Skip to main content

Data Processing Addendum

This Data Processing Addendum ("DPA") supplements our Terms of Service

Version 1.0 · Last updated: January 4, 2026

Introduction

This Data Processing Addendum ("DPA") forms part of the agreement between Cloud Cerebro Inc. ("Cloud Cerebro," "we," "us," or "Processor") and the customer ("Customer" or "Controller") for the provision of AI automation services (the "Services").

This DPA applies to the extent that Cloud Cerebro processes Personal Data on behalf of the Customer in providing the Services, where such processing is subject to applicable Data Protection Laws including the GDPR, UK GDPR, CCPA/CPRA, and other applicable privacy regulations.

Effective Date: January 4, 2026

1. Definitions

In this DPA, unless otherwise specified, the following terms have the meanings set out below:

"Controller"

The entity that determines the purposes and means of processing Personal Data.

"Data Protection Laws"

All applicable laws relating to data protection and privacy, including GDPR, UK GDPR, CCPA/CPRA, PIPEDA, and other applicable regulations.

"Data Subject"

An identified or identifiable natural person whose Personal Data is processed.

"Personal Data"

Any information relating to an identified or identifiable natural person.

"Processor"

The entity that processes Personal Data on behalf of the Controller.

"Subprocessor"

Any third party engaged by Cloud Cerebro to process Personal Data on behalf of the Customer.

"Security Incident"

A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2. Scope and Roles

2.1 Roles of the Parties

For the purposes of this DPA:

  • The Customer is the Controller of Personal Data
  • Cloud Cerebro is the Processor, processing Personal Data on behalf of the Customer

2.2 Processing Details

The details of processing activities are as follows:

Subject Matter Provision of AI automation services including document processing, data extraction, intelligent chat, and data labelling
Duration For the term of the Services agreement plus any data retention period
Nature & Purpose Processing Customer data through AI models for automation, analysis, and intelligent workflows
Categories of Data As determined by Customer's use of the Services; may include business data, contact information, and other data submitted by Customer
Data Subjects Customer's employees, contractors, customers, and other individuals whose data is submitted to the Services

3. Customer Obligations

The Customer agrees to:

  • Ensure it has a valid legal basis for processing Personal Data and sharing it with Cloud Cerebro
  • Provide all necessary notices and obtain all necessary consents from Data Subjects
  • Ensure that its instructions to Cloud Cerebro comply with applicable Data Protection Laws
  • Ensure the security of Personal Data before it is transferred to Cloud Cerebro

4. Cloud Cerebro Obligations

Cloud Cerebro agrees to:

4.1 Processing Instructions

  • Process Personal Data only on documented instructions from the Customer
  • Inform the Customer if required by law to process data otherwise (unless prohibited)

4.2 Confidentiality

  • Ensure that personnel processing Personal Data are bound by confidentiality obligations
  • Limit access to Personal Data to personnel who need access for service delivery

4.3 Security

  • Implement appropriate technical and organizational measures to ensure security
  • Encrypt Personal Data in transit and at rest
  • Maintain ability to restore availability and access to data in case of incident
  • Regularly test and evaluate the effectiveness of security measures

4.4 Assistance

  • Assist Customer in responding to Data Subject requests
  • Assist with Customer's obligations regarding security, breach notification, and data protection impact assessments

5. Subprocessors

5.1 Authorization

The Customer provides general authorization for Cloud Cerebro to engage subprocessors to assist in providing the Services. A current list of subprocessors is available at /subprocessors.

5.2 Subprocessor Obligations

Cloud Cerebro will:

  • Enter into a written agreement with each subprocessor imposing data protection obligations substantially similar to this DPA
  • Remain liable for the acts and omissions of its subprocessors

5.3 New Subprocessors

Before engaging a new subprocessor, Cloud Cerebro will:

  • Notify Customer at least 30 days in advance
  • Update the subprocessors list on our website
  • Give Customer the opportunity to object on reasonable grounds

6. International Data Transfers

To the extent that Personal Data is transferred from the European Economic Area (EEA), UK, or Switzerland to a country not recognized as providing adequate protection:

  • Cloud Cerebro will implement appropriate safeguards, including Standard Contractual Clauses (SCCs)
  • Additional technical measures will be implemented where necessary
  • Transfer impact assessments will be conducted as required

The EU SCCs are incorporated by reference into this DPA and will apply to transfers of Personal Data subject to GDPR.

7. Security Incidents

In the event of a Security Incident affecting Customer Personal Data, Cloud Cerebro will:

  • Notify Customer without undue delay (and within 72 hours where feasible) after becoming aware of the incident
  • Provide available information about the incident including nature, categories of data, approximate number of affected individuals, and potential consequences
  • Take reasonable steps to contain, investigate, and mitigate the incident
  • Cooperate with Customer's reasonable requests for information and assistance

8. Audits and Certifications

Cloud Cerebro will make available to Customer information necessary to demonstrate compliance with this DPA, including:

  • Security documentation and audit reports upon request
  • Responses to reasonable security questionnaires
  • Documentation of security policies and procedures

Customer may conduct audits upon reasonable notice, subject to confidentiality obligations and reimbursement of reasonable costs.

9. Data Retention and Deletion

Upon termination of the Services or upon Customer's written request:

  • Cloud Cerebro will delete or return all Personal Data within 30 days
  • Subprocessors will be instructed to delete or return data accordingly
  • Deletion confirmation will be provided upon request

Cloud Cerebro may retain Personal Data to the extent required by applicable law, in which case it will continue to protect such data in accordance with this DPA.

10. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the underlying Services agreement, except to the extent such limitations are prohibited by applicable Data Protection Laws.

11. General Terms

11.1 Precedence

In the event of any conflict between this DPA and the Services agreement, this DPA will prevail to the extent of the conflict as it relates to data protection matters.

11.2 Amendments

Cloud Cerebro may update this DPA from time to time. Material changes will be notified to Customers with an active Services agreement.

11.3 Governing Law

This DPA will be governed by and construed in accordance with the laws specified in the Services agreement. If no governing law is specified, this DPA shall be governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein, unless applicable Data Protection Laws require otherwise.

Request a Signed DPA

Enterprise customers can request a countersigned copy of this DPA. Contact our privacy team to initiate the process.

Request Signed DPA View Subprocessors