Data Processing Agreement (DPA)
Effective date: [EFFECTIVE_DATE] · Last updated: 2026-06-12
This Data Processing Agreement ("DPA") forms part of the Terms of Service between [ENTITY] ("AskRoby", "Processor", "we") and the customer agreeing to it ("Customer", "Controller", "you"), and applies where AskRoby processes Personal Data on your behalf when you use the AskRoby service at www.askroby.io (the "Services").
By registering as a business / company customer, or by using the Services to process the personal data of your end-users, you accept this DPA. Terms such as "controller", "processor", "data subject", "personal data", "personal data breach" and "processing" have the meaning given in the GDPR / UK GDPR and, where applicable, the equivalent concepts under Ecuador's LOPDP and other applicable Data Protection Laws.
1. Roles and Scope
You are the Controller of the Personal Data contained in the content you upload to the Services; AskRoby is the Processor and processes such Personal Data only to provide the Services. The subject matter, nature, purpose, duration, categories of data and data subjects are described in the Schedule below.
2. Customer Obligations
You warrant that: (a) your instructions and your collection of the Personal Data comply with Data Protection Laws; (b) you have a lawful basis and all necessary notices and consents to provide the Personal Data to AskRoby and to have it processed (including by AI sub-processors); and (c) you are solely responsible for the accuracy and legality of the Personal Data.
3. AskRoby's Obligations
To the extent AskRoby processes Personal Data on your behalf, AskRoby will:
- process it only on your documented instructions (including those in this DPA and the Services configuration), unless required by law (in which case we will inform you unless prohibited);
- ensure persons authorized to process the Personal Data are bound by confidentiality;
- implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Section 5);
- respect the conditions in Section 4 for engaging sub-processors;
- taking into account the nature of the processing, assist you by appropriate measures, insofar as possible, in responding to data-subject requests;
- assist you in ensuring compliance with security, breach-notification, and (where applicable) data-protection impact-assessment and prior-consultation obligations;
- notify you without undue delay after becoming aware of a personal-data breach affecting your Personal Data;
- at your choice, delete or return all such Personal Data after the end of the Services and delete existing copies, unless retention is required by law; and
- make available information necessary to demonstrate compliance with this Section and allow for and contribute to audits, subject to reasonable conditions (notice, frequency, confidentiality and cost) set out in this DPA.
4. Sub-processors
You provide general authorization for AskRoby to engage sub-processors to process Personal Data, provided AskRoby imposes data-protection obligations on each sub-processor no less protective than those in this DPA and remains liable for their performance. The current sub-processors are listed in the Schedule. AskRoby will inform you of intended changes (additions or replacements), giving you the opportunity to object on reasonable, data-protection-related grounds; if such an objection cannot be reasonably resolved, you may terminate the affected part of the Services.
5. Security
AskRoby maintains technical and organizational measures including: encryption of data in transit (TLS); hashing of credentials; logical access controls and least privilege; network controls; regular patching; logging and monitoring; and secure, access-controlled hosting at its infrastructure providers. These measures may evolve, but AskRoby will not materially decrease the overall level of security during the term.
6. International Transfers
AskRoby and its sub-processors may process Personal Data in the United States and other countries. Where Personal Data is transferred outside the EEA, the UK, Ecuador or another country with applicable transfer restrictions, AskRoby relies on a lawful transfer mechanism such as the Standard Contractual Clauses (or equivalent) or an adequacy decision.
7. Liability and Term
Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Terms of Service. This DPA takes effect when you accept it and continues for as long as AskRoby processes Personal Data on your behalf.
8. Governing Law
This DPA is governed by the law and jurisdiction stated in the Terms of Service ([JURISDICTION]), unless mandatory Data Protection Laws require otherwise.
Schedule — Details of Processing
Subject matter: AskRoby's provision of the Services (storing content and answering questions about it using AI) and related support.
Nature and purpose: Hosting, storage, indexing (including generation of text embeddings), retrieval and AI-assisted question-answering over the content the Customer submits, on the Customer's instructions.
Duration: For the term of the Agreement and until deletion/return of the Personal Data in accordance with Section 3(8).
Categories of Personal Data: Any personal data contained in the documents, files and text the Customer (or its end-users) submit; plus account and contact data of the Customer's authorized users (name, email, IP address). The Customer determines and controls the content and therefore the categories, which may include identifiers, contact details and any other data the Customer chooses to upload.
Categories of data subjects: The Customer's authorized users and any individuals whose personal data appears in the content the Customer submits (e.g. the Customer's employees, contractors, clients, suppliers or other third parties).
Current sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Authentication, database and file storage | US West (Oregon, us-west-2) / USA |
| Vercel | Application hosting / delivery; cookieless usage analytics | USA |
| OpenRouter (and underlying AI model providers) | AI question-answering over content | USA / international |
| OpenAI | Text embeddings for semantic search | USA |
| Resend | Transactional email | USA |
| Polar | Payments (Merchant of Record) | USA / EU |
| Push notification delivery (Apple / Google / Mozilla push services) | Delivery of encrypted push notifications to subscribed devices | USA / international |
Contact for DPA matters: [DPA_EMAIL]. [ENTITY], [ADDRESS]. [COMPANY_NUMBER].
