Data Processing Addendum
Last updated: 2026-06-14 · Version 1.0.0-draft
Effective date: 2026-06-14. This Data Processing Addendum ("DPA") supplements our Terms of Service and applies where you (the "Customer") are a controller of personal data and we (aichat-studio) process that data on your behalf as a processor — typically enterprise team accounts. For consumer accounts, our Privacy Policy is the operative document.
1. Scope
This DPA governs the processing of personal data by aichat-studio on behalf of Customer in connection with Customer's use of the Service. It is incorporated into the Terms of Service by reference; in case of conflict regarding personal-data processing, this DPA prevails.
2. Definitions
Capitalised terms not defined here have the meaning given in EU Regulation 2016/679 (GDPR) and the UK GDPR. In particular: Controller, Processor, Personal Data, Sub-processor, Data Subject, Processing, and Personal Data Breach are interpreted per GDPR Article 4.
3. Roles
- Customer is the Controller of the Personal Data uploaded or generated through the Service.
- aichat-studio is the Processor.
- The third parties listed at Sub-processors are Sub-processors authorised in advance by Customer (see §7).
4. Processing instructions
aichat-studio processes Personal Data only on the documented instructions of Customer, including with regard to transfers to a third country. The Terms of Service, this DPA, and Customer's reasonable written instructions delivered to [email protected] constitute the complete instruction set. We notify Customer if we believe an instruction infringes GDPR or other applicable law.
5. Confidentiality
aichat-studio personnel with access to Personal Data are bound by written confidentiality undertakings or statutory duties of confidentiality.
6. Security measures (GDPR Article 32)
- TLS for all data in transit.
- At-rest encryption via Cloudflare D1's default encryption.
- Least-privilege access to secrets via Cloudflare Pages secret store.
- Access logging with 90-day retention for security review.
- No storage of full payment-card numbers, CVVs, or comparable "highly sensitive" data on our systems.
7. Sub-processor authorisation
Customer authorises the engagement of the Sub-processors listed at Sub-processors. We notify Customer at least 14 days before adding or replacing a Sub-processor. Customer may object on reasonable data-protection grounds within 14 days of the notice; objections trigger discussion and, failing resolution, allow Customer to terminate the affected processing without penalty.
8. Data subject requests
Taking into account the nature of the processing, aichat-studio assists Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests for the exercise of Data Subject rights laid down in Chapter III of GDPR. We forward requests directed to us to Customer within 7 business days unless responding directly is more practical and Customer agrees.
9. Personal data breach notification
aichat-studio notifies Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer's Personal Data. The notification includes the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed in response.
10. Audits
aichat-studio makes available to Customer all information necessary to demonstrate compliance with this DPA. Customer may, on 30 days' written notice and at Customer's cost, conduct an audit (directly or via a mutually agreed independent auditor) once per calendar year, limited to the systems and records relevant to the processing of Customer's Personal Data. Audits must respect aichat-studio's confidentiality obligations and the privacy of other customers.
11. International transfers
Where personal data flows out of the European Economic Area or the United Kingdom, the parties rely on the European Commission's Standard Contractual Clauses (SCCs, Implementing Decision (EU) 2021/914) and the UK International Data Transfer Addendum (IDTA), incorporated by reference. The transfers in scope are those to Sub-processors enumerated at Sub-processors.
12. Return or deletion of personal data
On termination of the Service, Customer may export Customer's Personal Data via the account export functionality within 30 days. After 30 days we delete Customer's Personal Data, except where retention is required by law (notably tax records — see Privacy §6).
13. Liability
The parties' liability under this DPA is subject to and counts towards the limitations and exclusions of liability set out in the Terms of Service.
14. Order of precedence
If any provision of this DPA conflicts with the Terms of Service in relation to personal-data processing, this DPA prevails. For all other matters the Terms prevail.
15. How to request a signed copy
Email [email protected] with the subject line "DPA request" and your account email. We return a counter-signed PDF within 5 business days.