Data Processing Agreement (DPA)
Last updated: 28 Aug 2025 • Version: 1.0
Important: This DPA is a template provided for convenience and does not constitute legal advice. Please have your legal counsel review and adapt this document for your specific requirements and jurisdictions.
1. Parties & Roles
This Data Processing Agreement (“DPA”) forms part of the agreement between:
- Processor: DeepDataFusion (operated by SAFE AI SOLUTIONS, registered address: 10, Jalan PJS 11/18, Bandar Sunway, 47500 Petaling Jaya, Selangor) (“DeepDataFusion”, “we”, “us”), and
- Controller: the customer who has entered into the main agreement for the Services (“Customer”, “you”).
Capitalized terms not defined here have the meanings in the main agreement (“Agreement”).
2. Scope & Instructions
DeepDataFusion will process Personal Data on behalf of Customer solely to provide the Services described in the Agreement and in accordance with Customer’s documented instructions. If DeepDataFusion believes an instruction infringes applicable law, it will notify Customer (unless legally prohibited).
3. Nature, Purpose, Categories & Subjects
- Nature & Purpose: AI-assisted document consolidation (ingest PDFs, images, docs, etc.; transform to structured results); hosting; storage; support; billing; security; analytics on public marketing pages.
- Personal Data Categories (may include): account identifiers (name, email), usage metadata (timestamps, IPs/logs), files you upload if they contain personal data, and billing metadata (handled primarily by Stripe).
- Data Subjects: Customer’s users, employees, contractors; individuals referenced in uploaded files.
4. Compliance & Confidentiality
DeepDataFusion will ensure personnel who process Personal Data are subject to confidentiality obligations and process Personal Data in compliance with applicable data protection laws (e.g., GDPR, UK GDPR, Malaysia PDPA, and—if applicable—CCPA/CPRA).
5. Security Measures
DeepDataFusion implements technical and organizational measures appropriate to the risk, including encryption at rest and in transit, access controls, least-privilege IAM, network isolation, continuous monitoring, and backups. Details are in Annex A (TOMs).
6. Subprocessors
Customer provides a general authorization for DeepDataFusion to use Subprocessors. The current list is maintained at /subprocessors. DeepDataFusion will impose data protection obligations on Subprocessors substantially similar to those under this DPA and will remain responsible for their performance. We will provide notice of material changes and allow Customer to object on reasonable grounds.
7. International Transfers
Primary hosting region: ap-southeast-1 (Singapore). Where DeepDataFusion or its Subprocessors transfer Personal Data internationally, such transfers will comply with applicable laws (e.g., EU Standard Contractual Clauses (SCCs) Module 2 for controller-to-processor, UK IDTA/Addendum where applicable). Upon request, DeepDataFusion will provide the applicable transfer mechanisms.
8. Data Subject Rights
Taking into account the nature of the processing, DeepDataFusion will assist Customer, by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer’s obligations to respond to requests to exercise data subjects’ rights. Requests received directly by DeepDataFusion will be relayed to Customer without undue delay, unless prohibited by law.
9. Personal Data Breach
DeepDataFusion will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data and provide information reasonably required for Customer to meet its breach reporting obligations, to the extent such information is known and disclosure is permitted.
10. Records, DPIAs & Cooperation
DeepDataFusion will maintain records of processing activities and provide reasonable assistance with data protection impact assessments (DPIAs), consultations with supervisory authorities, and security questionnaires, to the extent required by law and relevant to the Services.
11. Audits
Once per 12-month period, and subject to reasonable notice and confidentiality, Customer may audit DeepDataFusion’s compliance with this DPA through (a) responses to a security questionnaire, and/or (b) review of third-party attestations where available. On-site audits are permitted only where required by law or regulator, limited in scope to this DPA and the Services, and scheduled to minimize disruption.
12. Return & Deletion
Upon termination or expiry of the Services, and at Customer’s choice, DeepDataFusion will delete or return Customer Personal Data, except where retention is required by law or legitimate recordkeeping (e.g., logs/backups for limited periods). Typical retention windows: object storage backups ≤ 30–45 days; logs ≤ 90 days.
13. Liability & Indemnity
The Parties’ liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement, unless prohibited by law.
14. Order of Precedence
If there is any conflict between this DPA and the Agreement, this DPA will control with respect to data protection obligations.
15. Term
This DPA remains in force for as long as DeepDataFusion processes Customer Personal Data under the Agreement.
16. Governing Law
[Choose one with counsel] This DPA is governed by (a) the law designated in the Agreement; or (b) failing that, the laws of Malaysia, with courts in Kuala Lumpur having jurisdiction, without prejudice to applicable mandatory data protection law.
Annex A – Technical & Organizational Measures (TOMs)
- Encryption: AES-256 for data at rest (SSE-S3/KMS); TLS 1.2+ for data in transit.
- Access control: least-privilege IAM, MFA for admin, role segregation.
- Network security: VPC isolation, security groups, WAF/ALB where applicable.
- Monitoring & logging: centralized logs, alerting, anomaly detection.
- Reliability: autoscaling, queue-backed workers, backups with periodic restore tests.
- Development hygiene: code review, dependency scanning, secrets management (SSM/Parameter Store), CI/CD safeguards.
- Incident response: documented runbooks; breach notification process.
- Data minimization: no use of Customer Content to train models; scoped analytics on marketing pages only.
Annex B – Subprocessors
See the live list at /subprocessors (incorporated by reference).
Annex C – Contact
Privacy inquiries & DSR requests: support@deepdatafusion.com