Last updated: January 2025
1. Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written agreement between d/b/a Takeoff Convert AI ("Processor") and the customer organization ("Controller"). It governs the processing of Personal Data on behalf of the Controller in connection with the Service.
2. Definitions
"Personal Data", "Processing", "Controller", and "Processor" have the same meanings as defined by applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.
"Subprocessor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
3. Processing Instructions
Processor will process Personal Data only on documented instructions from Controller, including with regard to transfers of Personal Data to a third country.
Controller is responsible for ensuring that its instructions are lawful and comply with applicable data protection laws.
4. Confidentiality
Processor will ensure that persons authorized to process Personal Data are subject to confidentiality obligations and receive appropriate training regarding data protection responsibilities.
5. Security Measures
Processor implements technical and organizational security measures appropriate to the risk, including encryption in transit and at rest, access controls, audit logging, and regular vulnerability assessments.
A summary of current security controls is available upon request. Processor will not materially decrease the security of the Service during the subscription term.
6. Subprocessors
Controller authorizes Processor to engage Subprocessors necessary to provide the Service. Processor maintains an up-to-date list of Subprocessors at https://takeoffconvert.com/subprocessors.
Processor will impose data protection obligations on Subprocessors that are no less protective than those in this DPA and remains responsible for their performance.
7. International Transfers
When transferring Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country without an adequacy decision, Processor will ensure appropriate safeguards are in place, such as Standard Contractual Clauses or another lawful transfer mechanism.
8. Data Subject Rights
Taking into account the nature of the Processing, Processor will assist Controller in fulfilling data subject rights requests (access, rectification, deletion, restriction, portability, and objection) by providing necessary tools within the Service or reasonable cooperation.
Controller is responsible for responding to data subject requests and verifying the identity of the requestor.
9. Incident Notification
Processor will promptly notify Controller without undue delay after becoming aware of a Personal Data Breach. The notification will include relevant information reasonably available to Processor to help Controller meet its legal obligations.
10. Data Retention & Deletion
Upon termination or expiration of the Service, Processor will delete or return Personal Data to Controller, except to the extent retention is required by law. Processor may retain aggregated, de-identified data that does not identify Controller or data subjects.
11. Audits
Upon reasonable notice and subject to confidentiality, Processor will make available information necessary to demonstrate compliance with this DPA and applicable data protection laws. Controller may conduct audits once per year or more frequently if required by a supervisory authority.
12. Liability & Order of Precedence
The parties agree that any liability arising from or in connection with this DPA is subject to the limitations of liability set forth in the underlying agreement between the parties.
In the event of a conflict between this DPA and the underlying agreement, this DPA will prevail with respect to processing of Personal Data.
13. Contact Information
Data protection inquiries should be directed to support@takeoffconvert.com.