Data Processing Addendum
Last updated: 8 April 2026
IMPORTANT NOTICE:
1. DEFINITIONS
Controller: means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. The Subscriber is the Controller with respect to Subscriber Data.
Data Breach: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Data Processing Agreement: means this DPA and any annexes attached hereto.
Data Subject: means the identified or identifiable individual to whom Personal Data relates.
Data Subject Rights: means the rights of Data Subjects under the GDPR, including rights of access, rectification, erasure, restriction of processing, data portability, and objection.
GDPR: means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data.
Personal Data: means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier.
Processing: means any operation performed on Personal Data, whether by automated means or not, such as collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, making available, alignment, combination, restriction, erasure or destruction.
Processor: means the natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller. Aradyne is the Processor under this DPA.
Sub-processor: means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Processor under written contract.
Subscriber Data: means the electronic data or information submitted by the Subscriber, its Users, or Authorized Parties to the Service, including any Personal Data contained therein.
2. SCOPE AND PURPOSE OF PROCESSING
2.1 Scope.
This DPA applies to the Processing of Personal Data by Aradyne as a Processor acting on instructions from the Subscriber (the Controller) in connection with the provision of the PeakSpitz AIERP™ Software-as-a-Service (“Service”) as described in the Subscription Terms of Service.
2.2 Purpose.
Aradyne shall process Personal Data contained within Subscriber Data solely for the purposes of: (a) providing the Service; (b) preventing or addressing technical problems; (c) verifying and improving the Service; and (d) complying with applicable laws and this DPA, and only on the documented instructions of the Subscriber as set forth herein.
3. PROCESSING INSTRUCTIONS
3.1 Subscriber as Controller.
The Subscriber is the Controller of all Personal Data contained in Subscriber Data. Aradyne shall process Personal Data only on the documented instructions of the Subscriber, including regarding the transfer of Personal Data outside the European Economic Area (EEA), unless required by Union or Member State law.
3.2 Instructions.
Instructions for processing shall include: (i) the nature of processing; (ii) the purpose of processing; (iii) categories of Data Subjects; (iv) categories of Personal Data; and (v) duration of processing. Such instructions are set forth in Annex 1 to this DPA.
3.3 Compliance with Instructions.
Aradyne shall immediately notify the Subscriber if an instruction, in Aradyne’s opinion, violates the GDPR or other data protection laws. Aradyne shall comply with the Subscriber’s instructions unless required otherwise by Union or Member State law.
4. OBLIGATIONS OF ARADYNE AS PROCESSOR
4.1 Processing only on Instructions.
Aradyne shall process Personal Data only on the documented instructions of the Subscriber as set out in Section 3. Aradyne shall ensure that persons authorised to process Personal Data are subject to appropriate confidentiality undertakings or legal obligations of confidentiality, and shall not engage any Sub-processor without the prior specific or general written authorisation of the Subscriber as set out in Section 5.
4.2 Confidentiality and Security.
Aradyne shall ensure that employees or agents who have access to Personal Data are bound by obligations of confidentiality or are under an appropriate legal obligation of confidentiality. Aradyne shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including those set forth in Annex 2 to this DPA.
4.3 Assisting with Data Subject Rights.
Aradyne shall, taking into account the nature of the Processing, assist the Subscriber by implementing appropriate technical and organisational measures in fulfilling the Subscriber’s obligations to respond to Data Subject Rights requests, including rights of access, rectification, erasure, data portability, and objection to processing.
4.4 Assistance with Data Protection Impact Assessments (DPIAs).
Aradyne shall assist the Subscriber with data protection impact assessments and prior consultations with supervisory authorities as required under the GDPR, in particular by providing the Subscriber with information and technical details necessary to assess the risks and safeguards for the Processing.
4.5 Return or Deletion of Personal Data.
At the choice of the Subscriber, Aradyne shall, at the end of the provision of services relating to the Processing, delete or return all Personal Data to the Subscriber and delete existing copies unless Union or Member State law requires storage of the Personal Data.
4.6 Audit Rights and Compliance Certifications.
Aradyne shall make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections by the Subscriber or the Subscriber’s auditors. Aradyne shall provide the Subscriber with appropriate audit certifications, including ISO 27001 or equivalent security certifications, upon request.
5. SUB-PROCESSORS
5.1 Authorization and Notification.
Aradyne shall not engage any Sub-processor for the Processing of Personal Data without prior specific or general written authorization from the Subscriber. Aradyne shall inform the Subscriber of any intended changes concerning the addition or replacement of Sub-processors, giving the Subscriber the opportunity to object on reasonable grounds relating to data protection concerns.
5.2 Current Sub-processors.
The approved Sub-processors as of the date of this DPA are listed in Annex 3. Aradyne shall maintain this list and update it as required.
5.3 Right to Object.
If the Subscriber objects to the engagement of a new Sub-processor, the Subscriber may suspend use of the Service or terminate the Subscription Terms of Service without penalty, provided written notice is given within thirty (30) days of notification of the Sub-processor change.
5.4 Sub-processor Obligations.
Aradyne shall impose on Sub-processors, through binding written agreements, the same data protection obligations as are set out in this DPA, in particular with regard to confidentiality, security, and assistance with Data Subject Rights. Aradyne shall remain fully liable to the Subscriber for the performance of any Sub-processor’s obligations.
6. INTERNATIONAL DATA TRANSFERS
6.1 Authorised Transfer Mechanisms.
Any transfer of Personal Data outside the EEA shall take place only: (i) to a country, territory or sector covered by an adequacy decision of the European Commission; or (ii) subject to appropriate safeguards recognised under Chapter V of the GDPR, including Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or another transfer mechanism provided for in the GDPR.
6.2 Standard Contractual Clauses.
To the extent that Personal Data is transferred outside the EEA to a country not covered by an adequacy decision of the European Commission, the transfer shall be subject to the Standard Contractual Clauses adopted by the European Commission under Commission Implementing Decision (EU) 2021/914, unless another lawful transfer mechanism applies.
6.3 Subscriber Consent.
The Subscriber acknowledges and consents to the transfers described in Annex 3 and consents to the use of Standard Contractual Clauses and other transfer mechanisms as necessary to lawfully process Personal Data as required to provide the Service.
7. DATA SECURITY
Aradyne shall implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data. These measures are detailed in Annex 2 and are appropriate to the risk presented by the Processing.
8. DATA BREACH NOTIFICATION
8.1 Notification Timeline.
Aradyne shall notify the Subscriber without undue delay, and in any case within twenty-four (24) hours of becoming aware of a Data Breach affecting Personal Data, irrespective of Aradyne’s own assessment of the likely risk to Data Subjects; the assessment of whether a Data Breach must be notified to a supervisory authority or communicated to Data Subjects rests with the Subscriber as Controller. Aradyne shall provide the Subscriber with all information necessary for the Subscriber to meet its own obligations under Articles 33 and 34 of the GDPR.
8.2 Notification Content.
Aradyne’s notification shall include: (i) the nature of the Data Breach; (ii) categories and approximate number of Data Subjects affected; (iii) categories and approximate volume of Personal Data affected; (iv) likely consequences of the Data Breach; (v) measures taken or proposed to remedy the Data Breach and mitigate harm; and (vi) contact point for further information.
8.3 Cooperation.
Aradyne shall cooperate fully with the Subscriber and competent authorities in addressing the Data Breach, including provision of evidence and assistance with notifications to Data Subjects and regulatory authorities.
9. AI ASSISTANT AND AUTOMATED DATA PROCESSING
9.1 AI Processing Transparency.
The Service includes an AI Assistant that may process Personal Data to provide recommendations, analysis, and other AI-generated outputs. Aradyne shall: (i) clearly disclose to the Subscriber that Personal Data is processed by the AI Assistant; (ii) maintain transparency regarding the purpose, scope, and lawful basis for AI processing; (iii) not use Personal Data or outputs therefrom to train, fine-tune, or improve machine learning models without explicit written consent from the Subscriber.
9.2 Output Storage.
Aradyne shall not store AI-generated outputs (AI Outputs) for purposes of model training, improvement, or any purpose other than: (i) providing the Service to the Subscriber; (ii) improving the Service solely for the Subscriber’s benefit; and (iii) complying with applicable law. AI Outputs shall not be used for commercial advantage or shared with third parties without the Subscriber’s express written consent.
9.3 EU AI Act Compliance.
Aradyne has assessed the AI Assistant under the EU AI Act (Regulation (EU) 2024/1689) and has classified it as a low-risk AI system. Aradyne maintains documentation of this classification and provides transparency regarding: (i) the AI system’s purpose and design; (ii) the categories of Personal Data processed; (iii) the technical and organisational measures implemented to manage risks; and (iv) the right of Data Subjects to object to automated processing affecting them.
10. US PRIVACY LAWS
10.1 CCPA/CPRA Applicability.
To the extent that the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the “CCPA”), applies to Aradyne’s Processing of Personal Data on behalf of the Subscriber, Aradyne shall be deemed a “service provider” as defined in Cal. Civ. Code § 1798.140(ag). Aradyne shall: (i) process Personal Data solely for the business purposes specified in this DPA and the Subscription Terms of Service; (ii) not “sell” or “share” (as those terms are defined under the CCPA) Personal Data received from or on behalf of the Subscriber; (iii) not retain, use, or disclose Personal Data for any purpose other than the business purposes specified in this DPA, including any commercial purpose other than providing the Service; (iv) not combine Personal Data received from the Subscriber with personal information received from other sources or collected from its own interactions with consumers, except as permitted by the CCPA; and (v) comply with applicable provisions of the CCPA and grant the Subscriber the right to take reasonable and appropriate steps to ensure that Aradyne uses Personal Data in a manner consistent with the Subscriber’s obligations under the CCPA.
10.2 Other US State Privacy Laws.
To the extent that any other US state privacy law (including the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, and the Texas Data Privacy and Security Act, each as amended from time to time) applies to Aradyne’s Processing of Personal Data on behalf of the Subscriber, Aradyne shall fulfil the role of “processor” (or equivalent designation under the applicable law) and shall process Personal Data only on behalf of and pursuant to the documented instructions of the Subscriber, consistent with the obligations set forth in this DPA.
10.3 De-identification.
Aradyne shall not attempt to re-identify any de-identified data derived from Personal Data, except for the purpose of determining whether its de-identification processes comply with applicable law.
11. TERMINATION AND DATA HANDLING
11.1 End of Processing.
Upon termination or expiry of the Subscription Terms of Service, Aradyne shall, at the Subscriber’s choice: (i) securely delete all Personal Data (except where retention is required by law); or (ii) return all Personal Data in a structured, commonly used, machine-readable format.
11.2 Retention.
Aradyne shall not retain Personal Data longer than necessary to fulfil the purposes for which it was collected, except where retention is required by Union or Member State law, in which case Aradyne shall inform the Subscriber of the legal requirement, the purpose of retention, and the expected deletion date.
12. GOVERNING LAW AND JURISDICTION
This DPA shall be governed by the laws of the Republic of Cyprus and the GDPR. Both parties submit to the jurisdiction of the courts of Cyprus. In the event of any conflict between this DPA and the Subscription Terms of Service, the terms of this DPA shall prevail to the extent the conflict relates to the Processing of Personal Data.
ANNEX 1: DETAILS OF PROCESSING
| Parameter | Description |
| --- | --- |
| Subject Matter | Processing of Subscriber Data containing Personal Data in accordance with the Subscription Terms of Service. |
| Duration | During the Term of the Subscription Terms of Service. |
| Purpose | Provision of the Service, support, maintenance, improving the Service, and compliance with legal obligations. |
| Categories of Data Subjects | Employees, contractors, customers, and other individuals whose data is uploaded by the Subscriber. |
| Types of Personal Data | Name, email address, contact information, and any other data uploaded by the Subscriber, as determined by the Subscriber’s use of the Service. |
ANNEX 2: TECHNICAL AND ORGANISATIONAL MEASURES
A. TECHNICAL MEASURES
Data Encryption: All Personal Data in transit is encrypted using Transport Layer Security (TLS 1.2 or higher). Personal Data at rest is encrypted using AES-256 encryption.
Access Controls: Role-based access control (RBAC) restricts access to Personal Data to authorized personnel only. Multi-factor authentication (MFA) is required for all access to systems containing Personal Data.
Audit Logging: All access to Personal Data is logged and retained for audit purposes. Logs include user identity, timestamp, action taken, and data accessed.
Intrusion Detection: Aradyne implements intrusion detection systems (IDS) and intrusion prevention systems (IPS) to monitor and prevent unauthorized access to systems processing Personal Data.
Vulnerability Management: Regular vulnerability assessments and penetration testing are conducted. Security patches and updates are applied promptly.
Data Backup and Redundancy: Personal Data is backed up regularly and stored in geographically redundant locations. Disaster recovery procedures are tested regularly.
B. ORGANISATIONAL MEASURES
Personnel Security: All personnel with access to Personal Data undergo background checks and receive data protection training. Personnel are bound by confidentiality agreements.
Data Protection Governance: A Data Protection Officer (DPO) is responsible for ensuring compliance with data protection laws. Regular data protection impact assessments are conducted.
Third-party Management: All Sub-processors are subject to written data protection agreements that impose obligations equivalent to this DPA. Sub-processors are audited regularly.
Incident Response: A documented incident response plan is in place and tested regularly. All Data Breaches are investigated and documented.
Sub-processor Audits: Sub-processors are audited annually or as required by contract to ensure compliance with data protection obligations.
ANNEX 3: APPROVED SUB-PROCESSORS
The following Sub-processors may process Personal Data under this DPA:
| Sub-processor Name | Service Provided | Processing Location | Data Categories |
| --- | --- | --- | --- |
| Amazon Web Services (AWS) | Cloud infrastructure and services | EU, US, Asia-Pacific regions | Personal Data |
| Microsoft Azure | Cloud infrastructure and services | EU, US, Asia-Pacific regions | Personal Data |
| Google Cloud Platform (GCP) | Cloud infrastructure and services | EU, US, Asia-Pacific regions | Personal Data |
| OVH | Cloud infrastructure and services | EU (France, Germany, Poland) | Personal Data |
| Cerebras | AI inference and processing | US | Personal Data |
| Deepinfra | AI model hosting and inference | US, EU | Personal Data |
| Mistral AI | AI model provider | EU (France) | Personal Data |
| Apple | AI/ML services | US, EU | Personal Data |
| Brevo (formerly Sendinblue) / Mailjet | Transactional email and communications | EU (France) | Personal Data |
| Green Cloud | Cloud hosting | EU | Personal Data |