1. Scope + definitions
This Data Processing Agreement (DPA) forms part of the Master Subscription Agreement (or, for self-service customers, our Terms of Service) between TrustWays AI (operated by Ailoitte Technologies — the Processor) and you (the Controller).
Defined terms not explicitly defined here have the meanings ascribed in the GDPR (Regulation (EU) 2016/679), UK GDPR + Data Protection Act 2018, Swiss FADP, and India's DPDP Act 2023 — as applicable to the personal data being processed.
2. Roles + responsibilities
The Customer acts as Controller (or, where applicable, Processor for its own customers — in which case TrustWays AI acts as Subprocessor). TrustWays AI processes personal data only on documented instructions from the Customer.
3. Subject matter, duration, nature
Subject matter: processing necessary to provide the TrustWays AI compliance platform.
Duration: the term of the Master Subscription Agreement plus any retention period required by law.
Nature + purpose: hosting, storing, displaying, and operating the Customer's compliance records (AI system inventory, classifications, documents, risks, gaps, incidents, audit log, user metadata).
Categories of personal data: business contact data of Customer's users (name, email, role); audit-log metadata; any personal data the Customer chooses to include in documents / risks / gaps.
Categories of data subjects: Customer's employees + Customer's end-users where the Customer chooses to reference them in compliance artefacts.
4. Processing on documented instructions
We process personal data only on the Customer's documented instructions — the Master Subscription Agreement, this DPA, and any reasonable instructions given through the platform's standard configuration (data residency choice, user permissions, framework enablement). We will not process personal data for any other purpose without prior written authorisation.
If we are required by EU, UK, Swiss, or Indian law to process personal data in a way that conflicts with the Customer's instructions, we will notify the Customer before processing unless prohibited from doing so by law.
5. Confidentiality
All TrustWays AI personnel with access to personal data are bound by written confidentiality obligations or are subject to a statutory duty of confidentiality. Access is on a need-to-know basis.
6. Security measures
We implement and maintain the technical and organisational measures described in our Security Overview, including:
- encryption in transit (TLS 1.2+) and at rest (AES-256);
- multi-tenant row-level security;
- hash-chained audit logging;
- MFA enforcement for admins;
- principle of least privilege;
- regular vulnerability scanning;
- secrets management via cloud KMS;
- segregated dev/staging/production environments.
7. Subprocessors
The Customer grants general authorisation to engage subprocessors. The current list lives at /legal/subprocessors. We notify Customer admins by email of any addition or replacement of a subprocessor at least 30 days in advance. If you object to a new subprocessor on reasonable data-protection grounds, you may terminate the affected services without penalty.
8. International transfers
Where personal data must be transferred outside its origin region, we rely on:
- The EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) for transfers out of the EEA.
- The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs for transfers out of the UK.
- The Swiss SCCs / FDPIC recognised mechanisms for transfers out of Switzerland.
- Tracking of the country list notified under Section 16 of the DPDP Act for cross-border transfers from India.
A Transfer Impact Assessment (TIA) is available on request for EU/UK/Swiss customers.
9. Assistance to controller
Taking the nature of the processing into account, we assist the Customer with appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights (access, rectification, erasure, restriction, portability, objection), to perform DPIAs, and to engage in prior consultations with supervisory authorities.
10. Personal data breach
We will notify the Customer without undue delay (and in any event within 48 hours) of becoming aware of a personal data breach affecting the Customer's personal data. The notification will include the nature of the breach, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed.
11. Audits
On reasonable notice, the Customer may audit TrustWays AI's compliance with this DPA — directly (Enterprise customers, once per year, at the Customer's expense) or by reviewing the latest SOC 2 / ISO 27001 attestation report we maintain (once we have those).
12. Deletion + return
On termination, we delete the Customer's personal data within 90 days of effective termination, unless the law requires retention (e.g. SEBI's 5-year AI/ML I/O log retention). On request, we provide the Customer with an export of customer data in JSON or CSV format before deletion.
13. Termination
This DPA terminates simultaneously with the Master Subscription Agreement, except for clauses that survive by their nature (confidentiality, deletion, audits), which continue for the duration of any applicable retention period.