Document ID: DPA-BIZ-2026-001 · Effective: On Customer acceptance of the Bodaty Terms of Service or first Business-tier access, whichever is earlier.
This is Bodaty’s Business-tier click-through Data Processing Agreement — the default DPA for Business-edition subscribers (Starter, Growth, Scale).
Looking for the Enterprise negotiated template (on-site audit, custom residency, countersignature)? See /legal/dpa-enterprise/. Looking for the Community free-tier DPA? See /legal/community-dpa/.
ABOUT THIS DPA
This Data Processing Agreement (“DPA”) governs Processor’s Processing of Personal Data on behalf of Business-edition Customers of the AICtrlNet / HitLai Platform. It is a click-through agreement: by accepting the Bodaty Terms of Service or by continuing to use a Business-tier subscription, Customer accepts this DPA without further signature.
Customers who require a negotiated, countersigned DPA — typically as a condition of procurement at companies of more than approximately 500 employees, or in regulated sectors — should use the Enterprise Negotiated DPA Template at aictrlnet.com/legal/dpa-enterprise instead of this DPA. The Enterprise template adds: on-site audit rights, custom data residency commitments, dedicated DPO/security-team contacts, custom sub-processor objection windows, negotiated SCC parties and clauses, and a countersignature page.
This DPA is incorporated by reference into the Bodaty Terms of Service at aictrlnet.com/legal/terms (the “Principal Agreement”). Capitalized terms not defined in this DPA have the meanings given in the Principal Agreement or in applicable Data Protection Laws.
PARTIES
This DPA is between:
BODATY LLC (“Processor”, “AICtrlNet”, “Bodaty”, “we”, “us”, or “our”) An Illinois Limited Liability Company 200 E. 5th Ave., Suite 121DE Naperville, IL 60563 United States Email: privacy@aictrlnet.com
AND
The Customer identified in the Bodaty account that accepted the Principal Agreement (“Controller”, “Customer”, or “you”).
1. DEFINITIONS
“Controller” means Customer.
“Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under this DPA, including: the EU General Data Protection Regulation 2016/679 (“GDPR”); the UK GDPR and Data Protection Act 2018; the California Consumer Privacy Act as amended by the CPRA (“CCPA/CPRA”); the Virginia Consumer Data Protection Act; the Colorado Privacy Act; the Connecticut Data Privacy Act; Brazil’s LGPD; Canada’s PIPEDA; and any other applicable national, federal, state, provincial, or local privacy legislation.
“Personal Data”, “Processing” (and its cognates), “Data Subject”, “Personal Data Breach”, “Processor”, “Sub-processor”, “Special Categories of Personal Data”, “Supervisory Authority”, and “Standard Contractual Clauses” / “SCCs” have the meanings given in the GDPR (and, where applicable, the UK GDPR and CCPA/CPRA).
“AI System” means any machine-learning or artificial-intelligence component of the Services, including foundation-model inference, workflow prediction, risk scoring, anomaly detection, and natural-language processing features.
“Automated Decision-Making” means any decision based solely on automated Processing, including profiling, that produces legal effects concerning a Data Subject or similarly significantly affects them.
“Controller Inputs and Outputs” means Personal Data, Customer Confidential Information, prompts, and AI System outputs submitted to or generated by the Services on behalf of Customer.
“Services” means the AICtrlNet / HitLai Business-edition platform and any related Services delivered to Customer under the Principal Agreement, including any Doing-With-You (“DWY”) implementation hours bundled with Customer’s subscription.
2. SCOPE AND NATURE OF PROCESSING
2.1 Subject Matter
This DPA applies to all Processing of Personal Data by Processor on behalf of Controller in connection with the provision of the Business-edition Services.
2.2 Nature and Purpose of Processing
Processor shall Process Personal Data only as necessary to:
(a) provide the Business-edition workflow automation, AI governance, and human-in-the-loop (“HITL”) collaboration features; (b) operate, maintain, secure, and support the Services; (c) enable authentication, authorization, audit logging, and compliance reporting; (d) deliver DWY implementation hours bundled with Customer’s subscription; (e) respond to Controller’s documented instructions consistent with the Principal Agreement; and (f) comply with applicable legal obligations.
2.3 Description of Processing
The complete description of Processing — including categories of Personal Data, categories of Data Subjects, processing operations, and AI-specific processing — is set forth in Annex A below.
2.4 Duration
This DPA remains in effect for the duration of the Principal Agreement and continues until all Personal Data has been deleted or returned in accordance with Section 12 (Data Return and Deletion).
3. CATEGORIES OF PERSONAL DATA
3.1 Personal Data Processed
The Services Process the following categories of Personal Data, as further detailed in Annex A:
- Account and identity data (names, email addresses, user IDs, job titles)
- Contact and communication data
- Technical and usage data (IP addresses, device identifiers, session logs)
- Workflow and business-process data submitted by Customer
- AI governance and compliance data (risk-assessment inputs/outputs, audit trail records)
3.2 Special Categories of Personal Data
Processor does not request or intentionally collect Special Categories of Personal Data. Customer acknowledges that such data may be incidentally included in workflow content uploaded by Customer’s users. If Customer will use the Services to Process Special Categories of Personal Data, Customer is solely responsible for establishing a valid legal basis under Article 9 of the GDPR or equivalent.
3.3 Children’s Data
The Services are not directed at children under 16. Customer warrants it will not use the Services to Process Personal Data of children without appropriate parental consent and legal basis.
4. OBLIGATIONS OF THE PROCESSOR
4.1 Documented Instructions
Processor shall Process Personal Data only on Customer’s documented instructions, including with regard to transfers of Personal Data to a third country, unless required to do so by law. Customer’s instructions are set forth in this DPA, the Principal Agreement, Customer’s use of the Services (configuration and settings), and any additional written instructions Customer provides. If Processor reasonably believes an instruction violates Data Protection Laws, Processor shall promptly notify Customer and may suspend the relevant Processing.
4.2 Confidentiality of Personnel
Processor shall ensure that all personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations, have received data-protection training, and Process Personal Data only as necessary to perform their job functions, applying the principle of least privilege.
4.3 Security Measures
Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by GDPR Article 32 and other applicable Data Protection Laws. These measures include, at minimum:
(a) encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256); (b) role-based access control with multi-factor authentication on personnel access; (c) ongoing logging, monitoring, and alerting on security-relevant events; (d) periodic vulnerability scanning and patch management; (e) tested backup and disaster-recovery procedures; (f) secure software development lifecycle practices including code review and dependency scanning.
A fuller description of measures appears in Annex B.
4.4 Sub-processor Management
4.4.1 Authorization
Customer hereby provides general written authorization for Processor to engage Sub-processors to Process Personal Data on Customer’s behalf, subject to this Section 4.4.
4.4.2 Current Sub-processors
The authoritative list of current Sub-processors is maintained at aictrlnet.com/legal/sub-processors. The list as of the Effective Date is summarized in Annex C for convenience; in case of inconsistency, the published list controls.
4.4.3 Sub-processor Notification
Processor shall provide Customer with prior notice of any intended Sub-processor change as follows:
(a) AI Sub-Processors. For any addition, replacement, or material expansion of an AI Sub-Processor (defined as any Sub-processor that processes Controller Personal Data using machine-learning inference or training infrastructure, including Foundation Model Providers such as Anthropic, OpenAI, Google (Gemini), AWS Bedrock, Cohere, Azure OpenAI, HuggingFace, DeepSeek, and Mistral), Processor shall provide at least fifteen (15) days’ prior notice. The shorter period reflects the higher cadence of change in the AI vendor ecosystem. Customer-controlled or self-hosted Foundation Model runtimes that Customer configures (e.g., Ollama or vLLM on Customer infrastructure) are not AI Sub-Processors under this DPA because Processor does not engage them on Controller’s behalf.
(b) Other Sub-Processors. For any other Sub-processor change, Processor shall provide at least thirty (30) days’ prior notice.
(c) Notification Channels. Notification will be provided via update to aictrlnet.com/legal/sub-processors and, where Customer has subscribed, by email to Customer’s designated privacy contact.
4.4.4 Objection Right
Customer may object to a new Sub-processor on reasonable data-protection grounds by emailing privacy@aictrlnet.com within fifteen (15) days of notification. If the Parties cannot resolve the objection within thirty (30) days, Customer may terminate the affected Services by written notice to Processor without penalty; Customer shall not be entitled to a refund of any prepaid fees unless required by applicable law.
4.4.5 Sub-processor Agreements
Processor shall (i) enter into a written agreement with each Sub-processor imposing data-protection obligations substantially similar to those in this DPA, (ii) remain liable to Customer for the performance of each Sub-processor’s obligations, and (iii) ensure each Sub-processor provides sufficient guarantees of appropriate technical and organizational measures.
4.5 Assistance with Data Subject Rights
Taking into account the nature of the Processing, Processor shall assist Customer by appropriate technical and organizational measures (insofar as possible) in responding to requests by Data Subjects exercising their rights under Data Protection Laws, including access, rectification, erasure, restriction, portability, objection, and rights related to Automated Decision-Making. If Processor receives a request from a Data Subject directly, Processor shall promptly (within five (5) business days) notify Customer and shall not respond to the Data Subject directly unless authorized by Customer or required by law. Reasonable assistance is provided at no additional charge; excessive, repetitive, or manifestly unfounded requests may incur reasonable administrative fees.
4.6 Personal Data Breach Notification
In the event of a Personal Data Breach affecting Customer’s Personal Data, Processor shall notify Customer without undue delay and in any event within seventy-two (72) hours of becoming aware of the Breach. Notification will be sent by email to Customer’s designated security contact and through in-platform notification. The notification will include, to the extent known, the nature of the Breach (categories and approximate volume of Data Subjects and records concerned), Processor’s contact for further information, the likely consequences, and the measures taken or proposed. Processor shall cooperate with Customer in investigating and mitigating the Breach. Customer is responsible for determining whether the Breach is notifiable to Supervisory Authorities or Data Subjects and for making such notifications within applicable timeframes (e.g., GDPR Article 33’s 72 hours).
Note on cadence. The Enterprise Negotiated DPA Template commits Processor to a 48-hour breach notification window. The Business click-through cadence in this Section 4.6 is set at the GDPR Article 33 statutory ceiling. Customers requiring a 48-hour or shorter contractual commitment should use the Enterprise template.
4.7 Data Protection Impact Assessments
Taking into account the nature of Processing and the information available, Processor shall provide reasonable assistance to Customer with data protection impact assessments and prior consultations with Supervisory Authorities that Customer is required to carry out under GDPR Articles 35-36 or equivalent provisions.
4.8 Audit Rights
Processor shall make available to Customer all information reasonably necessary to demonstrate compliance with the obligations set forth in this DPA. In place of on-site inspections (which are reserved for the Enterprise Negotiated DPA Template), Customer’s audit right under this Business click-through DPA is satisfied by Processor making available, upon written request and subject to confidentiality obligations:
(a) Processor’s then-current SOC 2 Type II report (or equivalent), once such report is available; (b) Summaries of penetration test results (redacted as necessary for security); (c) Annex B (Technical and Organizational Measures), updated from time to time at aictrlnet.com/legal/dpa; (d) Annex C (Sub-processors List), maintained at aictrlnet.com/legal/sub-processors; (e) Written responses to Customer’s reasonable security and privacy questionnaires, limited to one (1) per twelve-month period unless triggered by a Personal Data Breach or material change in Processing.
Customers requiring on-site inspections must use the Enterprise Negotiated DPA Template.
5. OBLIGATIONS OF THE CONTROLLER
5.1 Lawfulness
Customer represents and warrants that (a) it has the authority to bind users and Affiliates that access the Services through Customer’s account; (b) its instructions to Processor and its own Processing of Personal Data through the Services comply with applicable Data Protection Laws; (c) it has obtained all necessary consents or has another valid legal basis for the Processing; and (d) it shall not provide Personal Data to Processor in violation of Data Protection Laws.
5.2 Customer Configuration
Customer is responsible for configuring the Services in accordance with security best practices, including the AI governance controls described in Section 9, multi-factor authentication, role assignments, and HITL approval policies appropriate to Customer’s risk profile.
5.3 Data Subject Communications
Customer is responsible for providing appropriate privacy notices to Data Subjects and for responding to Data Subject requests. Customer shall coordinate with Processor as necessary using the assistance described in Section 4.5.
5.4 Data Accuracy
Customer is responsible for the accuracy, quality, and integrity of Personal Data provided to Processor and for updating or correcting Personal Data as necessary.
6. INTERNATIONAL DATA TRANSFERS
6.1 Data Location
Processor stores and Processes Personal Data primarily in cloud regions located in the United States for Business-edition subscriptions. EU data residency is available only under the Enterprise Negotiated DPA Template.
6.2 Transfers Outside the EEA, UK, and Switzerland
Where Personal Data is transferred from the EEA, UK, or Switzerland to a country that has not received an adequacy decision, Processor shall ensure such transfers comply with applicable Data Protection Laws through one or more of the following mechanisms:
(a) Standard Contractual Clauses. The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two: Controller-to-Processor, are hereby incorporated by reference. For Sub-processor onward transfers, Module Three: Processor-to-Processor is hereby incorporated. SCC completion details and selections are set forth in Annex D.
(b) UK International Data Transfer Addendum. For transfers from the UK, the International Data Transfer Addendum to the EU Commission SCCs (the “UK Addendum”), issued by the UK Information Commissioner’s Office, is hereby incorporated by reference. Completion details are set forth in Annex D.
(c) Swiss Transfers. For transfers from Switzerland, the EU SCCs apply with the modifications set forth in Annex D.
(d) Data Privacy Framework. Where applicable, Processor and/or its Sub-processors may rely on certification under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. Data Privacy Framework, with continuing certification verifiable at dataprivacyframework.gov/list.
6.3 Supplementary Measures
For international transfers, Processor implements: encryption of Personal Data in transit and at rest; access controls limiting data access to authorized personnel; policies prohibiting voluntary disclosure to government authorities except as required by law; and procedures to challenge government data-access requests to the extent permitted by law.
7. LIABILITY AND INDEMNIFICATION
7.1 Limitation of Liability
The limitations of liability and exclusions of damages set forth in the Principal Agreement (including any aggregate liability cap) apply to this DPA, except as otherwise required by applicable Data Protection Laws. Neither Party excludes or limits liability for damages arising from (i) death or personal injury caused by negligence; (ii) fraud or fraudulent misrepresentation; (iii) willful misconduct or gross negligence; or (iv) any liability that cannot be limited under applicable law.
7.2 Allocation
Each Party shall be liable for damages caused by Processing that infringes applicable Data Protection Laws, subject to the limitations in Section 7.1. Processor is liable for damages caused by Processing only where Processor (a) has not complied with obligations of Data Protection Laws specifically directed to Processors or (b) has acted outside of or contrary to Customer’s lawful instructions.
7.3 No Regulatory Fines Indemnification
Processor does not indemnify Customer for administrative fines, penalties, or other regulatory sanctions assessed against Customer under Data Protection Laws. Customers requiring contractual indemnification for regulatory fines must use the Enterprise Negotiated DPA Template.
8. TERM AND TERMINATION
This DPA becomes effective on the Effective Date and remains in effect until the termination or expiration of the Principal Agreement, subject to Section 12 (Data Return and Deletion). Provisions that by their nature should survive termination — including confidentiality, liability allocation, and data-return obligations — shall survive.
9. AI-SPECIFIC DATA PROCESSING TERMS
9.1 AI System Transparency
Processor maintains documentation of AI Systems used within the Services, including: a description of the AI functionality and its purpose; the types of data used as inputs; the outputs produced; known limitations or biases; and human oversight mechanisms. This documentation is available at aictrlnet.com/legal and in product documentation. For AI-powered features that significantly affect Data Subjects or Customer’s business processes, Processor shall, upon Customer’s reasonable request, provide meaningful information about the logic involved in automated decision-making and explanations of AI-generated recommendations (to the extent possible without revealing trade secrets).
9.2 Model Training Opt-Out (No-Training-By-Default)
Processor shall not, and shall contractually require its Sub-processors not to, use Controller Inputs and Outputs to: (a) train, fine-tune, or otherwise improve any general-purpose AI model owned by Processor or any Sub-processor; (b) develop new AI models; (c) benchmark or evaluate AI models for purposes other than providing the Services to Customer; or (d) deliver services to other customers.
The foregoing prohibition applies by default and persists unless Customer affirmatively opts in via in-Service controls. Processor shall ensure that all AI Sub-processor agreements include a substantively equivalent no-training-by-default prohibition flowed through the inference chain.
Notwithstanding the above, Processor may use aggregated and anonymized data (which does not constitute Personal Data) for service improvement, security and threat detection, benchmarking, and research and development.
9.3 Automated Decision-Making and Human Oversight
For any Automated Decision-Making that produces legal effects or similarly significantly affects Data Subjects, Customer shall ensure human oversight using the HITL approval workflows and AI governance controls provided by the Services. Processor shall not implement fully automated decisions with significant effects without Customer’s explicit configuration. Customer is responsible for configuring approval workflows, confidence thresholds, and audit logging appropriate to its risk profile.
9.4 AI Governance Controls (Customer-Configurable)
Customer may configure the following AI governance controls in the Services: AI feature toggles (enable/disable specific AI features); confidence thresholds for AI recommendations; HITL approval workflows for AI-generated actions; audit logging for AI-assisted decisions; and bias monitoring (where supported by the deployed feature set). The availability and configuration surface of these controls may vary by feature.
9.5 AI Output Ownership
As between the Parties, Customer owns all right, title, and interest in and to AI System outputs (“Outputs”) generated from Customer Inputs through the Services. Processor receives no rights in Outputs except a limited, revocable license to host, transmit, store, and process Outputs solely as necessary to provide the Services. Processor shall not (a) use Outputs to train AI models, (b) sell or license Outputs to third parties, (c) use Outputs to deliver services to other customers, or (d) retain Outputs beyond the period necessary to provide the Services (subject to Section 12).
9.6 Cross-Border AI Inference
Customer acknowledges that AI Sub-Processors may host inference infrastructure in regions different from the data-residency region Customer expects. When Customer’s prompts or AI inputs are routed to an AI Sub-Processor’s inference endpoint outside the EEA, UK, or Switzerland (as applicable), such routing constitutes an international data transfer. Processor relies on (a) the EU-U.S. DPF, UK Extension, and Swiss-U.S. DPF where the relevant AI Sub-Processor is certified, and (b) the EU SCCs (Modules Two and Three) as the contractual fallback in all cases.
9.7 Regulatory Compliance for AI
9.7.1 EU AI Act
The EU AI Act becomes fully applicable on August 2, 2026 (with General-Purpose AI Model obligations already in force since August 2, 2025). Where applicable, Processor shall classify AI Systems according to risk categories, implement appropriate risk-management measures, maintain technical documentation, provide transparency information, and support Customer’s compliance obligations as a deployer of AI Systems.
9.7.2 Colorado AI Act
For decisions falling within the scope of the Colorado Artificial Intelligence Act (effective June 30, 2026), where Customer is a deployer subject to the Act, Processor shall provide the technical and procedural support reasonably necessary for Customer’s compliance, including pre-use notice generation, adverse-action notice generation, and risk-assessment documentation. Customer is the deployer and bears primary compliance responsibility.
9.7.3 Evolving AI Regulations
Processor monitors evolving AI regulations globally and shall: update the Services as necessary to maintain compliance; notify Customer of material regulatory changes affecting AI features; and provide reasonable assistance to Customer in meeting AI regulatory obligations.
10. DWY (DOING-WITH-YOU) IMPLEMENTATION HOURS
10.1 Scope
The Business-edition Services bundle a fixed allocation of DWY implementation hours per subscription tier (Starter: 2 hours; Growth: 5 hours; Scale: 8 hours), as specified in the Principal Agreement. During DWY engagements, Processor’s implementation personnel may access Customer’s tenant of the Services for the purpose of co-implementing workflows, configuring AI governance controls, and transferring knowledge to Customer’s team.
10.2 Processor Personnel Access
Where DWY work requires Processor personnel to access Personal Data within Customer’s tenant, such access is performed under this DPA as Processing on Customer’s behalf. Processor personnel performing DWY work are bound by confidentiality obligations, complete data-protection training, and access Personal Data only as necessary to perform the DWY engagement. All DWY access is logged in the Services’ audit trail and is reviewable by Customer.
10.3 No New Sub-Processor Relationship
DWY work does not create a new Sub-processor relationship. DWY personnel are Processor personnel acting under Processor’s existing obligations under this DPA.
11. RELATIONSHIP TO PRINCIPAL AGREEMENT
This DPA is incorporated into and forms part of the Principal Agreement. In the event of a conflict between this DPA and the Principal Agreement, this DPA prevails with respect to data-protection matters. In the event of a conflict between this DPA and the EU SCCs incorporated under Section 6.2(a) (where the SCCs apply), the SCCs prevail.
12. DATA RETURN AND DELETION
12.1 Data Export
During the Subscription Term, Customer may export the following data using the means Processor makes generally available to Business-edition subscribers:
- (i) Workflow templates created or modified by Customer, exportable via the Workflow Templates API in the formats and under the conditions described in the Bodaty Terms of Service §12.10(b) (Business and Enterprise editions);
- (ii) Audit logs, execution history, and compliance reports accessible via the Services’ REST APIs in JSON format; programmatic export to CSV is available for analytics and compliance check results;
- (iii) Other Customer Content available upon written request to legal@aictrlnet.com, which Processor will make commercially reasonable efforts to fulfill within thirty (30) days in a mutually acceptable format.
Customer is responsible for periodically exporting any data required for continuity. Processor does not warrant any post-termination access window beyond any grace period available under the Principal Agreement.
12.2 Post-Termination Default
If Customer does not provide instructions within thirty (30) days of termination of the Principal Agreement, Processor shall delete all Personal Data using methods that render the data irretrievable, in accordance with industry standards such as NIST SP 800-88. Customer may instead request return of Personal Data in a commonly used, machine-readable format (such as JSON or CSV) within thirty (30) days of termination; in that case, deletion will proceed promptly after return is complete.
12.3 Deletion Certification
Upon request, Processor shall provide written certification confirming that all Personal Data has been deleted in accordance with this Section 12. Processor may retain Personal Data (or portions thereof) after termination only where required by law, for routine backup-rotation cycles, or to resolve pending disputes or legal proceedings; in such cases Processor shall inform Customer of the retention and the legal basis.
13. GENERAL PROVISIONS
13.1 Amendments
Processor may update this DPA from time to time to reflect changes in applicable law, the Services, or Sub-processor arrangements. Material changes will be notified by email to Customer’s account administrator and/or by in-Service notification, and shall take effect no earlier than thirty (30) days after notification. Material changes do not include updates to Annexes B and C (which may be updated more frequently consistent with Sections 4.4 and 4.8). Updates that materially diminish the protections afforded to Personal Data require Customer’s consent.
13.2 Governing Law
This DPA shall be governed by the laws specified in the Principal Agreement (Illinois, USA), provided that (a) where the GDPR applies, the governing law shall not affect Data Subjects’ rights to bring claims in the Member State of their habitual residence; and (b) disputes regarding data-protection compliance may be referred to the competent Supervisory Authority.
13.3 Notices
Notices to Processor shall be sent to:
Bodaty LLC Attn: Privacy Team 200 E. 5th Ave., Suite 121DE Naperville, IL 60563 United States Email: privacy@aictrlnet.com
Notices to Customer shall be sent to the email address associated with Customer’s Bodaty account or, where Customer has designated a privacy contact, to that address.
13.4 Severability
If any provision of this DPA is held invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect, and the Parties shall replace the invalid provision with a valid provision that achieves the original intent.
13.5 Order of Precedence
In the event of conflict between documents, the following order of precedence applies: (1) EU SCCs (where applicable); (2) this DPA; (3) the Principal Agreement; (4) any other referenced documents.
13.6 No Third-Party Beneficiaries
Except for Data Subjects’ rights under applicable Data Protection Laws and as provided in the SCCs, this DPA does not confer any rights on third parties.
ANNEX A: DESCRIPTION OF PROCESSING
A.1 Subject Matter
Processing of Personal Data in connection with the provision of the AICtrlNet / HitLai Business-edition platform.
A.2 Duration
From the Effective Date of the Principal Agreement until termination, plus any additional period required for data return, deletion, or legal retention.
A.3 Nature and Purpose of Processing
| Purpose | Description |
|---|---|
| Service Provision | Providing workflow automation, AI governance, and collaboration features |
| User Management | Account creation, authentication, authorization, access control |
| Workflow Processing | Executing workflows, task assignments, approvals, notifications |
| AI Features | Risk assessment, predictive analytics, compliance monitoring, intelligent automation |
| Security Operations | Authentication, access logging, threat detection, security monitoring |
| Integration Processing | Data synchronization with Customer’s authorized third-party systems |
| DWY Implementation | Co-implementation of workflows and AI governance configuration with Customer |
| Support Services | Technical support, troubleshooting, incident response |
| Backup and Recovery | Data backup, disaster recovery, business continuity |
A.4 Types of Personal Data
| Category | Data Elements |
|---|---|
| Identity Data | Names, usernames, employee IDs, job titles |
| Contact Data | Email addresses, phone numbers, business addresses |
| Account Data | User credentials (hashed), authentication tokens, account settings |
| Technical Data | IP addresses, device identifiers, browser data, session information |
| Usage Data | Feature usage logs, interaction data, preferences |
| Workflow Data | Task data, approvals, comments, attachments, business-process data |
| Communication Data | In-platform messages, notifications |
| Audit Data | Access logs, change logs, compliance records |
| AI Processing Data | Inputs to AI Systems, outputs and recommendations |
A.5 Categories of Data Subjects
| Category | Description |
|---|---|
| Customer’s Employees | Individuals employed by Customer who use the Services |
| Customer’s Contractors | Independent contractors and consultants engaged by Customer |
| Business Partners | Third-party users authorized by Customer |
| Customer’s Customers | Individuals whose data is processed through Customer’s workflows |
| Other Individuals | Any other individuals whose data is submitted to the Services by Customer |
A.6 Special Categories of Personal Data
Not intentionally processed. Customer acknowledges that incidental Processing may occur if Special Categories are included in workflow content uploaded by Customer’s users; in that case Customer is responsible for ensuring a valid legal basis under GDPR Article 9 or equivalent.
A.7 AI Processing Specifics
| AI Feature | Data Processed | Purpose | Human Oversight |
|---|---|---|---|
| Workflow Prediction | Historical workflow data, user behavior | Suggest optimal workflow routing | Customer-configurable thresholds |
| Risk Assessment | Workflow content, compliance data | Identify compliance risks | Required human review (HITL) |
| Anomaly Detection | Usage patterns, access logs | Security threat detection | Alert-based review |
| NLP Processing | Text content from workflows | Content classification and extraction | Optional review |
| Recommendation Engine | User preferences, usage data | Personalized suggestions | User-controllable |
ANNEX B: TECHNICAL AND ORGANIZATIONAL MEASURES
Processor implements and maintains the following technical and organizational measures to protect Personal Data in accordance with GDPR Article 32 and industry best practices. These measures are reviewed and updated periodically; the current statement of measures is maintained at aictrlnet.com/legal/dpa.
B.1 Organizational Security
- Documented information-security program aligned with ISO 27001 and SOC 2 control objectives
- Security policies covering data protection, access control, and incident response
- Background checks and confidentiality obligations for personnel with access to Personal Data
- Mandatory security-awareness training on hire and annually thereafter
- Vendor and Sub-processor risk assessment including data-protection requirements in contracts
B.2 Physical and Cloud-Infrastructure Security
- Enterprise-grade cloud infrastructure (AWS / Google Cloud Platform) with SOC 2 and ISO 27001 certifications inherited from the provider
- Physical access controls, surveillance, fire suppression, climate control, and power redundancy provided by the underlying cloud provider
- Secure disposal of physical media containing Personal Data
B.3 Access Control
- Multi-factor authentication required for personnel access to production systems
- SAML 2.0 / OIDC integration available for Customer enterprise SSO
- Role-based access control with least-privilege enforcement
- Quarterly access certification and recertification
- Automatic session timeout and concurrent session controls
- Strong password requirements; password hashing using bcrypt or Argon2
B.4 Encryption
- TLS 1.2+ enforced for all data in transit; HTTPS-only public endpoints
- AES-256 encryption for all stored Personal Data
- Cloud-provider key-management services for encryption keys
B.5 Network Security
- Web Application Firewall and network firewalls
- Network segmentation isolating production, development, and administrative environments
- Distributed denial-of-service mitigation
- Encrypted VPN for administrative access
B.6 Application Security
- Secure Software Development Lifecycle practices
- Mandatory code review for production changes
- Automated static application security testing (SAST)
- Dependency scanning for known vulnerabilities
- Periodic third-party penetration testing
- Responsible-disclosure / coordinated-vulnerability-disclosure program
B.7 Logging and Monitoring
- Comprehensive logging of security-relevant events
- Log retention of at least twelve (12) months for security logs
- Real-time alerting for security anomalies
- Audit trails for compliance and investigation
B.8 Availability and Resilience
- Multi-zone deployment with automatic failover where supported by region
- Daily backups; backups encrypted at rest
- Documented disaster-recovery procedures; periodic recovery testing
- Documented incident response procedures
B.9 Compliance and Certification
| Standard | Status |
|---|---|
| SOC 2 Type II | In progress (target completion within twelve months of GA) |
| ISO 27001 | Not yet certified; controls aligned to framework |
| GDPR | Compliant under this DPA |
| CCPA/CPRA | Compliant under this DPA |
| HIPAA | Not available under the Business-edition click-through DPA. Customers requiring a Business Associate Agreement must use the Enterprise Negotiated DPA Template. |
| PCI DSS | Bodaty does not Process payment card data on Customer’s behalf; payment processing for Bodaty’s own billing is handled by a PCI-compliant payment processor. |
Aspirational items disclosure. Items shown as “in progress” or “not yet certified” are aspirational and will be updated as certifications complete. Customers requiring contractually committed certifications should use the Enterprise Negotiated DPA Template, where certification commitments may be negotiated and dated.
B.10 Updates
Processor may update these measures from time to time to reflect improvements in security practices and technology, provided that updates do not materially diminish the overall security of Personal Data.
ANNEX C: SUB-PROCESSORS LIST (SUMMARY)
The authoritative, current list of Sub-processors is maintained at aictrlnet.com/legal/sub-processors. The summary below reflects the inventory as of the Document Version date; in case of inconsistency, the published list controls.
C.1 Infrastructure and Hosting
| Sub-processor | Purpose | Data Processed | Location | Transfer Mechanism |
|---|---|---|---|---|
| Amazon Web Services, Inc. | Cloud infrastructure, computing, and storage | All Personal Data | US (Business-tier primary region) | DPF (verify) + SCCs Module Two |
| Google Cloud Platform | Secondary cloud infrastructure; AI/ML services | Workflow data, AI inputs/outputs | US | DPF (verify) + SCCs Module Two |
C.2 AI Sub-Processors (subject to Section 4.4.3(a) 15-day notice)
The following Foundation Model Providers are engaged where Customer enables the corresponding adapter through the Service. Each is contractually committed (or otherwise represented) to no-default-training of Controller data. Adapters reside under editions/community/src/adapters/implementations/ai/ (Community-tier providers, available to Business subscribers) and editions/business/src/business_adapters/implementations/ai/ (Business-tier providers).
| Sub-processor | Purpose | Edition tier | Data Processed | Location | Transfer Mechanism |
|---|---|---|---|---|---|
| Anthropic, PBC | Claude Foundation Model inference | Community+ | Customer prompts and Outputs (no training) | US | DPF (verify) + SCCs Module Three |
| OpenAI, LLC | GPT Foundation Model inference | Community+ | Customer prompts and Outputs (no training, commercial/API tier) | US | DPF (verify) + SCCs Module Three |
| HuggingFace, Inc. | HuggingFace Inference API for hosted open-source models | Community+ | Customer prompts and Outputs (no training) | US; EU | DPF (verify) + SCCs Module Three |
| DeepSeek (Hangzhou DeepSeek Artificial Intelligence Co., Ltd.) | DeepSeek Foundation Model inference (where Customer enables) | Community+ | Customer prompts and Outputs | China-based provider; Customer should review transfer-impact assessment before enabling | SCCs Module Three; supplementary measures required |
| Google LLC (Gemini) | Gemini Foundation Model inference | Business+ | Customer prompts and Outputs (no training) | US; EU | DPF (verify) + SCCs Module Three |
| Amazon Web Services, Inc. (Bedrock) | Multi-model Foundation Model gateway (Anthropic, Meta, Mistral, Cohere, and others as Customer selects) | Business+ | Customer prompts and Outputs (no training) | US (primary); EU (where supported) | DPF (verify) + SCCs Module Three |
| Cohere, Inc. | Cohere Foundation Model inference | Business+ | Customer prompts and Outputs (no training) | US; Canada | SCCs Module Three |
| Microsoft Corporation (Azure OpenAI) | OpenAI Foundation Models via Azure regional deployment | Business+ | Customer prompts and Outputs (no training) | Customer-selected Azure region | DPF (verify) + SCCs Module Three |
Customer-controlled / self-hosted runtimes. Customer may configure the Service to use locally hosted Foundation Model runtimes such as Ollama or vLLM. When operated on Customer-controlled infrastructure, these are not AI Sub-Processors under this DPA and Processor does not engage them on Controller’s behalf.
Provider terms references. Customer should consult each enabled provider’s current data-processing terms before transmitting Personal Data through that adapter. Bodaty does not warrant the contents of third-party Foundation Model Provider terms beyond what is contractually flowed through Bodaty’s own agreements with those providers.
C.3 Database, Storage, Security, Communication, Analytics
The current list of Sub-processors in these categories (e.g., MongoDB Atlas, Redis Labs, Amazon S3, Cloudflare, Auth0, Datadog, Twilio SendGrid, Twilio, Mixpanel, Zendesk, Intercom) is maintained at aictrlnet.com/legal/sub-processors.
C.4 Sub-Processor Agreements
All Sub-processors have entered into data-processing agreements with Processor that impose data-protection obligations substantially similar to those in this DPA, restrict Processing to what is necessary, require implementation of appropriate technical and organizational measures, require notification of Personal Data Breaches, and provide for data return or deletion upon termination.
ANNEX D: STANDARD CONTRACTUAL CLAUSES REFERENCE
D.1 Applicability
This Annex D applies when Personal Data is transferred from the EEA, UK, or Switzerland to a country that has not received an adequacy decision.
D.2 EU SCCs (Commission Implementing Decision (EU) 2021/914)
The EU SCCs are incorporated by reference. The following selections apply for Business-tier click-through use:
| Item | Selection |
|---|---|
| Module | Module Two (Controller-to-Processor) for direct Customer-to-Bodaty transfers; Module Three (Processor-to-Processor) for Sub-processor onward transfers |
| Clause 7 (Docking Clause) | Not included for click-through DPA (Customers requiring docking must use the Enterprise Negotiated DPA Template) |
| Clause 9 (Sub-processors) | Option 2 (General Written Authorization) selected; see Sections 4.4.1 and 4.4.3 |
| Clause 11 (Redress) | Option (a) — independent dispute-resolution body not required |
| Clause 17 (Governing Law) | Laws of Ireland (for EEA transfers) |
| Clause 18 (Forum) | Courts of Ireland (for EEA transfers) |
| Annex I.A (Parties) | Data Exporter: Customer (as identified in Customer’s Bodaty account). Data Importer: Bodaty LLC. |
| Annex I.B (Description of Transfer) | As set forth in Annex A of this DPA |
| Annex I.C (Competent Supervisory Authority) | The Irish Data Protection Commission (for EEA transfers); or as otherwise required based on Customer’s establishment |
| Annex II (Technical and Organizational Measures) | As set forth in Annex B of this DPA |
| Annex III (Sub-processors) | As set forth in Annex C of this DPA |
D.3 UK International Data Transfer Addendum
For transfers from the UK, the UK Addendum to the EU SCCs (issued by the UK ICO, laid before Parliament 2 February 2022) is incorporated by reference, with completion details corresponding to Section D.2 above. The UK Addendum is governed by the laws of England and Wales.
D.4 Swiss Data Transfer Provisions
For transfers from Switzerland, the EU SCCs apply with the following modifications: references to the GDPR are interpreted as references to the Swiss Federal Act on Data Protection (FADP); references to “EU Member State” include Switzerland; the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner; governing law is Swiss law; the courts of Switzerland have jurisdiction.
D.5 Updates to Transfer Mechanisms
If any transfer mechanism relied upon under this Annex D is invalidated or superseded by a court decision or regulatory guidance, the Parties shall cooperate in good faith to implement an alternative lawful transfer mechanism.
This Business-edition click-through DPA has been prepared in accordance with GDPR Article 28 requirements and aligned with industry click-through DPA practices (HubSpot, Snowflake, Databricks). For questions or to request the Enterprise Negotiated DPA Template, please contact privacy@aictrlnet.com.