Data Processing Agreement

Last updated: 13 April 2026  ·  Version 1.0

Enterprise customers: To receive a countersigned PDF version of this DPA for your records, email dpa@aikraft.eu with the subject line "DPA Request — [Your Company Name]". We aim to return countersigned copies within 5 business days.

1. Introduction and Scope

When Tonoy Akanda, operating as Aikraft ("Aikraft", "Processor"), processes personal data on behalf of its customers ("Controller") in the course of providing the Aikraft platform and related services, Aikraft does so as a data processor within the meaning of Article 4(8) of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

This Data Processing Agreement ("DPA") governs that processing relationship and fulfils the requirements of Article 28 GDPR. It applies to all personal data processed by Aikraft in connection with its services to the Controller.

For information on how Aikraft processes personal data in its own capacity as a data controller (for example, account data), please see our Privacy Policy.

2. How This DPA Is Executed

This DPA is incorporated by reference into Aikraft's Terms of Service and applies automatically to all customers who are data controllers subject to the GDPR. By accepting the Terms of Service, you also accept this DPA. No separate signature is required for the DPA to be legally effective, in accordance with the European Data Protection Board's guidance on Article 28 agreements.

Countersigned paper copy: If your organisation requires a separately executed, countersigned PDF for audit or contractual purposes, please contact dpa@aikraft.eu. Enterprise customers may also negotiate additional terms through their contract process.

3. Subject Matter of Processing

Aikraft processes personal data on behalf of the Controller for the following purposes and subject matter:

  • Storing and processing AI system descriptions, technical parameters, and compliance records entered by the Controller's users into the Aikraft platform;
  • Maintaining user accounts and authentication credentials for individuals authorised by the Controller to access the platform;
  • Generating, storing, and exporting compliance documentation (including EU AI Act technical documentation under Annex IV) on behalf of the Controller; and
  • Providing monitoring, alerting, and reporting features in connection with the Controller's AI system compliance programme.

4. Categories of Data Subjects

The personal data processed under this DPA may relate to the following categories of data subjects:

  • Controller's employees and staff — individuals employed by or contracted to the Controller who are named as owners, developers, or operators of AI systems documented in the platform;
  • Controller's platform users — employees or contractors authorised to access the Aikraft platform on the Controller's behalf; and
  • Third parties described in AI system documentation — individuals (such as customers, patients, job applicants, or other end users of the Controller's AI systems) whose roles may be mentioned in system descriptions or impact assessments entered by the Controller.

5. Types of Personal Data

The categories of personal data that may be processed under this DPA include:

  • Names and professional identifiers (e.g., employee ID, job title, department);
  • Professional contact information (work email address, work telephone number);
  • User account data (username, hashed password, last login, access logs); and
  • Any personal data included by the Controller in free-text descriptions of AI systems or their use cases.

Special categories of data: Aikraft's platform is not designed or intended to process special categories of personal data as defined in Article 9 GDPR (such as health data, biometric data, or data concerning racial or ethnic origin). The Controller must not upload special category data to the platform without first concluding a specific written addendum to this DPA. Contact dpa@aikraft.eu if this is a requirement.

6. Duration of Processing

Aikraft will process personal data under this DPA for the duration of the service agreement between the parties. Upon termination or expiry of the service agreement for any reason:

  • Personal data will remain available for the Controller to export for a period of 30 days following the effective termination date;
  • After the 30-day export window, Aikraft will securely delete all personal data processed under this DPA unless retention is required by applicable law; and
  • Application and access logs containing personal data will be deleted within 90 days of the termination date.

7. Processor Obligations

Aikraft, as Processor, undertakes the following obligations:

7.1 Processing on Instructions

Aikraft will process personal data only on documented instructions from the Controller, as set out in this DPA and the Terms of Service. If Aikraft is required by EU or member state law to process personal data in a way that goes beyond these instructions, it will inform the Controller before carrying out such processing unless prohibited by law.

7.2 Confidentiality of Processing Staff

Aikraft ensures that all personnel authorised to process the Controller's personal data are subject to binding obligations of confidentiality, either by contract or by statutory obligation, and receive appropriate data protection training.

7.3 Security Measures (Art. 32 GDPR)

Aikraft implements and maintains appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as detailed in Section 9 of this DPA.

7.4 Breach Notification

In the event of a personal data breach affecting the Controller's data, Aikraft will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will include: the nature of the breach and approximate number of data subjects affected; the likely consequences; the measures taken or proposed to address the breach; and the contact details of Aikraft's privacy team.

7.5 Assistance with Data Subject Rights

Aikraft will provide reasonable technical and organisational assistance to enable the Controller to fulfil its obligations to respond to data subject requests under Chapter III GDPR (access, rectification, erasure, portability, restriction, and objection), taking into account the nature of the processing and the information available to Aikraft.

7.6 Assistance with Controller's GDPR Obligations

Aikraft will assist the Controller in ensuring compliance with its obligations under Articles 32–36 GDPR (security of processing, breach notification, data protection impact assessments, and prior consultation with supervisory authorities), taking into account the nature of the processing and information available to Aikraft.

7.7 Deletion or Return of Data on Termination

At the choice and written request of the Controller made within the 30-day post-termination export window, Aikraft will either return all personal data to the Controller in a portable format (JSON or CSV) or securely delete it. After the 30-day window, deletion is carried out automatically. Aikraft will provide written confirmation of deletion upon request.

7.8 Audit Assistance

Aikraft will make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations in this DPA and, where requested, will allow for and contribute to audits conducted by the Controller or its appointed auditor, subject to reasonable confidentiality protections and prior notice of at least 30 days. Before commencing any audit, the parties will agree the scope and timing to minimise disruption to Aikraft's operations.

8. Sub-Processors

The Controller provides general written authorisation for Aikraft to engage the following sub-processors. These sub-processors are bound by data processing agreements at least as protective as this DPA.

  • Amazon Web Services (AWS)
    Role: Cloud infrastructure, compute, database, object storage
    Location: Frankfurt, Germany (eu-central-1)
    Transfer mechanism: EEA (no transfer required)
  • Hetzner Online GmbH
    Role: Encrypted offsite backup storage
    Location: Nuremberg, Germany
    Transfer mechanism: EEA (no transfer required)
  • Postmark (ActiveCampaign)
    Role: Transactional email delivery
    Location: USA (EU data centre)
    Transfer mechanism: Standard Contractual Clauses (SCCs)
  • Stripe, Inc.
    Role: Payment processing and billing infrastructure
    Location: USA (Stripe Payments Europe, Ltd. for EU)
    Transfer mechanism: SCCs; UK adequacy decision where applicable
  • Plausible Analytics
    Role: Privacy-first website analytics (no personal data processed)
    Location: Frankfurt, Germany (Hetzner)
    Transfer mechanism: EEA (no transfer required)

Changes to sub-processors

Aikraft will notify the Controller at least 30 days in advance of adding or replacing any sub-processor. Notification will be provided by email to the account's registered address and by updating this page. If the Controller objects to a new sub-processor on reasonable data protection grounds, it may notify Aikraft in writing within 14 days of notification. Aikraft will work in good faith to resolve the objection; if it cannot be resolved, the Controller may terminate the service agreement without penalty.

9. Security Measures (Art. 32 GDPR)

Aikraft implements the following technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access:

  • Encryption at rest: AES-256 for all data at rest, including database volumes and backups
  • Encryption in transit: TLS 1.3 for all data in transit; HSTS enforced on all endpoints
  • Access control: Role-based access control (RBAC); MFA enforced for all Aikraft staff; principle of least privilege; quarterly access reviews; privileged access management (PAM) for production systems
  • Data isolation: Logical tenant isolation; no cross-tenant data access; dedicated workspace encryption keys for Enterprise customers
  • Compliance and attestations: GDPR-aligned processing. Aikraft does not currently hold SOC 2 or ISO 27001 certification as an organisation; such attestations may be pursued as the business matures.
  • Vulnerability management: Automated dependency scanning (Dependabot and Snyk); SAST in the CI/CD pipeline; quarterly penetration testing by a qualified external firm
  • Incident response: 24/7 monitoring with automated anomaly detection; documented incident response plan; P0 response time under 1 hour; post-incident reports for Enterprise customers
  • Physical security: Primary infrastructure is hosted in AWS Frankfurt facilities operated under AWS's security and compliance programmes, including physical access controls and monitoring; encrypted offsite backups are held by Hetzner Online GmbH in Nuremberg, Germany (see Section 8).
  • Business continuity: Multi-AZ deployment; RTO under 4 hours; RPO under 1 hour; daily encrypted backups

10. International Transfers

All primary processing takes place within the EEA (Frankfurt, Germany). Where any sub-processor is located outside the EEA, Aikraft ensures that an appropriate transfer mechanism is in place as set out in Section 8. Aikraft will not transfer personal data outside the EEA to any sub-processor that has not entered into appropriate SCCs or benefited from an adequacy decision.

11. Data Subject Rights Assistance

When Aikraft receives a data subject request relating to the Controller's personal data (for example, an access or erasure request submitted directly to Aikraft), it will promptly forward that request to the Controller and will not respond to the data subject directly except to confirm that the request has been forwarded, unless the Controller has expressly authorised Aikraft to respond on its behalf.

Aikraft provides data export and deletion tools within the platform that enable Controllers to respond to data subject requests without requiring Aikraft engineering involvement in most cases.

12. Governing Law

This DPA is governed by the law of the Federal Republic of Germany. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of Berlin, Germany, consistent with the governing law provisions of the Terms of Service.

13. Contact and Execution

For DPA-related enquiries, to request a countersigned PDF, or to exercise any right under this DPA, please contact:

Aikraft (Tonoy Akanda) — Data Processing
Berlin, Germany
E-mail: dpa@aikraft.eu

© 2026 Aikraft. All rights reserved. Based in Berlin, Germany.