AICORES

Data Processing Agreement

Last updated: 26 March 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller", "Customer") and AI-CORES Digital Systems Limited ("Processor", "we"), pursuant to Article 28 of the General Data Protection Regulation (GDPR) (EU) 2016/679.

This DPA applies where we process personal data on your behalf when you use the AICORES platform.

1. Definitions

  • "Personal Data" means any data relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
  • "Processing" means any operation performed on personal data, as defined in GDPR Article 4(2).
  • "Sub-processor" means any third party engaged by us to process personal data on your behalf.
  • "Data Subject" means the individual whose personal data is processed.

2. Scope and Purpose of Processing

2.1 Subject Matter

We process personal data to provide the AICORES business intelligence platform, including account management, financial analytics, AI-generated insights, and billing.

2.2 Duration

Processing continues for the duration of the Service agreement and for a retention period thereafter as specified in our Privacy Policy.

2.3 Categories of Data Subjects

  • Customer employees and team members
  • Customer advisors (accountants, consultants)
  • Individuals referenced in customer financial data (client names, supplier contacts)

2.4 Types of Personal Data

  • Names, email addresses, job titles
  • Financial data (revenue figures, expense records)
  • Business information (company name, industry, addresses)
  • AI interaction data (queries, generated outputs)

3. Obligations of the Processor

We shall:

  • Process personal data only on your documented instructions, unless required by EU or Irish law.
  • Ensure that persons authorised to process personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (GDPR Article 32).
  • Not engage a sub-processor without your prior authorisation (see Section 5).
  • Assist you in responding to data subject requests (access, rectification, erasure, portability, restriction, objection).
  • Assist you with data protection impact assessments and prior consultations with supervisory authorities where required.
  • Delete or return all personal data upon termination of the Service, at your choice, unless retention is required by law.
  • Make available all information necessary to demonstrate compliance and allow for audits.

4. Security Measures

We implement the following measures:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
  • Row-level security (RLS) policies enforcing data isolation between workspaces.
  • Multi-factor authentication available for user accounts.
  • Regular security assessments and vulnerability scanning.
  • Incident response procedures with notification within 72 hours of becoming aware of a personal data breach (GDPR Article 33).
  • Access controls with principle of least privilege.
  • Automated backup and disaster recovery procedures.

5. Sub-processors

You authorise us to engage the following sub-processors. We will notify you of any changes and provide an opportunity to object.

| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage | EU (Frankfurt) | DPA, SOC 2 Type II |
| Stripe, Inc. | Payment processing (card payments) | US/EU | SCCs, PCI DSS Level 1 |
| GoCardless Ltd | Direct debit payments | UK/EU | UK Adequacy, DPA |
| Anthropic PBC | AI language model processing | US | SCCs, zero data retention for API |
| Resend, Inc. | Transactional email delivery | US | SCCs, DPA |
| Vercel Inc. | Frontend hosting and edge delivery | Global (CDN) | SCCs, SOC 2 Type II |

6. International Transfers

Where personal data is transferred outside the EU/EEA, we ensure compliance with GDPR Chapter V through one or more of the following mechanisms:

  • EU adequacy decisions (e.g., UK, Canada).
  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Supplementary measures where required by the Schrems II decision.

7. Data Breach Notification

In the event of a personal data breach, we will notify you without undue delay and no later than 72 hours after becoming aware of the breach, providing:

  • A description of the nature of the breach, including categories and approximate number of data subjects affected.
  • The likely consequences of the breach.
  • Measures taken or proposed to address the breach.
  • Contact details of our data protection officer.

8. Data Subject Rights

We will assist you in fulfilling your obligations to respond to data subject requests. If we receive a request directly from a data subject, we will promptly inform you and await your instructions, unless required by law to respond directly.

9. Audit Rights

You may audit our compliance with this DPA, subject to reasonable notice and during business hours. We will cooperate and provide necessary information. Audits shall not unreasonably disrupt our operations.

10. Termination

Upon termination of the Service, we will, at your choice, delete or return all personal data within 30 days, unless EU or Irish law requires further storage. We will provide confirmation of deletion upon request.

11. Governing Law

This DPA is governed by the laws of Ireland and the GDPR. Disputes shall be subject to the jurisdiction of the Irish courts.

12. Contact

Data Protection Officer: dpo@aicores.ai

AI-CORES Digital Systems Limited
Ireland