Data Processing Addendum (DPA)

Last Updated: December 2024

For clients subject to the General Data Protection Regulation (GDPR) or similar data protection laws, RiskAI offers a comprehensive Data Processing Addendum (DPA) that governs our processing of personal data on your behalf.

1. Why You Need a DPA

If your organization processes personal data and uses RiskAI's services, you likely need a DPA to:

• Comply with GDPR Article 28 requirements
• Establish clear data processing obligations
• Define security measures and safeguards
• Outline data subject rights procedures
• Ensure regulatory compliance
• Protect your organization and customers

2. Our DPA Coverage

2.1 Applicable Regulations

Our DPA covers compliance with:

• GDPR (General Data Protection Regulation): European Union data protection law
• UK GDPR: United Kingdom data protection law
• CCPA (California Consumer Privacy Act): California privacy law

2.2 Processing Activities

Our DPA covers all processing activities including:

• Data collection and storage
• Data analysis and processing
• AI model training and inference
• Compliance monitoring and reporting
• Data backup and recovery
• Data deletion and retention

3. Key DPA Provisions

3.1 Data Controller and Processor Roles

• You (Data Controller): Determine the purposes and means of processing personal data
• RiskAI (Data Processor): Process personal data on your behalf according to your instructions
• Clear definition of responsibilities and obligations
• Joint accountability for data protection compliance

3.2 Processing Instructions

• Detailed processing instructions and limitations
• Purpose and scope of data processing
• Duration and retention periods
• Data subject categories and data types
• Geographic restrictions and data localization

3.3 Security Measures

• Technical and organizational security measures
• Encryption of data in transit and at rest
• Access controls and authentication
• Regular security assessments and testing
• Incident response and breach notification procedures

3.4 Subprocessors

• List of authorized subprocessors
• Subprocessor selection and approval process
• Subprocessor obligations and commitments
• Notification requirements for new subprocessors
• Right to object to subprocessor changes

4. Data Subject Rights

4.1 Rights Support

Our DPA includes provisions for supporting data subject rights:

• Right of Access: Assistance with data subject access requests
• Right to Rectification: Support for data correction requests
• Right to Erasure: Data deletion and anonymization procedures
• Right to Portability: Data export in structured formats
• Right to Restriction: Processing limitation procedures
• Right to Object: Objection handling and processing cessation

4.2 Response Procedures

• Timeline commitments for responding to requests
• Verification and authentication procedures
• Documentation and record-keeping requirements
• Escalation procedures for complex requests
• Cooperation and coordination mechanisms

5. Audit and Compliance

5.1 Audit Rights

• Right to conduct audits and inspections
• Access to relevant documentation and records
• Cooperation with regulatory audits
• Third-party audit support
• Cost allocation and scheduling procedures

5.2 Compliance Monitoring

• Regular compliance assessments
• Certification and attestation requirements
• Regulatory change monitoring
• Compliance reporting and documentation
• Remediation procedures for compliance gaps

6. Data Breach Response

6.1 Breach Notification

• 72-hour notification requirement for GDPR breaches
• Detailed breach assessment and documentation
• Impact assessment and risk evaluation
• Remediation measures and timeline
• Communication and notification procedures

6.2 Incident Response

• Dedicated incident response team
• 24/7 incident detection and response
• Forensic analysis and investigation
• Regulatory reporting and coordination
• Lessons learned and process improvement

7. International Data Transfers

7.1 Transfer Safeguards

• Standard Contractual Clauses (SCCs) for EU transfers
• Adequacy decisions and certifications
• Additional safeguards and protections
• Transfer impact assessments
• Local law compliance requirements

7.2 Geographic Restrictions

• Data localization options and requirements
• Regional data center selection
• Cross-border transfer limitations
• Local regulatory compliance
• Data sovereignty considerations

8. Termination and Data Return

8.1 Termination Procedures

• Data return and deletion requirements
• Certification of data deletion
• Data retention and archival procedures
• Transition assistance and support
• Ongoing confidentiality obligations

8.2 Data Disposal

• Secure data deletion methods
• Media destruction and sanitization
• Backup and archive deletion
• Third-party data removal
• Deletion certification and verification

9. Liability and Indemnification

9.1 Liability Provisions

• Limitation of liability for data processing
• Indemnification for data protection violations
• Insurance coverage requirements
• Joint and several liability considerations
• Dispute resolution procedures

10. How to Request a DPA

10.1 Request Process

1. Contact Us: Send an email to privacy@riskai.tech with "DPA Request" in the subject line
2. Provide Information: Include your company name, contact details, and any specific requirements
3. Review & Customization: We'll review your requirements and customize the DPA if needed
4. Execution: Both parties will sign the DPA to make it legally binding
5. Implementation: The DPA will govern our data processing relationship going forward

10.2 Required Information

To expedite your DPA request, please provide:

• Company name and legal entity details
• Primary contact person and contact information
• Specific data processing requirements or concerns
• Geographic locations where you operate
• Any specific regulatory requirements

11. Contact Information

For DPA-related inquiries and requests:

Legal Team:
Email: privacy@riskai.tech

Data Protection Officer:
Email: dpo@riskai.tech
Address: Dorothee-Sölle-Platz 2, 50672 Köln, Germany