Legal · GDPR / UK GDPR / CCPA
Data processing addendum.
Our standard DPA. Executable on institutional paper with reasonable edits.
1. Scope.
This DPA supplements the Terms of Service and applies wherever we process Personal Data on your behalf. It addresses GDPR (Regulation (EU) 2016/679), UK GDPR, and CCPA (as amended by CPRA).
2. Roles.
You are the Controller. We are the Processor (or "Service Provider" under CCPA). For anonymous / individual use, we may be a Controller ourselves for limited security/abuse-detection purposes; that is separately addressed in the Privacy Policy.
3. Subject matter and nature of processing.
We process submitted text to produce AI-detection, plagiarism, grammar, or humanization outputs, and collect usage metadata for rate-limiting, abuse detection, and billing.
4. Duration.
For the duration of the underlying agreement plus the retention periods in Section 6.
5. Data subjects and categories.
Students, educators, and authorized users of Customer's instance. Categories: name, email, IP address (hashed), submitted text content.
6. Retention and deletion.
Submitted text: 30 days unless Customer elects a shorter period in a signed order form. Account metadata: for the life of the account. Billing records: 7 years. On termination, we delete or return Personal Data within 90 days except where retention is required by law.
7. Security measures.
Encryption at rest (AES-256) and in transit (TLS 1.3). Access controls with least-privilege principles. Audit logging. Incident response procedures with 72-hour notification per Art. 33 GDPR. Full control inventory available on request under NDA.
8. Subprocessors.
Current list on /trust-center. We provide 30-day notice of additions or changes via email to customers who subscribe to the subprocessor list (subscribe at security@aiessaydetector.ai).
9. International transfers.
Transfers outside the EEA/UK are covered by Standard Contractual Clauses (SCCs) Module 2 (Controller-to-Processor). A signed SCC appendix is available on request.
10. Data subject rights.
We assist Customer in responding to access, rectification, erasure, portability, and objection requests. Customer is primarily responsible for responding to data subjects; we provide the underlying data on request.
11. Audit rights.
Customer may audit our compliance once per 12-month period, on 30 days' written notice, during business hours, at Customer's cost. We will accept third-party audit reports (SOC 2 Type II) in lieu of on-site audits where reasonably possible.
12. Execution.
This DPA is incorporated by reference when Customer accepts the Terms of Service. Customers who require a signed DPA on their own paper may contact security@aiessaydetector.ai.