Data Processing Agreement

This DPA governs G8KEPR's processing of Personal Data on behalf of customers in accordance with applicable Data Protection Laws, including the GDPR.

Last updated: April 29, 2026
Applies to: EEA, UK, Switzerland and global customers

  • SCCs Incorporated: EC Decision 2021/914
  • AES-256-GCM + TLS 1.3: Security measures
  • 72h Breach Notification: GDPR Art. 33
  • 5-day DPA turnaround: On request

1. Definitions

  • "Controller" means the G8KEPR customer that determines the purposes and means of processing Personal Data.
  • "Processor" means G8KEPR (operated by Wesley Ellis), which processes Personal Data on behalf of the Controller.
  • "Personal Data" has the meaning given in applicable Data Protection Laws, including the GDPR.
  • "Data Protection Laws" means all applicable laws relating to the processing of Personal Data, including the GDPR, UK GDPR, and CCPA.
  • "Sub-processor" means any third party engaged by G8KEPR to process Personal Data in connection with the Services.

2. Scope and Nature of Processing

  • G8KEPR processes Personal Data solely to provide the Services described in the applicable subscription agreement.
  • The categories of data subjects whose Personal Data is processed include: the Controller's end users, API consumers, and system administrators.
  • The types of Personal Data processed include: identifiers (email address, user ID, IP address), usage logs, and AI system outputs as submitted by the Controller.
  • Processing activities include: storing, analysing, transmitting, and securing AI system outputs and API traffic on behalf of the Controller.
  • G8KEPR will not process Personal Data for any purpose other than as instructed by the Controller or as required by applicable law.

3. Controller Instructions

  • G8KEPR processes Personal Data only on documented instructions from the Controller, unless required to do so by applicable law.
  • The Controller's instructions are set out in the subscription agreement and this DPA. Additional instructions may be given in writing.
  • If G8KEPR believes an instruction infringes Data Protection Laws, it will promptly notify the Controller before processing.
  • The Controller warrants that it has a lawful basis for processing Personal Data under applicable Data Protection Laws.

4. Confidentiality

  • G8KEPR ensures that persons authorised to process Personal Data are subject to a duty of confidentiality.
  • Access to Personal Data is limited to employees and contractors who need it to provide the Services.
  • G8KEPR maintains access controls and logs access to systems processing Personal Data.

5. Security Measures

  • G8KEPR implements and maintains technical and organisational measures appropriate to the risks of processing, including:
      • TLS 1.3-only transport encryption for all data in transit (TLS 1.2 explicitly disabled)
      • AES-256-GCM encryption for sensitive fields stored at rest
      • RBAC access controls on 96.3% of API endpoints
      • Per-tenant data isolation enforced at 9,299 database query points
      • 7-year tamper-evident audit trail with S3 Object Lock
      • CSRF, CSP, and timing-safe comparison controls verified by internal security audit
  • G8KEPR will notify the Controller without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data Breach.

6. Sub-processors

  • The Controller authorises G8KEPR to engage the following categories of sub-processors: cloud infrastructure providers, monitoring services, and payment processors.
  • Current sub-processors are listed at https://g8kepr.com/sub-processors (updated on a rolling basis with 30 days' notice of material changes).
  • G8KEPR imposes equivalent data protection obligations on sub-processors via written agreements.
  • G8KEPR remains liable to the Controller for the performance of sub-processors' obligations.

7. Data Subject Rights

  • G8KEPR will provide the Controller with reasonable assistance to respond to Data Subject rights requests (access, rectification, erasure, portability, restriction, objection).
  • Where G8KEPR receives a Data Subject request directly, it will promptly notify the Controller unless prohibited by law.
  • G8KEPR implements a data erasure workflow that covers primary database records, Redis cache, and associated audit metadata.

8. International Transfers

  • G8KEPR stores data in the United States. Transfers of Personal Data from the EEA, UK, or Switzerland to the United States are made subject to the Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914), incorporated herein by reference.
  • Enterprise customers requiring EU/EEA data residency may request a dedicated deployment — contact sales for availability.
  • G8KEPR will not transfer Personal Data to a third country unless adequate safeguards are in place.

9. Audit Rights

  • The Controller may audit G8KEPR's compliance with this DPA by: (a) requesting written responses to an audit questionnaire, or (b) with 30 days' prior notice, engaging a mutually agreed independent auditor at the Controller's cost.
  • G8KEPR will provide all information reasonably necessary to demonstrate compliance.
  • G8KEPR maintains SOC 2 Type II audit preparations. Evidence packages are available to enterprise customers on request.

10. Deletion and Return of Data

  • Upon termination of the subscription agreement, G8KEPR will, at the Controller's election, delete or return all Personal Data.
  • Deletion will be completed within 30 days of termination, except where retention is required by applicable law.
  • G8KEPR will provide written confirmation of deletion upon request.

11. Governing Law and Execution

  • This DPA is governed by the law stated in the underlying subscription agreement.
  • This DPA is incorporated into and forms part of the subscription agreement between G8KEPR and the Controller.
  • Enterprise and Growth plan customers can request a countersigned DPA by contacting privacy@g8kepr.com. G8KEPR targets a 5 business day turnaround.
