Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") is entered into by and between:

AIDAR GmbH
Ohmoor 97a, 22455 Hamburg, Germany
("Processor", "AIDAR")

and

the Customer ("Controller") who has accepted the AIDAR Terms of Service and uses the Services in a business capacity.

This DPA supplements the AIDAR Terms of Service and forms part of the contractual relationship between the Customer and AIDAR in accordance with Article 28 of Regulation (EU) 2016/679 ("GDPR").

1. Subject Matter

This DPA governs the processing of personal data by AIDAR on behalf of the Customer as necessary to provide the Services described in the Terms of Service.

2. Nature and Purpose of Processing

AIDAR processes Customer Data strictly for the following purposes:

  • • Providing, maintaining, and improving the AIDAR platform and Services
  • • Personalizing AI-driven discovery features for the Customer
  • • Technical support, billing, and account management
  • • Ensuring platform security and performance

3. Types of Personal Data

Data processed may include:

  • • Names, email addresses, and login credentials of Users
  • • Organization names and account configuration data
  • • Payment and billing information (for admins only)
  • • Interaction logs (e.g., search history, ratings, preferences)

No special categories of personal data (as defined in Article 9 GDPR) are intentionally processed.

4. Categories of Data Subjects

The categories of data subjects include:

  • • Employees, contractors, and agents of the Customer who are Users of the platform

5. Duration of Processing

Processing shall continue for the duration of the Customer’s active subscription and until Customer Data is deleted in accordance with AIDAR’s Data Retention Policy or upon the Controller’s written request.

6. Sub-Processors

AIDAR uses sub-processors to support the provision of Services. The current list of sub-processors and their functions is available in the Privacy Policy and may be updated from time to time. AIDAR shall ensure sub-processors are subject to data protection obligations consistent with this DPA.

7. Technical and Organizational Measures (TOMs)

AIDAR implements the following TOMs:

  • • Encrypted data transmission via TLS/SSL
  • • Access control by role-based permissions and authentication
  • • Data isolation by tenant/user accounts
  • • Logging and monitoring of access to production systems
  • • Regular security updates to infrastructure and codebase
  • • Hosting on ISO 27001-certified data centers (e.g., IONOS, Azure)

8. Rights and Obligations of the Controller

The Controller is responsible for:

  • • Ensuring the lawfulness of the personal data collected and processed
  • • Informing data subjects as required under Articles 13 and 14 GDPR
  • • Handling data subject requests (e.g., access, correction, deletion)

9. Assistance to the Controller

AIDAR will provide reasonable assistance in:

  • • Responding to data subject requests
  • • Conducting Data Protection Impact Assessments (DPIAs)
  • • Notifying supervisory authorities in the event of data breaches, as applicable

10. Deletion and Return of Data

Upon termination of the Agreement, AIDAR shall delete or anonymize Customer Data in accordance with its Data Retention Policy. Upon written request submitted at least 14 days prior to termination, Customer Data will be returned in a commonly used export format.

11. Audit Rights

The Controller may request documentation to demonstrate compliance with this DPA. On-site audits shall only be conducted if legally required and with at least 30 days' prior written notice.

12. Governing Law and Jurisdiction

This DPA shall be governed by the laws of the Federal Republic of Germany. Exclusive jurisdiction lies with the courts of Hamburg, unless otherwise required by applicable data protection law.

13. Miscellaneous

This DPA is effective upon acceptance of the AIDAR Terms of Service and applies for the duration of the Controller's use of the Services. In the event of a conflict with the Terms of Service, the provisions of this DPA shall prevail to the extent of such conflict in matters relating to data protection.

Contact for Privacy Matters:

team@aidar.ai