Last Updated: July 22, 2025
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Candy Prompts Ltd. operating the Emotional AI Agents platform ("Company", "we", "us") and the customer ("Customer", "you") for the use of our AI-powered content enhancement services ("Services").
This DPA applies when Customer acts as a Data Controller and Company acts as a Data Processor under applicable data protection laws, including the General Data Protection Regulation (GDPR) and other similar regulations.
User Account Data:
- Names, email addresses, and contact information
- Authentication credentials and access logs
- User preferences and service configuration settings
- Billing and payment information

Content Data:
- Text content submitted for AI enhancement
- Personal information contained within submitted content
- User-generated preferences and instructions
- Output preferences and customization settings

Technical Data:
- IP addresses and device identifiers
- Browser information and technical specifications
- Usage logs and access patterns
- Performance metrics and error logs

Primary Processing:
- AI-powered content analysis and enhancement
- Content storage and retrieval
- User authentication and authorization
- Billing and subscription management

Secondary Processing:
- Service improvement and optimization
- Security monitoring and threat detection
- Performance analysis and troubleshooting
- Customer support and assistance
Legal Basis:
- Ensure lawful basis for all personal data processing
- Obtain necessary consents from data subjects where required
- Provide clear privacy notices to data subjects
- Maintain records of processing activities

Data Subject Rights:
- Respond to data subject requests for access, rectification, erasure, and portability
- Handle complaints and inquiries from data subjects
- Facilitate exercise of data subject rights through Company when necessary
- Ensure data subjects are informed of their rights

Data Quality:
- Ensure personal data is accurate, complete, and up-to-date
- Regularly review and update personal data as necessary
- Delete or correct inaccurate personal data promptly
- Limit data collection to what is necessary for specified purposes

Instructions to Processor:
- Provide clear, written instructions for personal data processing
- Ensure instructions comply with applicable data protection laws
- Update instructions as necessary for compliance and business needs
- Document all processing instructions and changes
Processing Compliance:
- Process personal data only on documented instructions from Customer
- Ensure processing complies with applicable data protection laws
- Implement appropriate technical and organizational security measures
- Maintain confidentiality of personal data

Sub-processor Management:
- Obtain Customer consent before engaging new sub-processors
- Ensure sub-processors provide adequate data protection guarantees
- Maintain current list of authorized sub-processors
- Monitor sub-processor compliance with data protection requirements

Data Subject Assistance:
- Assist Customer in responding to data subject requests
- Provide necessary information for Customer to fulfill obligations
- Implement technical measures to facilitate data subject rights
- Cooperate with Customer in data protection compliance efforts

Security and Breach Response:
- Implement state-of-the-art security measures
- Notify Customer of personal data breaches without undue delay
- Assist Customer in breach notification obligations
- Provide relevant information for breach assessment and response
User Authentication:
- Multi-factor authentication for administrative access
- Role-based access controls with principle of least privilege
- Regular access reviews and deprovisioning procedures
- Strong password policies and account lockout protections

System Access:
- Secure authentication for all system components
- Network segmentation and firewall protections
- VPN requirements for remote administrative access
- Audit logging of all access and administrative activities

Encryption:
- Encryption in transit using TLS 1.2 or higher
- Encryption at rest for all stored personal data
- Key management using industry-standard practices
- Regular rotation of encryption keys

Data Integrity:
- Regular data backups with integrity verification
- Version control and change management procedures
- Data validation and quality assurance processes
- Recovery procedures for data corruption or loss

Physical Security:
- Secure data centers with restricted access controls
- Environmental controls and monitoring systems
- Redundant power and cooling systems
- Physical security monitoring and incident response

Network Security:
- Intrusion detection and prevention systems
- Regular vulnerability assessments and penetration testing
- Security monitoring and incident response procedures
- Network traffic analysis and anomaly detection

Background Checks:
- Comprehensive background screening for personnel with data access
- Confidentiality agreements for all employees and contractors
- Regular security training and awareness programs
- Clear data handling procedures and policies

Access Management:
- Documented procedures for granting and revoking access
- Regular reviews of personnel access rights
- Segregation of duties for sensitive operations
- Monitoring of personnel activities and access patterns
Company engages the following categories of sub-processors:

AI Processing Services:
- OpenAI: Large language model processing and content enhancement
- Additional LLM Providers: As integrated for specialized AI capabilities
- Purpose: Content analysis, enhancement, and generation
- Data Transferred: User content, processing instructions, and metadata

Infrastructure Services:
- Cloud Hosting Providers: Platform hosting and data storage
- Content Delivery Networks: Fast content delivery and caching
- Purpose: Service hosting, data storage, and performance optimization
- Data Transferred: All service data and personal data

Authentication Services:
- Google: OAuth authentication and identity verification
- Purpose: User authentication and account management
- Data Transferred: Basic profile information and authentication tokens

Payment Processing:
- Stripe: Payment processing and subscription management
- Purpose: Billing, subscription management, and payment processing
- Data Transferred: Billing information and payment details

All sub-processors must:
- Provide adequate data protection guarantees
- Comply with data protection obligations equivalent to this DPA
- Implement appropriate technical and organizational security measures
- Submit to regular audits and compliance assessments
- Notify Company of any data protection incidents
Company will assist Customer in fulfilling data subject requests:

Right of Access:
- Provide Customer with relevant personal data and processing information
- Assist in verifying data subject identity and request validity
- Supply data in structured, commonly used, and machine-readable format
- Include information about processing purposes, categories, and recipients

Right of Rectification:
- Implement corrections to inaccurate personal data as instructed by Customer
- Update personal data across all relevant systems and backups
- Notify relevant sub-processors of corrections when necessary
- Maintain audit trail of all rectification activities

Right of Erasure:
- Delete personal data as instructed by Customer (subject to legal retention requirements)
- Ensure deletion across all systems, backups, and sub-processors
- Provide confirmation of deletion to Customer
- Maintain logs of deletion activities for compliance purposes

Right of Data Portability:
- Extract personal data in structured, commonly used format
- Provide data in machine-readable format suitable for transmission
- Assist Customer in transferring data to other services when requested
- Ensure data integrity during export processes
Personal data may be transferred to and processed in:
- United States: Primary data processing and storage
- European Union: Regional data processing and compliance
- Other Countries: Where sub-processors operate or provide services

Adequacy Decisions:
- Transfers to countries with adequacy decisions as permitted
- Regular monitoring of adequacy decision status
- Alternative mechanisms prepared for adequacy decision changes

Standard Contractual Clauses (SCCs):
- EU-approved Standard Contractual Clauses for data transfers
- Appropriate SCCs selected based on transfer scenarios
- Additional safeguards implemented as required
- Regular review and update of SCCs as necessary

Additional Safeguards:
- Encryption of data in transit and at rest
- Access controls and authentication requirements
- Legal and technical assessment of data protection laws in destination countries
- Contractual restrictions on sub-processor data handling
Service Data:
- Account data retained for duration of service agreement plus 30 days
- Content data retained according to Customer instructions and legal requirements
- Technical logs retained for 90 days for security and performance purposes
- Billing data retained for 7 years for tax and audit requirements

Anonymized Data:
- Anonymized aggregated data may be retained indefinitely
- No personal identifiers maintained in anonymized datasets
- Anonymization process prevents re-identification of individuals
- Used only for service improvement and research purposes

End of Service:
- All personal data deleted within 30 days of service termination
- Customer notified before deletion with opportunity to export data
- Secure deletion procedures ensuring data cannot be recovered
- Deletion certificates provided upon request

Customer-Requested Deletion:
- Personal data deleted within 30 days of Customer request
- Deletion across all systems, backups, and sub-processors
- Exception for data required for legal compliance or legitimate interests
- Audit logs maintained of all deletion activities
Immediate Response (within 4 hours):
- Initial incident assessment and containment
- Preliminary determination of scope and impact
- Internal incident response team activation
- Preservation of evidence and logs

Customer Notification (within 24 hours):
- Detailed incident description and timeline
- Categories and approximate number of affected data subjects
- Likely consequences of the breach
- Measures taken to address the breach and mitigate harm

Regulatory Notification Support:
- Assist Customer in determining regulatory notification requirements
- Provide information necessary for supervisory authority notifications
- Support Customer in data subject breach notifications
- Coordinate with Customer on public communications if necessary

Containment:
- Immediate steps to stop ongoing data exposure
- System isolation and security measure implementation
- Prevention of further unauthorized access
- Preservation of evidence for investigation

Investigation:
- Comprehensive forensic analysis of incident
- Root cause analysis and contributing factors
- Assessment of data protection impact
- Documentation of all findings and actions taken

Remediation:
- Implementation of corrective measures
- System hardening and security improvements
- Process improvements to prevent recurrence
- Regular monitoring for similar incidents
Internal Audits:
- Regular internal assessments of data protection compliance
- Annual comprehensive review of all processing activities
- Continuous monitoring of security controls and procedures
- Documentation of all audit findings and remediation actions

Third-Party Audits:
- Annual third-party security and privacy assessments
- Industry-standard compliance certifications (SOC 2, ISO 27001)
- Penetration testing and vulnerability assessments
- Independent verification of data protection measures

Information Requests:
- Customer may request information about data protection practices
- Annual compliance reports provided to Customer
- Audit questionnaires completed upon reasonable request
- Documentation of compliance measures and certifications

On-Site Audits:
- Customer may conduct on-site audits with reasonable notice
- Audits limited to data protection and security matters
- Reasonable frequency and scope limitations apply
- Customer responsible for audit costs and coordination

Supervisory Authority Cooperation:
- Full cooperation with supervisory authority investigations
- Timely provision of requested information and documentation
- Implementation of supervisory authority orders and recommendations
- Regular communication with relevant supervisory authorities

Compliance Documentation:
- Comprehensive records of all processing activities
- Documentation of technical and organizational measures
- Evidence of compliance with data protection obligations
- Regular updates to reflect changes in processing or regulations
Company Indemnification:
- Company indemnifies Customer for damages resulting from Company's breach of this DPA
- Defense of claims against Customer arising from Company's data protection violations
- Settlement authority for covered claims with Customer consent
- Cooperation in defense of any covered claims

Customer Indemnification:
- Customer indemnifies Company for damages resulting from Customer's unlawful instructions
- Defense of claims arising from Customer's violation of data protection laws
- Customer responsible for ensuring lawful basis for all processing instructions
- Customer liable for damages from inaccurate or unlawful data

Data Handling:
- All personal data deleted or returned as instructed by Customer
- Secure deletion procedures implemented across all systems
- Sub-processors notified and required to delete or return data
- Deletion certificates provided upon Customer request

Ongoing Obligations:
- Confidentiality obligations survive termination indefinitely
- Liability limitations and indemnification provisions survive
- Audit rights continue for reasonable period after termination
- Regulatory cooperation obligations continue as required by law
Company Data Protection Officer:
- Email: dpo@eaiagents.store
- Phone: [DPO Contact Number]
- Address: [DPO Business Address]

Customer Success Team:
- Email: privacy@eaiagents.store
- Phone: [Customer Success Number]
- Response Time: 24 hours for urgent data protection matters

Security Incidents:
- Emergency: security@eaiagents.store
- Phone: [Emergency Security Number]
- Available 24/7 for critical security incidents

Compliance Issues:
- Email: compliance@eaiagents.store
- Phone: [Compliance Contact Number]
- Business hours support for compliance inquiries
Signatures:

Company: Emotional AI Agents
By: ___
Name: [Authorized Representative]
Title: [Title]
Date: ________

Customer: [Customer Organization]
By: ___
Name: [Authorized Representative]
Title: [Title]
Date: ________

Appendices:
- Appendix A: List of Sub-processors
- Appendix B: Technical and Organizational Security Measures
- Appendix C: Standard Contractual Clauses (where applicable)
- Appendix D: Data Transfer Impact Assessment

Last Updated: July 22, 2025
Version: 1.0
Next Review: January 1, 2026