Legal
Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between Customer and Adaptive Agentic Platform LLC ("Adaptive AI," "Processor," "we," "our," or "us") as set forth in the Terms of Service v1.0 ("ToS") (together, the "Agreement"). This DPA applies where Adaptive AI processes Personal Data on behalf of Customer in connection with the Platform.
In the event of conflict between this DPA and the ToS, this DPA governs with respect to data protection obligations (ToS §5.5). In the event of conflict between this DPA and the Privacy Policy, this DPA governs with respect to data protection obligations (Privacy Policy §17). All capitalized terms not defined herein have the meanings given in the ToS.
1. Definitions
- "Applicable Data Protection Law" — all laws and regulations applicable to the processing of Personal Data under this DPA, including the GDPR (Regulation (EU) 2016/679), UK GDPR, CCPA (Cal. Civ. Code §1798.100 et seq.), and any successor legislation.
- "Controller" — the entity that determines the purposes and means of the processing of Personal Data. Under this DPA, the Customer is the Controller.
- "Data Subject" — an identified or identifiable natural person to whom Personal Data relates, including End Users interacting with AI Workers deployed by Customer.
- "EEA" — the European Economic Area.
- "Personal Data" — any information relating to a Data Subject that is processed by Adaptive AI on behalf of Customer through the Platform.
- "Processing" — any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Processor" — an entity that processes Personal Data on behalf of a Controller. Under this DPA, Adaptive AI is the Processor.
- "Security Incident" — a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed under this DPA.
- "Standard Contractual Clauses" or "SCCs" — the standard contractual clauses approved by the European Commission for international data transfers, as set out in Annex C.
- "Sub-processor" — any third party engaged by Adaptive AI to process Personal Data on behalf of Customer.
- "Sensitive Personal Information" or "SPI" — has the meaning ascribed under Applicable Data Protection Law, including special category data under GDPR Article 9 and sensitive personal information under the CCPA.
2. Scope and Roles
2.1 Roles of the Parties
- Customer is the Controller of Personal Data submitted to or generated through the Platform.
- Adaptive AI is the Processor, processing Personal Data solely on behalf of Customer and in accordance with Customer's documented instructions.
2.2 Scope of Processing
This DPA applies to all Personal Data that Adaptive AI processes on Customer's behalf through the Platform, including End User contact information and conversation content processed by AI Workers; voice recordings and transcripts generated through voice channel interactions; session metadata and interaction logs; and any other Personal Data submitted by Customer or generated through Platform use.
2.3 Details of Processing
The details of processing activities are set out in Annex A (Description of Processing).
3. Customer Obligations
3.1 Lawful Basis
Customer warrants that it has a valid legal basis under Applicable Data Protection Law for all Personal Data processed through the Platform, including any required consents from End Users (ToS §3.1–3.2).
3.2 AI Disclosure
Customer is responsible for informing End Users that they are interacting with an AI system and for providing any disclosures required by Applicable Data Protection Law, the EU AI Act, or other applicable regulation (ToS §3.2; Privacy Policy §8).
3.3 Data Minimization
Customer will ensure that Personal Data submitted to the Platform is adequate, relevant, and limited to what is necessary for the purposes of processing.
3.4 Sensitive Personal Information
Customer must not submit Sensitive Personal Information to the Platform unless Customer has: (a) obtained explicit consent from Data Subjects where required; (b) confirmed that Adaptive AI's technical and organizational measures are adequate for the sensitivity of the data; and (c) entered into any supplementary agreements required (such as a BAA for Protected Health Information).
4. Processor Obligations
4.1 Processing Instructions
Adaptive AI will process Personal Data only on documented instructions from Customer, unless required by Applicable Data Protection Law. If Adaptive AI believes an instruction infringes Applicable Data Protection Law, it will promptly notify Customer.
4.2 Confidentiality
Adaptive AI ensures that all personnel authorized to process Personal Data are subject to binding confidentiality obligations. Access to Personal Data is restricted to personnel on a strict need-to-know basis, and all access is logged and auditable (Privacy Policy §11).
4.3 No Training on Personal Data
Adaptive AI will not use Personal Data to train foundation AI models or to improve AI capabilities made available to other Customers. This prohibition applies to identified and pseudonymized data alike (ToS §5.2; Privacy Policy §7).
4.4 No Sale of Personal Data
Adaptive AI will not sell, rent, or transfer Personal Data to any third party for their independent commercial purposes (ToS §5.4; Privacy Policy §10).
5. Security Measures
5.1 Technical and Organizational Measures
Adaptive AI implements and maintains the technical and organizational measures described in Annex B (Security Measures) to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include those described in ToS §5.7 and Privacy Policy §11.
5.2 Single-Tenant Isolation
Each Customer runs on a dedicated, isolated infrastructure instance. Personal Data is stored in a database instance not shared with any other Customer. AI Workers run in compute environments isolated from other Customers' workloads. This is a binding service specification (ToS §5.10; Privacy Policy §4).
5.3 Encryption
- In transit: All data transmitted between clients, AI Workers, and Adaptive AI infrastructure uses TLS 1.2 or higher.
- At rest: Customer databases and file storage are encrypted using AES-256.
- BYOK credentials: Encrypted at rest and never logged in plaintext (ToS §5.7; Privacy Policy §11).
6. Sub-processors
6.1 Authorization
Customer grants Adaptive AI general authorization to engage Sub-processors to process Personal Data, subject to the requirements of this Section 6.
6.2 Sub-processor List
A current list of Sub-processors is maintained at legal.adaptive.ai/subprocessors (ToS §5.6; Privacy Policy §10.1).
6.3 Notification of Changes
Adaptive AI will notify Customer account administrators via email at least 30 days before adding any new Sub-processor (ToS §5.6; Privacy Policy §10.1).
6.4 Right to Object
If Customer reasonably objects to a new Sub-processor on data protection grounds, Customer must notify Adaptive AI in writing within 14 days of receiving notice. Adaptive AI will work in good faith to address Customer's concern. If the objection cannot be resolved to Customer's reasonable satisfaction within 30 days, Customer may terminate the affected services without penalty.
6.5 Sub-processor Obligations
Adaptive AI will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, including confidentiality, security, and restrictions on use and disclosure. Adaptive AI remains fully liable for the acts and omissions of its Sub-processors.
7. Data Subject Rights
7.1 Assistance
Adaptive AI will assist Customer in responding to Data Subject requests to exercise rights under Applicable Data Protection Law, including rights of access, correction, deletion, portability, objection, restriction, and rights related to automated decision-making (Privacy Policy §13).
7.2 Response
If Adaptive AI receives a request directly from a Data Subject, Adaptive AI will promptly redirect the Data Subject to Customer, unless legally required to respond directly. Adaptive AI will notify Customer of any such request within 5 business days.
7.3 Automated Decision-Making
Adaptive AI provides technical capabilities (including "Voice to Human" escalation) to support Customer's obligations under GDPR Article 22 regarding automated decision-making. Customer is responsible for configuring AI Workers to honor Data Subject rights related to automated processing (Privacy Policy §8).
8. Security Incidents
8.1 Notification
Adaptive AI will notify Customer without undue delay and in any event within 72 hours of confirming a Security Incident affecting Customer's Personal Data (ToS §5.7; Privacy Policy §11; GDPR Article 33).
8.2 Notification Content
Notification will include: (a) the nature of the Security Incident, including categories and approximate number of Data Subjects and records affected; (b) the likely consequences; (c) measures taken or proposed to address the incident; and (d) the name and contact details of the Adaptive AI point of contact.
8.3 Cooperation
Adaptive AI will cooperate with Customer in investigating the Security Incident and in any required notifications to Data Subjects, supervisory authorities, or other parties under Applicable Data Protection Law.
8.4 Record-Keeping
Adaptive AI will maintain a record of all Security Incidents, including facts, effects, and remedial actions taken, regardless of whether notification to Customer was required.
9. International Data Transfers
9.1 Transfer Mechanisms
Where Personal Data is transferred from the EEA, UK, or Switzerland to a country not recognized as providing an adequate level of data protection, Adaptive AI relies on the Standard Contractual Clauses set out in Annex C, supplemented by the additional safeguards described in Section 9.2.
9.2 Supplementary Measures
- Encryption: All Personal Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Single-tenant isolation: Customer data cannot be accessed by or commingled with other Customers' data.
- Access controls: Access to Personal Data is restricted to personnel on a strict need-to-know basis; all access is logged.
- Transparency reporting: Adaptive AI will publish an annual transparency report disclosing the number and nature of government access requests received, to the extent permitted by law.
9.3 Transfer Impact Assessments
Adaptive AI has conducted Transfer Impact Assessments (TIAs) evaluating the legal framework in destination countries, the supplementary measures in place, and the practical likelihood of government access to transferred Personal Data. Customer may request a summary of TIA findings by contacting admin@adaptiveap.com (Privacy Policy §12).
9.4 Data Residency
Customer may configure data residency preferences as described in the Data Residency & Retention Policy. Where an Order Form specifies a data residency region, Adaptive AI will not process Personal Data outside that region without Customer's prior written consent, except where required by Applicable Data Protection Law.
10. Audits and Compliance
10.1 Audit Rights
Customer (or a qualified independent third-party auditor appointed by Customer) may audit Adaptive AI's compliance with this DPA no more than once per calendar year, upon at least 30 days' written notice. Audits will be conducted during normal business hours, will not unreasonably interfere with Adaptive AI's operations, and will be subject to reasonable confidentiality obligations.
10.2 Audit Reports
In lieu of an on-site audit, Adaptive AI may provide Customer with: (a) a copy of its most recent SOC 2 Type II report or equivalent certification; (b) a summary of its most recent penetration test results; and (c) responses to a reasonable data protection questionnaire. Customer may accept these materials in satisfaction of its audit rights.
10.3 Regulatory Cooperation
Adaptive AI will cooperate with any supervisory authority exercising its powers under Applicable Data Protection Law, to the extent such cooperation relates to processing under this DPA.
11. Data Retention and Deletion
11.1 Retention
Adaptive AI retains Personal Data only as long as necessary to provide the Platform, meet legal obligations, or as configured by Customer. Default retention periods and Customer-configurable options are set out in the Data Residency & Retention Policy and Privacy Policy §9.
11.2 Deletion on Termination
Upon termination or expiration of the Agreement, Customer Data (including Personal Data) remains available for export for 30 days. Following the export window — or upon Customer's earlier written request — Adaptive AI will permanently delete Personal Data within 30 days, except where retention is required by Applicable Data Protection Law (ToS §10.5(d); Privacy Policy §9).
11.3 Certification of Deletion
Upon Customer's written request, Adaptive AI will provide written certification that Personal Data has been deleted in accordance with this Section 11.
11.4 Customer Self-Service Deletion
Customers may initiate data deletion at any time through the Platform's account settings or via the API. Self-service deletion requests are processed within 30 days. See Data Residency & Retention Policy §5 for details.
12. Term and Termination
12.1 Term
This DPA takes effect on the date Customer executes it (or, if later, the date the Agreement takes effect) and remains in force for as long as Adaptive AI processes Personal Data on behalf of Customer.
12.2 Survival
Sections 4.3 (No Training), 4.4 (No Sale), 7 (Data Subject Rights), 8 (Security Incidents), 9 (International Data Transfers), 10 (Audits), 11 (Retention and Deletion), and the Annexes survive termination of this DPA.
13. General
13.1 Order of Precedence
In the event of conflict: (1) the Order Form controls; (2) then this DPA; (3) then the ToS; (4) then the Privacy Policy; (5) then the Documentation (ToS §13.2).
13.2 Governing Law
This DPA is governed by the laws of the State of Delaware, without regard to conflict-of-law principles, except that where the GDPR applies, the governing law of the DPA shall be the law of the EU Member State in which the Customer is established (ToS §12.5).
13.3 Amendments
Material amendments to this DPA require at least 30 days' written notice and are subject to the objection and termination rights in ToS §13.3.
13.4 Execution
This DPA may be executed by: (a) signing a physical or electronic copy; (b) accepting via the Platform's account settings; or (c) countersigning an Order Form that incorporates this DPA. Contact admin@adaptiveap.com to execute.
Annex A — Description of Processing
| Field | Description |
|---|---|
| Controller | Customer (as identified in the Order Form) |
| Processor | Adaptive Agentic Platform LLC, 254 Chapman Rd, Ste 208 #26210, Newark, Delaware 19702, US |
| Subject Matter | Processing of Personal Data through the Adaptive AI Platform to enable AI Worker deployment and operation |
| Duration | For the term of the Agreement, plus the post-termination export and deletion window |
| Nature of Processing | Collection, storage, retrieval, use, transmission, organization, and deletion of Personal Data in connection with AI Worker interactions across voice, chat, email, SMS, and social media channels |
| Purpose of Processing | To provide, maintain, and support the Platform; to operate AI Workers on Customer's behalf; to enable human escalation; to generate analytics and telemetry; to comply with applicable law |
| Categories of Data Subjects | End Users interacting with Customer's AI Workers; Customer's Authorized Users |
| Categories of Personal Data | Contact information (name, email, phone number); conversation content and transcripts; voice recordings (where enabled); device and channel metadata (IP address, browser type, messaging platform identifiers); session logs and interaction history; account credentials (hashed) |
| Sensitive Data | Not processed by default. If Customer submits Sensitive Personal Information, Customer must comply with §3.4 of this DPA and, for Protected Health Information, execute a BAA |
| Retention | Per the Data Residency & Retention Policy and Privacy Policy §9. Default: conversation transcripts 90 days; voice recordings 30 days; session telemetry 30 days. Configurable per Order Form. |
Annex B — Technical and Organizational Measures
Adaptive AI implements the following measures to protect Personal Data. These measures correspond to ToS §5.7 and Privacy Policy §11.
B.1 Encryption
- All data in transit encrypted using TLS 1.2 or higher.
- All data at rest encrypted using AES-256.
- BYOK API keys encrypted at rest and never logged in plaintext.
B.2 Access Controls
- Role-based access control (RBAC) with least-privilege principle.
- Multi-factor authentication required for all Adaptive AI personnel accessing production systems.
- All access to Customer Data logged and auditable.
- Access restricted to personnel with a legitimate business need.
B.3 Tenant Isolation
- Single-tenant deployment: dedicated database instance and compute environment per Customer (ToS §5.10; Privacy Policy §4).
- Network-level isolation between Customer environments.
- Security incidents or misconfigurations in one tenant cannot expose another tenant's data.
B.4 Vulnerability Management
- Regular security assessments and penetration testing.
- Automated dependency scanning and patch management.
- Secure software development lifecycle (SSDLC) practices.
B.5 Incident Response
- Documented incident response procedures for detecting, containing, and remediating security incidents.
- 72-hour notification to Customer upon confirmed Security Incident (ToS §5.7; Privacy Policy §11).
- Post-incident review and remediation tracking.
B.6 Infrastructure Security
- Production infrastructure hosted on Railway with single-tenant deployments.
- Database services on Supabase (PostgreSQL) with encryption at rest.
- Object storage on Cloudflare R2 with encryption at rest.
- Real-time communications via LiveKit Cloud (WebRTC) with end-to-end encryption for media streams.
B.7 Personnel Security
- Background checks for personnel with access to production systems.
- Mandatory data protection and security awareness training.
- Binding confidentiality obligations for all personnel.
B.8 Business Continuity
- Automated backups with geographic redundancy.
- Disaster recovery procedures with defined recovery time objectives.
- Regular backup restoration testing.
Annex C — Standard Contractual Clauses
For transfers of Personal Data from the EEA to the United States, the parties agree to the Standard Contractual Clauses (Module Two: Controller to Processor) approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, as amended or replaced.
For transfers of Personal Data from the United Kingdom, the parties agree to the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office under section 119A of the Data Protection Act 2018.
| SCC Element | Selection |
|---|---|
| Module | Module Two: Controller to Processor |
| Clause 7 (Docking clause) | Included |
| Clause 9(a) (Sub-processor authorization) | Option 2: General written authorization, with 30-day prior notice of changes |
| Clause 11 (Redress) | Option: Independent dispute resolution body not included |
| Clause 13 (Supervision) | The supervisory authority of the EU Member State in which the Controller is established |
| Clause 17 (Governing law) | The law of the EU Member State in which the Controller is established |
| Clause 18 (Choice of forum) | The courts of the EU Member State in which the Controller is established |
| Annex I.A (List of parties) | Data exporter: Customer (Controller); Data importer: Adaptive Agentic Platform LLC (Processor) |
| Annex I.B (Description of transfer) | As set out in Annex A of this DPA |
| Annex I.C (Competent supervisory authority) | The supervisory authority of the EU Member State in which the Controller is established |
| Annex II (Technical and organizational measures) | As set out in Annex B of this DPA |
| Annex III (List of sub-processors) | As maintained at legal.adaptive.ai/subprocessors |
The full text of the SCCs is available at eur-lex.europa.eu.
Execution
By executing this DPA, the parties agree to its terms.
| Customer | Adaptive AI | |
|---|---|---|
| Signature | _________________________ | _________________________ |
| Name | ||
| Title | ||
| Date | ||
| Entity | Adaptive Agentic Platform LLC |