentication
  • Privileged access management
  • Regular access reviews

Operational Security

  • Change management procedures
  • Logging and monitoring
  • Incident response plan
  • Business continuity planning

Personnel Security

  • Background checks
  • Confidentiality agreements
  • Security training
  • Security awareness programs

To execute this DPA: This DPA is incorporated into and governed by the Principal Agreement. No separate signature is required.

For questions regarding this DPA, contact: privacy@raidu.com