Data Processing Agreement

Effective date: 26 February 2026

This Data Processing Agreement ("DPA") forms part of the agreement between The Art of Service Pty Ltd (ABN 19 095 825 308) ("Processor", "we", "us"), a company registered in Queensland, Australia, and the entity agreeing to these terms ("Controller", "you", "your") for your use of the AI Compliance Intelligence Platform at compliance.theartofservice.com (the "Platform").

This DPA applies where you, as Controller, input personal data or compliance data into the Platform and we process that data on your behalf. It supplements our Terms of Service and Privacy Policy.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person that the Controller inputs into the Platform.
  • "Compliance Data" means assessment responses, maturity scores, remediation tasks, control notes, framework self-assessment scores, gap analysis results, and any other data you input or generate through use of the Platform.
  • "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, transmission, and deletion.
  • "Sub-processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Protection Laws" means all applicable data protection and privacy legislation, including the Australian Privacy Act 1988 (Cth), the EU General Data Protection Regulation (EU 2016/679), the UK Data Protection Act 2018, and any successor legislation.

2. Scope and Roles

For the purposes of Data Protection Laws:

  • You are the Controller — you determine the purposes and means of processing the Personal Data you input into the Platform.
  • We are the Processor — we process Personal Data solely on your documented instructions to provide the Platform services.

This DPA does not apply to data we process as a Controller in our own right (e.g., account registration details, billing information), which is governed by our Privacy Policy.

3. Categories of Data Processed

Category                 | Examples                                                  | Retention
Assessment responses     | Maturity scores, control ratings, self-assessment answers | Lifetime of account
Portfolio data           | Remediation tasks, control notes, saved comparisons       | Lifetime of account
AI advisory queries      | Compliance questions submitted to the AI advisory feature | Duration of request only (not stored on servers)
Agentic workflow outputs | Gap analysis reports, remediation plans, coverage reports | Duration of session (stored in browser)
Team member information  | Names and email addresses of invited team members         | Lifetime of tenant account

4. Processing Instructions

We will process Personal Data only in accordance with your documented instructions, which are deemed to include:

  • Providing the Platform services as described in our Terms of Service.
  • Storing Compliance Data in the Platform's database (Neo4j graph database hosted in Germany).
  • Generating assessment results, maturity scores, and cross-framework analysis from your inputs.
  • Processing AI advisory queries through our LLM inference provider to return compliance guidance.
  • Caching query results temporarily to improve Platform performance.
  • Enabling you to export your data as PDF or Excel files.

We will not process Personal Data for any purpose other than providing the Platform services unless required to do so by applicable law, in which case we will inform you of that legal requirement before processing (unless prohibited from doing so by law).

5. Sub-processors

You authorise us to engage the following Sub-processors to assist in providing the Platform:

Sub-processor       | Purpose                               | Data processed                               | Location
Hetzner Online GmbH | Backend hosting (database, API)       | All Platform data                            | Germany
Vercel Inc.         | Frontend hosting                      | IP addresses, browser metadata               | Global edge network
Cerebras Systems    | AI/LLM inference for advisory queries | Advisory query text (anonymised, not stored) | United States
Stripe Inc.         | Payment processing                    | Email, subscription status                   | United States
Twilio (SendGrid)   | Transactional email                   | Name, email address                          | United States

We will notify you at least 30 days before engaging any new Sub-processor, giving you the opportunity to object. If you have a reasonable objection, we will work with you to address your concerns or offer an alternative solution. Sub-processor notifications will be sent to the email address associated with your account.

6. Data Security

We implement appropriate technical and organisational measures to protect Personal Data, including:

  • Encryption in transit — all data transmitted between your browser, our API, and our database uses TLS/HTTPS. Caddy provides automatic certificate management via Let's Encrypt.
  • Encryption at rest — database storage on Hetzner servers uses encrypted volumes.
  • Access control — database access is restricted to internal Docker networks not exposed to the internet. Administrative access requires SSH key authentication.
  • Authentication — user passwords are hashed using bcrypt. Session tokens use signed JWTs with configurable expiry.
  • Network isolation — the database (Neo4j) and cache (Redis) run on an isolated internal Docker network, accessible only by the API service.
  • Rate limiting — API endpoints enforce rate limits to prevent abuse.
  • Credential management — all secrets (database passwords, API keys, signing keys) are stored in environment variables, not in source code.
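The network-isolation, TLS-termination and credential-handling measures listed above correspond to a common Docker Compose layout. The fragment below is an added illustration of that layout and is not the Platform's own configuration; the service names, image tags, and environment variable names are assumptions made for the example.

```yaml
# Added example: a two-network Compose layout in which only the reverse proxy
# is reachable from the internet, and the database and cache are reachable
# only from the API container. Not the Platform's real compose file; service
# names, images and variable names are assumptions.
services:
  caddy:
    image: caddy:2
    ports:
      - "80:80"          # needed for the ACME HTTP-01 challenge and HTTP->HTTPS redirect
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy_data:/data # persists Let's Encrypt certificates across restarts
    networks: [edge]

  api:
    image: example/compliance-api:latest   # assumed image name
    environment:
      NEO4J_URI: bolt://neo4j:7687         # resolves only on the internal network
      NEO4J_PASSWORD: ${NEO4J_PASSWORD}    # injected from the host environment, never committed
      REDIS_URL: redis://redis:6379
      JWT_SIGNING_KEY: ${JWT_SIGNING_KEY}  # assumed variable name for the session-token key
      JWT_EXPIRY_SECONDS: "3600"           # assumed variable name for the configurable expiry
    # No "ports:" block: the API is reachable only from caddy over the edge network.
    networks: [edge, internal]

  neo4j:
    image: neo4j:5
    environment:
      NEO4J_AUTH: neo4j/${NEO4J_PASSWORD}
    # No "ports:" block: 7474 (HTTP) and 7687 (Bolt) are never published to the host.
    networks: [internal]

  redis:
    image: redis:7
    # No "ports:" block: only the api container can open 6379.
    networks: [internal]

networks:
  edge: {}
  internal:
    internal: true   # Docker attaches no external route: these containers cannot reach
                     # or be reached from outside the Compose project.

volumes:
  caddy_data: {}
```

Two checks confirm the isolation once the stack is up: `docker network inspect <project>_internal` must report `"Internal": true`, and `docker compose port neo4j 7687` and `docker compose port redis 6379` must print nothing, showing that neither data store has a host-published port. Because `internal: true` also blocks outbound traffic, any service that must call out (for example to the LLM provider or the email provider) has to sit on the `edge` network as the API does here.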

7. Data Subject Rights

We will assist you in responding to requests from data subjects exercising their rights under Data Protection Laws (access, rectification, erasure, portability, restriction, objection), taking into account the nature of the processing.

  • We will promptly notify you if we receive a data subject request directly, and will not respond to it without your instruction unless legally required to do so.
  • We provide data export capabilities (PDF, Excel) to assist with portability requests.
  • Account and data deletion requests can be fulfilled within 30 days by contacting privacy@theartofservice.com.

8. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify you without undue delay and in any event within 72 hours of becoming aware of the breach.
  • Provide you with sufficient information to enable you to meet your own notification obligations to supervisory authorities and data subjects.
  • Cooperate with you and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
  • Document the breach including its effects and the corrective measures taken.

9. International Data Transfers

Our primary data storage is in Germany (Hetzner). Where Personal Data is transferred to Sub-processors located outside the European Economic Area (specifically the United States), we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision 2021/914).
  • Data processing agreements with each Sub-processor requiring equivalent data protection standards.
  • Where applicable, the Sub-processor's participation in recognised data transfer frameworks.

AI advisory queries sent to Cerebras for LLM inference are anonymised (stripped of user identifiers) and are not stored by Cerebras beyond the duration of the inference request.

10. Audits and Compliance

We will make available to you, on request, all information necessary to demonstrate compliance with this DPA and applicable Data Protection Laws. This includes:

  • Responding to reasonable written audit questionnaires within 30 days.
  • Providing documentation of our security measures and Sub-processor arrangements.
  • Allowing audits or inspections conducted by you or an independent auditor mandated by you, subject to reasonable notice (at least 30 days), scope limitations, and confidentiality obligations.

Audits shall be conducted during normal business hours (AEST), no more than once per 12-month period unless required by a supervisory authority or following a data breach.

11. Data Return and Deletion

Upon termination of the agreement or upon your written request:

  • We will provide you with a copy of all Compliance Data in a structured, commonly used, and machine-readable format (JSON, CSV, or Excel) within 30 days.
  • After providing the data export (or upon your instruction to skip the export), we will delete all Personal Data and Compliance Data from our systems within 30 days, except where retention is required by applicable law.
  • We will confirm deletion in writing upon request.
  • Cached data (Redis) expires automatically and is not retained beyond its cache TTL (maximum 24 hours).

12. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

We will indemnify you against any losses arising from our breach of this DPA or our failure to comply with applicable Data Protection Laws in our capacity as Processor, except to the extent the breach was caused by your instructions or your failure to comply with Data Protection Laws.

13. Term and Termination

This DPA commences on the date you accept it (or begin using the Platform under an Enterprise subscription) and continues for the duration of your use of the Platform.

The obligations in Sections 6 (Data Security), 8 (Data Breach Notification), 11 (Data Return and Deletion), and 12 (Liability) survive termination of this DPA.

14. Governing Law

This DPA is governed by the laws of Queensland, Australia, without regard to conflict of laws principles. Where the Controller is located in the EEA or UK, the provisions of the GDPR or UK GDPR (as applicable) take precedence to the extent of any conflict with Australian law.

15. Contact

For questions about this DPA or to exercise your rights under it, contact us at:

Data Protection enquiries: privacy@theartofservice.com

General enquiries: support@theartofservice.com

Postal address: The Art of Service Pty Ltd, Queensland, Australia

The Art of Service Pty Ltd (ABN 19 095 825 308), Queensland, Australia.