AiEGIS Data Processing Agreement

Effective: 2026-05-25 · Version 1.0 · Contact: privacy@aiegis.ie
Summary: This Data Processing Agreement ("DPA") governs personal data processed by AiEGIS Ltd (Ireland) as a processor on behalf of customers (controllers) under Article 28 of the EU GDPR. The endpoint product processes prompt data on the customer's own machine and AiEGIS Ltd is not the processor for that data. This DPA applies to hosted services (Grid registry, API endpoints, telemetry where the customer enables it).
This DPA is offered as a self-serve attachment to the Terms of Service. For customised DPAs (specific Standard Contractual Clauses modules, named sub-processor lists, audit rights), email privacy@aiegis.ie.

1. Parties and scope

This DPA is between AiEGIS Ltd ("Processor") and the customer entity that accepts the Terms of Service ("Controller"). It applies where Processor processes personal data on behalf of Controller in connection with the Service. It does not apply to personal data Processor processes as a controller (e.g. billing contact details), which are covered by the Privacy Policy.

2. Subject matter and duration

Subject matter: provision of the AiEGIS hosted Service to Controller. Duration: the term of the Controller's subscription plus any retention period required by law. Nature and purpose: governance, identity issuance, registry of agents, retention of audit receipts. Categories of data subjects: Controller's employees, end-users, and AI agents acting on Controller's behalf.

3. Categories of personal data processed

The endpoint capture product (Eye daemon + browser extension) processes prompt content on Controller's own machines and does not transmit prompt content to AiEGIS Ltd. AiEGIS Ltd is not the processor for endpoint-captured prompt data.

4. Processor obligations

Processor will: (a) process personal data only on documented instructions from Controller (this DPA + Controller's configuration of the Service constitute those instructions); (b) ensure persons authorised to process the data are bound by confidentiality; (c) take all measures required under Article 32 (technical and organisational security measures, set out below); (d) assist Controller with data subject requests and Articles 32-36 obligations; (e) on termination, delete or return personal data within 30 days (Controller's choice); (f) make available all information necessary to demonstrate compliance with Article 28.

5. Sub-processors

Controller authorises Processor to engage sub-processors. Current sub-processors are listed at aiegis.ie/subprocessors (page may be a sub-section of this DPA where Controller does not maintain an account). Processor will: notify Controller of any intended changes at least 14 days in advance; ensure each sub-processor is bound by data protection obligations no less protective than this DPA; remain liable for sub-processor performance.

6. Security measures (Article 32)

7. International transfers

Processor's primary infrastructure is hosted in the European Union (Ireland). Where personal data is transferred outside the EEA, Processor uses the EU Standard Contractual Clauses (Commission Decision 2021/914) as the transfer mechanism. Controller may request a copy of the executed SCCs by contacting privacy@aiegis.ie.

8. Data subject rights

Processor will assist Controller in responding to access, rectification, erasure, restriction, portability, and objection requests. Where a data subject contacts Processor directly, Processor will forward the request to Controller and not respond substantively unless legally required.

9. Audit

Processor will make available a current audit report (SOC 2 or ISO 27001 once obtained) or, on reasonable notice, allow a Controller-conducted audit limited to relevant systems, no more than once per year, at Controller's cost, subject to confidentiality. For enterprise customers, an extended audit right may be negotiated separately.

10. Liability and indemnity

The liability cap and exclusions in the Terms of Service apply to this DPA, except where Article 82 GDPR imposes joint liability that cannot lawfully be limited.

11. Governing law

This DPA is governed by the laws of Ireland and is subject to the exclusive jurisdiction of the Irish courts, consistent with the underlying Terms of Service.

12. Contact

Privacy / DPA: privacy@aiegis.ie · Security incidents: security@aiegis.ie
