Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the agreement between AIovert, Inc. (“Processor”) and the customer (“Controller”) and reflects the parties' obligations under GDPR Article 28 where AIovert processes personal data on the Controller's behalf.

Subject matter and nature of processing

AIovert processes event metadata generated by the browser extension (data classifications, AI tool domains, action types, timestamps, confidence, and a one-way content hash) to provide detection, risk scoring, and alerting. AIovert does not receive the raw content underlying a detection.

Categories of data and data subjects

• Data subjects: the Controller's employees and authorized end users.
• Data: work email, detection metadata, and per-user risk scores. No raw input content.

Processor obligations

• Process personal data only on documented instructions from the Controller.
• Ensure persons authorized to process data are bound by confidentiality.
• Implement appropriate technical and organizational security measures (Article 32).
• Assist the Controller with data-subject requests and breach notification.
• Delete or return personal data at the end of the engagement, subject to legal retention.

Sub-processors

The Controller authorizes AIovert to engage sub-processors (e.g. cloud hosting, database, payment, and email providers) under written terms no less protective than this DPA. A current list is available on request, and AIovert will give notice of intended changes.

International transfers

Where personal data is transferred outside the EEA/UK, the parties rely on an appropriate transfer mechanism such as the EU Standard Contractual Clauses.

Security measures

On-device classification (raw content never leaves the browser), encryption in transit, row-level access controls scoped per company, and least-privilege access to production systems.

Contact

To request a signed copy or our sub-processor list, email dpo@aiovert.com.