1. Definitions
Capitalized terms not defined here have the meaning in the Terms of Service. “Personal Data,” “Processing,” “Data Subject,” “Controller,” and “Processor” have the meanings in the GDPR and, where applicable, the CCPA. “Customer Personal Data” means Personal Data that Privil processes on behalf of customer.
2. Roles and scope
The customer acts as Controller (or as Processor on behalf of its own customer) and Privil acts as Processor of Customer Personal Data. The subject matter, duration, nature, and purpose of processing are described in Annex A.
3. Customer instructions
Privil will process Customer Personal Data only on documented instructions from customer, including with regard to international transfers, except as required by applicable law. Privil will inform customer if it believes an instruction violates data-protection law.
4. Confidentiality
Privil ensures that personnel authorized to process Customer Personal Data are under appropriate confidentiality obligations. Access is granted only as necessary to provide the Services.
5. Security
Privil implements appropriate technical and organizational measures to protect Customer Personal Data, as described in Annex B and summarized at /legal/security. These measures may evolve provided the overall level of security is not diminished.
6. Subprocessors
Customer authorizes Privil to engage subprocessors, listed in Annex C, subject to written agreements with terms no less protective than this DPA. Privil will notify customer of additions or changes at least thirty days in advance; customer may object on reasonable grounds related to data protection.
7. Data subject rights
Privil will reasonably assist customer in fulfilling its obligations to respond to Data Subject requests (access, rectification, erasure, restriction, portability, and objection), taking into account the nature of the processing.
8. Personal data breach
Privil will notify customer of a Personal Data Breach affecting Customer Personal Data without undue delay after becoming aware, and provide information reasonably necessary for customer to meet its own notification obligations under applicable law.
9. Audits
Privil makes available to customer information reasonably necessary to demonstrate compliance with this DPA, including SOC 2 Type II and ISO 27001 audit reports. Customer may conduct further audits at customer’s expense, subject to reasonable confidentiality and operational safeguards.
10. International transfers
To the extent Customer Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a third country without an adequacy decision, the parties incorporate the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as set out in Annex D.
11. Return or deletion
Upon termination of the Services, Privil will return or delete Customer Personal Data in accordance with customer’s instructions and applicable law, subject to legitimate retention obligations.
12. Liability
Each party’s liability under this DPA is subject to the limitations in the Terms of Service, except as otherwise required by applicable law.
13. Term
This DPA is effective on the Order Form effective date and continues for the duration of Privil’s processing of Customer Personal Data. Sections that by their nature should survive will survive.
Annex A · Processing details
Subject matter: provision of the Services. Duration: term of the Order Form. Nature and purpose: monitoring of generative-AI prompt and completion traffic and generation of audit records. Categories of Data Subjects: customer’s personnel and the persons identified within the prompts and completions processed by customer’s users. Categories of Personal Data: identifiers, professional information, and any other categories included by customer in transmitted content.
Annex B · Technical and organizational measures
Summarized at /legal/security. Full description available under NDA.
Annex C · Subprocessors
Current subprocessors available at /legal/subprocessors. Categories include cloud infrastructure, customer support, billing, and observability vendors.
Annex D · Standard Contractual Clauses
Where applicable, Modules Two and Three of the 2021 SCCs, with Annex I.A (data exporter: customer; data importer: Privil), Annex I.B (categories: as in Annex A), and Annex II (technical and organizational measures: as in Annex B). Optional clauses are deemed not selected.
For DPA execution or questions, contact dpa@privil.ai.