Important: This Data Processing Agreement (DPA) supplements our Terms of Service and Privacy Policy. It governs the processing of personal data in accordance with GDPR, CCPA, and other applicable privacy laws.
1. Definitions
Controller
The organization or individual using E-ARI Platform services who determines the purposes and means of processing personal data.
Processor
E-ARI Platform, which processes personal data on behalf of the Controller in accordance with this agreement.
Personal Data
Any information relating to an identified or identifiable natural person, including assessment responses, user profiles, and usage data.
Processing
Any operation performed on personal data, including collection, storage, analysis, and reporting.
2. Scope and Purpose
This DPA applies to all personal data processing activities conducted by E-ARI Platform in connection with the provision of AI readiness assessment services. The purposes of processing include:
Providing AI readiness assessment and evaluation services
Generating personalized reports and recommendations
Managing user accounts and authentication
Providing customer support and onboarding services
Ensuring platform security and preventing fraud
Complying with legal and regulatory requirements
Improving platform functionality and user experience
3. Categories of Personal Data
3.1 User Information
Name, email address, and contact information
Organization details and professional information
Account credentials and authentication data
User roles and permissions
3.2 Assessment Data
Responses to AI readiness questionnaires
Assessment results and scoring data
Organizational AI maturity metrics
Usage patterns and platform interactions
3.3 Technical Data
Device and browser information
IP addresses and location data
Platform usage analytics
Performance and error logs
4. Data Processing Principles
4.1 Lawfulness, Fairness, and Transparency
All personal data processing is conducted in accordance with applicable privacy laws, with clear communication about processing activities and purposes.
4.2 Purpose Limitation
Personal data is processed only for specified, explicit, and legitimate purposes as outlined in this agreement.
4.3 Data Minimization
We collect and process only the personal data that is necessary for the stated purposes.
4.4 Accuracy
We maintain accurate and up-to-date personal data and provide mechanisms for data subjects to correct inaccurate information.
4.5 Storage Limitation
Personal data is retained only for as long as necessary to fulfill the stated purposes or as required by law.
4.6 Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction.
5. Data Subject Rights
We support the following data subject rights in accordance with applicable privacy laws:
Right of Access: Data subjects can request access to their personal data
Right to Rectification: Data subjects can request correction of inaccurate data
Right to Erasure: Data subjects can request deletion of their personal data
Right to Restrict Processing: Data subjects can request limitation of processing
Right to Data Portability: Data subjects can request their data in a structured format
Right to Object: Data subjects can object to certain processing activities
Rights Related to Automated Decision-Making: Data subjects have rights regarding automated processing
Data subjects can exercise these rights through our Privacy Dashboard or by contacting privacy@e-ari.com.
6. Data Security Measures
6.1 Technical Safeguards
Encryption of data in transit (TLS 1.3) and at rest (AES-256)
Multi-factor authentication and role-based access controls
Regular security assessments and penetration testing
Network security and intrusion detection systems
Secure development practices and code reviews
6.2 Organizational Safeguards
Employee training on data protection and privacy
Confidentiality agreements and background checks
Incident response and breach notification procedures
Regular compliance audits and assessments
Data protection impact assessments (DPIA)
7. Data Residency and International Transfers
7.1 Regional Data Storage
We offer flexible data residency options to meet your organization's compliance requirements:
United States (US): SOC 2 Type II compliant infrastructure
European Union (EU): GDPR compliant with EU data residency
Asia-Pacific (APAC): Regional compliance including PDPA
7.2 Transfer Safeguards
For international data transfers, we implement appropriate safeguards including:
Standard contractual clauses (SCCs)
Adequacy decisions by relevant authorities
Certified data protection frameworks
Data residency controls and monitoring
8. Sub-Processors and Third Parties
We may engage sub-processors to assist in providing our services. All sub-processors are:
Subject to the same data protection obligations as outlined in this DPA
Required to implement appropriate technical and organizational measures
Listed in our sub-processor registry with notification of changes
Bound by written agreements that ensure compliance with applicable privacy laws
Current sub-processors include cloud infrastructure providers, analytics services, and customer support tools. A complete list is available upon request.
9. Data Breach Notification
In the event of a personal data breach, we will:
Notify the Controller without undue delay and within 72 hours where feasible
Provide detailed information about the nature and scope of the breach
Assist in notifying affected data subjects where required
Cooperate with relevant supervisory authorities
Implement remedial measures to prevent future breaches
10. Data Retention and Deletion
10.1 Retention Periods
Active Accounts: Duration of subscription plus 2 years
Assessment Data: 7 years for enterprise accounts, 3 years for individual accounts
Audit Logs: 7 years for compliance purposes
Support Data: 3 years after ticket resolution
10.2 Deletion Procedures
Upon expiration of retention periods or upon request, we will:
Securely delete personal data from all systems and backups
Provide confirmation of deletion to the Controller
Maintain records of deletion for audit purposes
Ensure deletion is irreversible and complete
11. Compliance and Auditing
We maintain compliance with applicable privacy laws and regulations through:
SOC 2 Type II certification with regular audits
GDPR and CCPA compliance programs
Regular privacy impact assessments
Third-party security and compliance audits
Continuous monitoring and improvement of data protection measures
Controllers may request audit reports and compliance documentation subject to confidentiality agreements.
12. Liability and Indemnification
Each party's liability for data protection violations is limited to direct damages arising from breaches of this DPA. Both parties agree to indemnify each other against claims arising from their respective violations of applicable privacy laws.
13. Governing Law and Dispute Resolution
This DPA is governed by applicable privacy laws and regulations. Any disputes will be resolved through binding arbitration or courts of competent jurisdiction, with preference for the jurisdiction of the data subjects' residence.
14. Amendments and Updates
This DPA may be updated to reflect changes in applicable laws or our processing activities. Material changes will be communicated to Controllers with 30 days' advance notice. Continued use of our services after changes constitutes acceptance of the updated DPA.
Contact Information
For questions about this Data Processing Agreement or to exercise data subject rights: