Legal & Trust

Data Processing Addendum (DPA)

Last updated: April 25, 2026

A Data Processing Addendum (DPA) is the contract that governs how we process personal data on your behalf under GDPR, the UK GDPR, the California Consumer Privacy Act (CCPA), and similar privacy laws. Most AI2BI Hub customers benefit from having a DPA in place — it’s usually free to execute and takes a few business days.

1. What the DPA is

Our DPA is an addendum to your subscription agreement. It does not change pricing or functionality; it formalises the data-protection commitments we make as your data processor (or sub-processor, where you are processing third-party data inside our platform). Standard Contractual Clauses (SCCs) are appended where international transfers apply.

2. Who needs one

  • You handle personal data of EU, UK, or Swiss residents → DPA + SCCs.
  • You handle personal data of California residents → DPA covers the CCPA service-provider obligations.
  • You are subject to a security/privacy review during procurement → DPA is usually required.
  • You are an enterprise customer with an internal data-protection policy → DPA on file is best practice.

If your data is purely your own business operational metrics (e.g., AWS cost data with no personal data), a DPA isn’t strictly required, but we can still execute one if your procurement team prefers it.

3. What our DPA covers

  • Roles. You are the data controller; AI2BI Hub (CostTrail Inc.) is the data processor for Customer Data, sub-processor for end-user data passing through your tenant.
  • Processing scope. Limited to what is needed to deliver the Service. We never process your data for our own marketing, profiling, or model training.
  • Sub-processors. Listed at /legal/subprocessors. You receive 30 days' advance notice of changes and may object on reasonable grounds.
  • International transfers. EU Standard Contractual Clauses (Module 2: controller-to-processor) appended for transfers from the EEA / UK / Switzerland to the US. UK addendum included where applicable.
  • Security. Technical and organisational measures: encryption at rest (AES-256, AWS KMS), TLS 1.2+ in transit, access controls, audit logging, incident response. Full list at /legal/data-handling.
  • Data subject rights. We assist you in fulfilling GDPR/CCPA access, deletion, correction, and portability requests within 30 days.
  • Breach notification. We notify you within 72 hours of confirming a Personal Data Breach affecting your data, consistent with GDPR Article 33.
  • Data deletion. On termination or written request, we delete or return Customer Data within 90 days, except where applicable law requires retention.
  • Audits. Right to audit our compliance once per year (or more often after a Security Incident), via a mutually agreed independent auditor or by accepting our most recent SOC 2 / similar report.

4. How to request a signed DPA

Email legal@ai2bihub.com with the subject “DPA request” and include:

  • Your company’s legal name and address
  • Signatory name and title
  • Whether SCCs (Module 2 / 3) and/or the UK addendum are needed
  • Any in-house DPA template you’d like us to review (we typically agree on our standard template, but we’ll review redlines)

Typical turnaround: 1–3 business days for our standard template, 1–2 weeks for material redlines. Copies are countersigned via DocuSign.

Heads up: Our standard DPA template is currently being finalised by counsel (Mamadou Bah). If you need a DPA right now, email legal@ai2bihub.com and we’ll send the working draft for your review while the final template lands.