Data Processing Agreement
Effective Date: 24th March 2025
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Plexe AI Ltd ("Plexe AI", "we", "us", or "our") and you or the entity you represent ("Customer"). It governs the processing of Personal Data by Plexe AI on behalf of the Customer under applicable data protection laws. This policy is incorporated by reference into the Terms of Service. All capitalised terms not defined in this AUP have the meanings given in the Terms of Service.
1. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws.
- "Applicable Data Protection Law" means all applicable laws and regulations governing the processing of Personal Data, including the UK GDPR, EU GDPR, Indian DPDPA, and relevant US state laws.
- "Subprocessor" means a third party engaged by Plexe AI to process Personal Data on behalf of the Customer.
- "Controller", "Processor", "Data Subject", "Processing", "Personal Data Breach", and related terms shall have the meanings given under Applicable Data Protection Law.
2. Roles and Scope
Customer is the Data Controller and Plexe AI is the Data Processor with respect to Personal Data processed under the Terms.
This DPA applies only where Plexe AI processes Personal Data on behalf of the Customer in the course of providing the Services.
3. Processing Instructions
Plexe AI shall process Personal Data only:
- on documented instructions from the Customer;
- to provide, maintain, and improve the Services;
- to provide technical support;
- to comply with applicable law;
- as further instructed by configuration or use of the Platform.
Plexe AI shall not use Personal Data contained in Customer-uploaded content for service improvement or machine learning model training unless explicitly authorised by Customer through documented instructions or express consent.
Plexe AI will promptly notify Customer if it believes an instruction violates Applicable Data Protection Law.
4. Personnel Confidentiality and Access
Plexe AI shall:
- ensure that personnel with access to Personal Data are subject to binding confidentiality obligations;
- limit access to those who need it to perform their roles;
- implement access controls based on least privilege;
- provide appropriate training on data protection obligations.
5. Data Security
Plexe AI shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data in transit;
- Access controls and authentication mechanisms;
- Role-based permissions and least-privilege access;
- Monitoring and logging of relevant systems;
- Secure software development practices;
- Incident response procedures.
6. Subprocessing
Customer authorises Plexe AI to engage Subprocessors. Plexe AI shall:
- impose data protection obligations on Subprocessors equivalent to those in this DPA;
- ensure Subprocessors implement appropriate safeguards for international data transfers;
- remain liable for Subprocessors' actions;
- maintain a list of current Subprocessors in the DPA and provide notice of changes.
The following list defines the Subprocessors used by Plexe AI. The list abides by the format Subprocessor | Description of Subprocessing | Location:
- Amazon Web Services, Inc. | Hosting/Infrastructure, Generative AI | United States
- OpenAI, Inc. | Generative AI | United States
- Anthropic PBC | Generative AI | United States
7. International Transfers
Where Personal Data is transferred outside the UK, EU, or other jurisdictions with adequacy protections, Plexe AI will implement appropriate safeguards such as Standard Contractual Clauses or equivalent legal mechanisms. By using the Services, Customer authorises such transfers, including transfers made by authorised Subprocessors.
8. Data Subject Rights
Plexe AI shall assist Customer in responding to requests from data subjects to exercise their rights under Applicable Data Protection Law (e.g., access, rectification, erasure, objection, restriction, portability). If Plexe AI receives a request directly, it will forward it to Customer unless legally required to respond.
9. Personal Data Breaches
In the event of a Personal Data Breach, Plexe AI shall:
- notify Customer without undue delay after becoming aware;
- provide information to support the Customer’s compliance obligations;
- cooperate with mitigation and remediation efforts.
Plexe AI and the Customer will each be responsible for costs, damages, or regulatory penalties arising from a Personal Data Breach only to the extent caused by their respective failure to comply with this DPA or applicable data protection laws, and subject to the liability limitations in the Terms of Service.
10. Data Protection Impact Assessments and Prior Consultation
Plexe AI shall provide reasonable assistance to the Customer with any data protection impact assessments and, where necessary, consultations with supervisory authorities, taking into account the nature of the processing and the information available to Plexe AI.
11. Audit and Compliance
Upon reasonable written request, Plexe AI shall provide documentation necessary to demonstrate compliance with this DPA. If that is insufficient, Customer may perform an audit:
- no more than once per calendar year, unless required by law or following a breach;
- with at least 60 days' prior written notice;
- during business hours and without material disruption;
- subject to reasonable confidentiality and security safeguards.
Plexe AI may propose alternative means (e.g., third-party certifications or summaries) to satisfy audit obligations where appropriate.
12. Data Return or Deletion
Upon termination of the Services, Customer may request the return or deletion of Personal Data. Plexe AI will delete Customer Personal Data within 3 months of account closure, unless earlier deletion is requested by Customer or retention is required to comply with applicable law or valid regulatory obligations.
Customers must request export of Personal Data before account deletion. Requests made after this point may not be fulfilled if the data has already been securely erased.
13. Liability
Each party’s liability under this DPA is subject to the limitations set out in the Terms of Service.
14. Governing Law and Jurisdiction
This DPA shall be governed by the laws of England and Wales, and any disputes shall be resolved in accordance with the dispute resolution clause of the Terms of Service.
15. Changes
Plexe AI may update this DPA from time to time. We will notify you of material changes and publish the current version at www.plexe.ai/dpa.
For questions regarding this DPA, contact: privacy@plexe.ai