Last updated 29 April 2026 · Version 1.0

Data Processing Addendum

This Data Processing Addendum (DPA) forms part of the Service Agreement between the Customer and PhiVate (defined in Terms of Service Section 1) and applies whenever PhiVate processes personal data on behalf of the Customer in connection with AI Studio. A counsel-reviewed long-form DPA will replace this before public launch. This v1 covers the substantive obligations under GDPR Article 28, the Australian Privacy Act 1988, UAE Federal Decree-Law 45/2021, and the Sri Lanka Personal Data Protection Act 2022.

1. Definitions

Capitalised terms not defined here have the meaning given in the Terms of Service. Customer Personal Data means personal data the Customer makes available to PhiVate through the Service. Applicable Data Protection Law means GDPR, the Australian Privacy Act 1988, UAE Federal Decree-Law 45/2021, the Sri Lanka Personal Data Protection Act 2022, and any other privacy law that governs the Customer’s processing.

2. Subject matter

PhiVate processes Customer Personal Data solely to provide the Service and on the Customer’s documented instructions. Processing duration matches the Service term plus the data-retention windows in the Privacy Policy.

3. Roles

For Customer Personal Data, the Customer is the controller and PhiVate is the processor. For data PhiVate collects independently — sales contacts — PhiVate is the controller, governed by the Privacy Policy.

4. Data processed

Categories of data subject: the Customer’s employees, contractors, prospects, leads, customers, and audience members whose data the Customer uploads. Categories of data: contact information, behavioural data, generated marketing assets, and any additional fields the Customer chooses to upload.

5. Security

Technical and organisational measures: encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access control, least-privilege secrets management, mandatory MFA for staff, audit logging, segregated production environments, vendor due-diligence reviews, annual penetration testing, and a documented incident-response runbook.

6. Sub-processors

The Customer authorises the sub-processors below. We contractually require each to provide a level of data protection no less than this DPA. We give thirty days’ notice via email to account administrators of any addition or replacement; the Customer may object on reasonable grounds and, if we cannot resolve the objection, may terminate the affected portion of the Service.

Sub-processor        | Purpose                              | Region
Anthropic            | Strategy reasoning (Claude Sonnet 4) | United States
OpenAI               | Classification (GPT-4o mini)         | United States
Google Cloud         | SEO research (Gemini)                | United States, EU
Microsoft Azure      | AI orchestration & primary hosting   | Australia, EU, US
Canva                | Programmatic design generation       | Australia, US
Cloudflare           | Edge, CDN, DDoS protection           | Global
Stripe               | Subscription billing & payments      | Australia, EU, US
Postmark             | Transactional email delivery         | United States
Amazon Web Services  | Object storage (S3)                  | Australia, EU

7. International transfers

Cross-border transfers rely on adequacy decisions where available, Standard Contractual Clauses (EU/UK), the Australian APP 8 framework, the UAE adequacy regulations under Federal Decree-Law 45/2021, and equivalent safeguards under Sri Lanka PDPA. Transfer-impact assessments are maintained on file and available on request.

8. Data-subject rights assistance

We assist the Customer with access, correction, erasure, portability, restriction, and objection requests using appropriate technical and organisational measures, taking into account the nature of the processing. Forward requests to privacy@phivate.com; we acknowledge within five business days.

9. Breach notification

We notify the Customer without undue delay and, where feasible, within seventy-two hours of becoming aware of a personal-data breach affecting Customer Personal Data. The notification includes the nature of the breach, categories and approximate volume of data subjects, likely consequences, and measures taken or proposed.

10. Audits

On reasonable notice and no more than once every twelve months (more frequently if a regulator requires), we provide audit information sufficient to demonstrate compliance with this DPA — SOC 2 / ISO 27001 reports when available, or a written response to the Customer’s reasonable questionnaire. On-site audits are by mutual agreement.

11. Deletion or return on termination

On termination, the Customer may export Customer Personal Data within sixty days. After that window, we delete it from production systems within thirty days and from backups on the next backup-rotation cycle (no later than ninety days), except where Applicable Data Protection Law requires retention.

12. Liability

Liability under this DPA is subject to the liability cap in the Terms of Service, except where a higher minimum is required by Applicable Data Protection Law (in particular, GDPR Articles 82 and 83), in which case the statutory floor controls.

13. Order of precedence

If there is a conflict between the Terms of Service, the Privacy Policy, and this DPA in respect of the processing of Customer Personal Data, this DPA controls.

14. Governing law & contact

This DPA is governed by the law of the contracting entity identified in Terms of Service Section 15. Contact privacy@phivate.com for DPA matters.
