Data Processing Agreement (DPA)
Effective Date: April 15, 2026 | Last Updated: April 15, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service or Master Service Agreement ("Agreement") between:
Data Processor: Smalt AI PLT ("Processor", "we", "us")
Data Controller: The customer entity that has agreed to the Terms of Service ("Controller", "you")
Data Controller: The customer entity that has agreed to the Terms of Service ("Controller", "you")
This DPA sets out the terms under which the Processor processes personal data on behalf of the Controller in connection with the Smalt AI platform (the "Service").
1. Definitions
- "Data Protection Laws" means the UK GDPR, EU GDPR (Regulation 2016/679), the UK Data Protection Act 2018, and any other applicable data protection legislation.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Service.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Scope and Purpose of Processing
| Detail | Description |
|---|---|
| Subject Matter | Provision of the Smalt AI platform, including AI-powered financial modelling, document generation, research, and productivity services. |
| Duration | For the term of the Agreement, plus any post-termination data retention period. |
| Nature and Purpose | Processing Customer inputs through AI models to generate outputs; storing conversation history; managing user accounts; providing customer support. |
| Types of Personal Data | Name, email address, IP address, company information, job title, usage data, and any personal data included in content submitted to the Service by the Controller. |
| Categories of Data Subjects | Controller's employees, contractors, and authorised users of the Service. |
3. Controller Obligations
The Controller shall:
- Ensure it has a lawful basis for providing Personal Data to the Processor.
- Provide clear instructions to the Processor regarding the processing of Personal Data.
- Ensure that data subjects have been informed about the processing in accordance with Data Protection Laws.
- Be responsible for the accuracy, quality, and legality of Personal Data provided to the Processor.
4. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required by law.
- Ensure that persons authorised to process Personal Data have committed themselves to confidentiality.
- Implement appropriate technical and organisational security measures (see Section 6).
- Not engage another processor (sub-processor) without prior specific or general written authorisation of the Controller (see Section 7).
- Assist the Controller in responding to data subject rights requests.
- Assist the Controller in ensuring compliance with obligations related to security, breach notification, data protection impact assessments, and prior consultation.
- At the Controller's choice, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless retention is required by law.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA.
- Not use Personal Data for any purpose other than providing the Service, including not using Personal Data to train AI models.
5. Data Subject Rights
The Processor shall:
- Promptly notify the Controller if it receives a request from a data subject to exercise their rights under Data Protection Laws.
- Not respond to such requests directly unless authorised by the Controller.
- Provide reasonable assistance to enable the Controller to respond to data subject requests, including requests for access, rectification, erasure, restriction, portability, and objection.
- Provide self-service tools within the platform to enable the Controller to manage data subject requests where feasible (e.g., data export, account deletion).
6. Security Measures
The Processor shall implement and maintain appropriate technical and organisational measures, including:
Technical Measures
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
- Logical separation of customer data (tenant isolation)
- Access controls with role-based permissions and least-privilege principle
- Automated vulnerability scanning and security monitoring
- Secure software development lifecycle practices
- Regular backups with encryption
- DDoS protection and network security controls
Organisational Measures
- Access limited to authorised personnel on a need-to-know basis
- Confidentiality obligations for all personnel
- Security awareness training
- Documented incident response procedures
- Regular review and testing of security measures
7. Sub-processors
7.1 Authorised Sub-processors
The Controller provides general written authorisation for the Processor to engage the sub-processors listed below. An up-to-date list is maintained on our Sub-processors page.
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and hosting | United States / EU |
| Supabase | Authentication (email/password, optional Google Sign-In) | United States |
| Anthropic | AI model provider (Claude) | United States |
| Google (Gemini) | AI model provider | United States |
| Composio | Third-party tool integrations (OAuth connections) | United States |
| Apollo | Contact and company lookup | United States |
| Firecrawl | Web scraping and research | United States |
| Stripe | Payment processing | United States |
| Amazon SES | Transactional email delivery | United States |
| Resend | Email delivery | United States |
7.2 Changes to Sub-processors
- The Processor shall notify the Controller at least 30 days before adding or replacing a sub-processor.
- The Controller may object to a new sub-processor by notifying the Processor in writing within 14 days of notification.
- If the Controller objects, the parties shall discuss the concern in good faith. If no resolution is reached, the Controller may terminate the affected portion of the Service.
- The Processor shall impose data protection obligations on sub-processors no less protective than those in this DPA.
8. Data Breach Notification
- The Processor shall notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a Data Breach affecting the Controller's Personal Data.
- The notification shall include:
- A description of the nature of the breach, including categories and approximate number of data subjects and records affected
- The name and contact details of the Processor's contact point
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach
- The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.
9. International Data Transfers
- Where Personal Data is transferred outside the UK/EEA, the Processor shall ensure appropriate safeguards are in place.
- Transfers to the United States and other third countries are protected by:
- Standard Contractual Clauses (SCCs) as approved by the European Commission (Module 2: Controller to Processor)
- The UK International Data Transfer Addendum (IDTA) where applicable
- The SCCs and/or IDTA are incorporated into this DPA by reference and shall be deemed executed between the parties.
10. Audits
- The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA.
- The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller, subject to reasonable notice and scope.
- Audits shall be conducted during normal business hours, no more than once per year (unless required by a Data Protection Authority or following a Data Breach), and subject to reasonable confidentiality obligations.
11. Data Retention and Deletion
- Upon termination of the Agreement, the Processor shall:
- Provide the Controller with the ability to export their data for a period of 30 days
- Delete all Personal Data within 30 days of the end of the export period
- Provide written confirmation of deletion upon request
- The Processor may retain Personal Data to the extent required by applicable law, and only for the purposes and duration required by such law.
12. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Agreement.
13. Term and Termination
This DPA shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller. It shall automatically terminate when the Agreement terminates and all Personal Data has been deleted or returned.
14. Contact
Smalt AI PLT - Data Protection
Email: support@smaltai.com
Email: support@smaltai.com
By using the Service, the Controller acknowledges and agrees to this Data Processing Agreement.