Data Processing Agreement
Last updated: December 28, 2024
This Data Processing Agreement (DPA) governs the processing of personal data under GDPR and other privacy laws.
This Data Processing Agreement ("DPA") forms part of the Terms of Service between AI Port ("Processor") and you ("Controller") and governs the processing of personal data in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR).
This DPA applies when you use AI Port to process personal data of individuals in the European Economic Area (EEA), UK, or other jurisdictions with similar data protection requirements.
Note: For Enterprise customers, a custom DPA can be negotiated. Contact support@ai-port.me for more information.
Key terms used in this DPA:
- "Controller": You, the customer, who determines the purposes and means of processing personal data
- "Processor": AI Port, which processes personal data on behalf of the Controller
- "Personal Data": Any information relating to an identified or identifiable natural person
- "Processing": Any operation performed on personal data (collection, storage, use, disclosure, deletion)
- "Sub-processor": Third-party processors engaged by AI Port (e.g., Anthropic, OpenAI)
- "Data Subject": An individual whose personal data is processed
Nature and Purpose
AI Port processes personal data solely for the purpose of providing the Service as described in the Terms of Service, including:
- Processing AI prompts and generating responses
- Storing chat history and uploaded files
- Managing user accounts and authentication
- Processing payments and billing
- Providing customer support
Types of Personal Data
Personal data processed may include:
- Account information (name, email, company name)
- Payment information (billing details, not full credit card numbers)
- Usage data (feature usage, model selection, timestamps)
- Content data (prompts, chat history, uploaded files)
- Technical data (IP address, device information, browser type)
Categories of Data Subjects
- Account holders (customers)
- Team members of customer organizations
- End users interacting with the customer's AI implementations
AI Port agrees to:
- Process Lawfully: Process personal data only on documented instructions from you
- Confidentiality: Ensure that personnel authorized to process personal data are under confidentiality obligations
- Security: Implement appropriate technical and organizational measures to ensure data security
- Sub-processors: Engage sub-processors only with your prior consent (general or specific)
- Data Subject Rights: Assist you in responding to data subject requests (access, deletion, etc.)
- Breach Notification: Notify you of any personal data breaches without undue delay
- Data Return/Deletion: Return or delete personal data at the end of the service relationship
- Audits: Make available information necessary to demonstrate compliance
As Controller, you agree to:
- Legal Basis: Ensure you have a lawful basis for processing personal data through AI Port
- Data Subject Rights: Comply with data subject rights and privacy obligations under applicable laws
- Data Accuracy: Ensure personal data is accurate and up to date
- Instructions: Provide clear, lawful instructions for data processing
- Third-Party Consent: Obtain necessary consents from data subjects for processing
Authorization
By accepting this DPA, you authorize AI Port to engage the following sub-processors:
- Anthropic PBC - AI model provider (Claude models)
- OpenAI L.L.C. - AI model provider (GPT models)
- Cloud infrastructure providers - Hosting and storage
- Payment processors - Billing and payments (e.g., Stripe)
Sub-processor Changes
We will notify you of any intended changes concerning the addition or replacement of sub-processors. You may object to such changes within 30 days. If we cannot accommodate your objection, you may terminate the Service.
Sub-processor Obligations
All sub-processors are bound by data protection obligations equivalent to those in this DPA through contracts or other legally binding acts.
AI Port implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data in transit and appropriate protections at rest
- Ability to ensure ongoing confidentiality, integrity, availability, and resilience
- Regular testing and evaluation of security effectiveness
- Pseudonymization and encryption where appropriate
- Access controls and authentication requirements
- Regular security audits and vulnerability assessments
For detailed information, see our Security & Compliance page.
AI Port will assist you in fulfilling data subject rights requests, including:
- Right of Access: Provide access to personal data
- Right to Rectification: Correct inaccurate data
- Right to Erasure: Delete personal data ("right to be forgotten")
- Right to Restriction: Restrict certain processing activities
- Right to Portability: Provide data in a machine-readable format
- Right to Object: Object to certain processing activities
We will respond to your assistance requests within a reasonable timeframe. You are responsible for responding to data subjects within legal deadlines.
In the event of a personal data breach, AI Port will:
- Notify you without undue delay (within 72 hours of discovery)
- Provide details of the breach, including categories and approximate numbers of data subjects affected
- Describe likely consequences and measures taken to address the breach
- Assist in your breach notification obligations to supervisory authorities and data subjects
You remain responsible for determining whether to notify supervisory authorities and data subjects as required by law.
Personal data may be transferred to and processed in countries outside the EEA. AI Port ensures appropriate safeguards:
- Standard Contractual Clauses (SCCs): We use EU-approved SCCs for transfers to third countries
- Adequacy Decisions: We may rely on adequacy decisions where applicable
- Additional Safeguards: Technical measures like encryption to protect data during transfer
Upon request, we will provide copies of the transfer mechanisms in place.
Upon termination or expiration of the Service:
- Return: You may request a copy of your data within 30 days (export functionality available in account settings)
- Deletion: All personal data will be deleted from production systems within 30 days and from backups within 90 days
- Retention Exceptions: Data required to be retained by law will be securely stored and isolated until the retention period expires
AI Port will make available to you information necessary to demonstrate compliance with this DPA:
- Security documentation may be provided where applicable
- Security documentation and certifications
- Responses to reasonable audit questionnaires
For Enterprise customers, on-site audits may be arranged:
- Reasonable advance notice required (minimum 30 days)
- During normal business hours
- Subject to confidentiality obligations
- Limited to once per year (unless breach suspected)
Each party's liability under this DPA is subject to the limitation of liability provisions in the Terms of Service.
AI Port is liable to you for damages caused by processing personal data in violation of this DPA or applicable data protection laws, subject to the limitations in the Terms of Service.
This DPA remains in effect as long as AI Port processes personal data on your behalf. Upon termination of the Terms of Service, this DPA will automatically terminate once all personal data has been returned or deleted in accordance with this DPA.
For questions or requests related to this DPA:
- Email: support@ai-port.me (Data Protection Officer)
- Legal inquiries: support@ai-port.me
- Enterprise custom DPA: support@ai-port.me