This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Aidra (Quick LLC) (“Processor”) and the customer using the Aidra platform (“Controller”). It applies whenever Controller instructs Aidra to process Personal Data on its behalf under the General Data Protection Regulation (“GDPR”), UK GDPR, PIPEDA, or similar data protection laws.

1. Definitions

Terms like “Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject ”, and “Supervisory Authority” have the meanings given to them under GDPR Article 4.

2. Scope & Roles

Controller is the data controller of Personal Data it submits to Aidra. Aidra acts as a data processor, processing Personal Data only in accordance with Controller’s documented instructions (including those given through the Aidra product).

3. Subject Matter & Duration

• Subject matter: operation of the Aidra AI employee platform, including chat, workflows, widget, and agent automations.
• Duration: the term of the subscription plus any post-termination period required to return or delete Personal Data.
• Nature & purpose of processing:storing and processing user-submitted content (messages, uploaded files, memory, leads) so Aidra’s AI agents can generate deliverables on Controller’s behalf.

4. Categories of Data Subjects and Data

• Data subjects:Controller’s employees, customers, prospects, leads, and website visitors (via the widget).
• Data categories: name, email, phone, company, professional details, content the Controller chooses to share with agents (e.g. customer messages, documents).
• No special categories: Controller agrees NOT to submit special-category Personal Data (health, biometric, genetic, criminal) unless a separate written agreement is in place.

5. Controller Instructions

Aidra will process Personal Data solely on documented instructions from Controller, including transfers to a third country or international organisation, unless required to do otherwise by law.

6. Confidentiality

Aidra ensures that persons authorised to process Personal Data are bound by appropriate confidentiality obligations.

7. Security Measures

Aidra has implemented appropriate technical and organisational measures including:

• Encryption in transit (TLS 1.3) and at rest (AES-256-GCM for secrets).
• Role-based access control with single-tenant DB isolation per company.
• Audit logging of administrative actions and authentication events.
• Rate limiting and bot-detection on authentication endpoints.
• Automated daily database backups with 30-day retention.
• Regular review of third-party sub-processors; vendor security questionnaires before onboarding.

See our Security Overview for the current list.

8. Sub-processors

Controller grants Aidra general authorisation to engage sub-processors for the provision of the Service, provided Aidra:

• Maintains an up-to-date list of sub-processors (below).
• Imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA.
• Gives Controller at least 14 days’ notice of any new sub-processor. If Controller objects on reasonable grounds, they may terminate the subscription before the new sub-processor is engaged.

Current sub-processors

9. International Transfers

Where Personal Data is transferred outside the EEA, UK, or Switzerland, Aidra relies on the European Commission’s Standard Contractual Clauses (SCCs) 2021/914, the UK IDTA, or other lawful transfer mechanism applicable to the destination. Controller is a data exporter and Aidra acts as data importer (and, where applicable, onward transferor to sub-processors on the same SCCs).

10. Data Subject Rights

Aidra will assist Controller, by appropriate technical and organisational measures, in responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection) within statutory timelines. Controllers can export and delete their own data self-serve from the dashboard, or contact privacy@aidra.live for assistance.

11. Personal Data Breaches

Aidra will notify Controller without undue delay (and within 48 hours where feasible) of any confirmed Personal Data Breach affecting Controller’s data. The notification will include the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken.

12. Data Protection Impact Assessment

Aidra will provide reasonable assistance to Controller with any Data Protection Impact Assessment or prior consultation with a Supervisory Authority, at Controller’s cost for anything exceeding the information already documented in this DPA or the Security Overview.

13. Return & Deletion of Data

Upon termination of the Service, Aidra will, at Controller’s choice, delete or return all Personal Data within 30 days. Backups are retained for a further 30 days, after which they are cryptographically destroyed. Controller can trigger an immediate account deletion from the dashboard; this starts the deletion SLA clock.

14. Audit Rights

Aidra will make available to Controller all information necessary to demonstrate compliance with this DPA, including access to audit logs via the admin panel or CSV export. Third-party on-site audits are available to Enterprise customers with 30 days’ notice, no more than once per 12 months, at Controller’s cost, subject to confidentiality terms.

15. Liability

Each party’s liability under this DPA is subject to the limitations set out in the Terms of Service.

16. Governing Law

This DPA is governed by the laws of the State of Delaware, USA, except where GDPR or UK GDPR mandate otherwise.

How to request a signed DPA

Enterprise and regulated customers may request a countersigned DPA from legal@aidra.live. For most customers, this online DPA is incorporated into the Terms of Service by reference and is deemed accepted on first use of the Service.

Questions? Email privacy@aidra.live. This document may be updated to reflect changes in law, sub-processors, or security practices. Material changes will be announced via email and a 30-day notice period.