Data Processing Agreement
This Data Processing Agreement ("DPA") supplements and is incorporated into the Terms of Service between GIDOPAY LLC ("Processor") and the client ("Controller") engaging our AI automation services. It applies where we process personal data on behalf of the client.
1. Definitions
- "Personal Data" — any information relating to an identified or identifiable natural person.
- "Controller" — the client who determines the purposes and means of processing personal data.
- "Processor" — GIDOPAY LLC, acting on the Controller's behalf.
- "Processing" — any operation performed on personal data (collecting, storing, using, transmitting, deleting).
- "Sub-processor" — any third party engaged by the Processor to process data on behalf of the Controller.
2. Scope and Nature of Processing
The Processor will process personal data solely to deliver the agreed services as described in the relevant Statement of Work. The types of data and categories of data subjects are determined by the Controller and described in the SOW.
Typical categories may include:
- Customer contact data (names, emails, phone numbers) — for CRM automation or lead generation services.
- Behavioural data (engagement metrics, click data) — for SMM funnel and content automation.
- Business operational data (transaction records, support tickets) — for process automation.
3. Processor Obligations
The Processor agrees to:
- Process personal data only on documented instructions from the Controller.
- Ensure that persons authorised to process the data are bound by confidentiality obligations.
- Implement appropriate technical and organisational security measures.
- Assist the Controller in responding to data subject rights requests.
- Delete or return all personal data upon termination of the services (at Controller's choice) within 30 days.
- Make available all information necessary to demonstrate compliance.
- Notify the Controller without undue delay (and within 72 hours if feasible) of any personal data breach.
4. Sub-processors
The Processor currently uses the following sub-processors when delivering services. The Controller provides general authorisation for their use:
- OpenAI, L.L.C. (USA) — large language model API for AI agent functionality. OpenAI Enterprise Privacy.
- Anthropic, PBC (USA) — large language model API for AI agent functionality. Anthropic Privacy Policy.
- n8n GmbH (Germany) — workflow automation platform. n8n Privacy Policy.
- Make (Celonis SE) (Germany) — workflow automation platform. Make Privacy Notice.
- Cloudflare, Inc. (USA) — infrastructure and CDN. Cloudflare Privacy Policy.
The Processor will notify the Controller of any intended changes to sub-processors with at least 14 days' notice, giving the Controller the opportunity to object.
5. International Transfers
Where personal data is transferred to countries outside the EEA or the Controller's jurisdiction, the Processor will ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses or adequacy decisions) in accordance with applicable data protection law.
6. Security Measures
We implement measures including:
- Encryption in transit (TLS 1.2+) and at rest where feasible.
- Access controls: least-privilege principle, MFA for administrative access.
- Regular security reviews of tooling and integrations.
- Contractual security obligations with all sub-processors.
7. Controller Obligations
The Controller warrants that it has a lawful basis for sharing personal data with the Processor and that data subjects have been informed of the processing as required by applicable law.
8. Duration and Termination
This DPA remains in force for the duration of the service engagement. Upon termination, the Processor will delete or return all personal data within 30 days unless retention is required by law.
9. Governing Law
This DPA is governed by the laws of the State of Nevada, US.
10. Contact for Data Protection Matters
Email: info@gidopay.tech
GIDOPAY LLC, 400 South 4th Street, Suite 500, Las Vegas, NV 89101, US