
Data Processing Agreement

Effective Date: January 1, 2025
Last Updated: May 28, 2025
Version 1.1

1. Definitions and Interpretation

This Data Processing Agreement ("DPA") forms part of the agreement between Spectro AI Inc. ("Processor") and the Client ("Controller") for the provision of Services.

  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on Personal Data
  • "Data Subject" means the individual to whom Personal Data relates
  • "Sub-processor" means any third party engaged by Processor to process Personal Data
  • "Security Incident" means any breach of security leading to unauthorized access or disclosure

2. Processing of Personal Data

2.1 Processor Obligations

Processor shall:

  • Process Personal Data only on documented instructions from Controller
  • Ensure persons authorized to process Personal Data are subject to confidentiality
  • Implement appropriate technical and organizational measures
  • Not transfer Personal Data outside agreed jurisdictions without Controller approval
  • Assist Controller in responding to Data Subject requests
  • Delete or return Personal Data upon termination

3. Security Measures

Processor implements and maintains the following security measures:

  • Encryption of data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security testing and assessments
  • Incident detection and response procedures
  • Business continuity and disaster recovery plans
  • Employee training and awareness programs

4. Sub-processors

Controller authorizes the use of the following Sub-processors:

  • Amazon Web Services: Cloud infrastructure and storage
  • Supabase: Database services
  • Upstash: Redis caching services
  • PostHog: Analytics services

Processor shall notify Controller of any intended changes concerning Sub-processors with 30 days' notice.

5. Data Subject Rights

Processor shall assist Controller in fulfilling obligations to respond to Data Subject requests including:

  • Access to Personal Data
  • Rectification or erasure
  • Restriction of processing
  • Data portability
  • Objection to processing

6. Security Incident Notification

Processor shall notify Controller without undue delay and within 72 hours of becoming aware of a Security Incident. Notification shall include:

  • Nature of the incident
  • Categories and approximate number of affected Data Subjects
  • Likely consequences
  • Measures taken or proposed

7. Audit Rights

Controller may conduct audits, including inspections, subject to:

  • Reasonable advance notice (minimum 30 days)
  • During regular business hours
  • No more than once per year unless required by law
  • Execution of confidentiality agreement
  • Controller bearing all costs

8. Liability and Indemnification

PROCESSOR'S LIABILITY SHALL BE LIMITED AS SET FORTH IN THE MAIN AGREEMENT. EACH PARTY SHALL INDEMNIFY THE OTHER FOR LOSSES ARISING FROM ITS BREACH OF THIS DPA.

9. Term and Termination

This DPA shall remain in effect for the duration of the Services agreement. Upon termination, Processor shall, at Controller's option, delete or return all Personal Data.

This Data Processing Agreement supplements and is incorporated into the main Services agreement.