Data Processing Agreement

Last updated: September 1, 2025

1. Purpose and Scope

This Data Processing Agreement ("DPA") governs the processing of personal data by IE Petr Guskov ("Processor") on behalf of customers ("Data Controllers") who use our AI-powered knowledge base and automated support system ("Service").

2. Definitions

For the purposes of this DPA:

  • Personal Data: Information relating to an identified or identifiable natural person
  • Data Controller: The customer who determines the purposes and means of processing personal data
  • Data Processor: IE Petr Guskov, who processes personal data on behalf of the Data Controller
  • Data Subject: The individual whose personal data is being processed
  • Processing: Any operation performed on personal data, including collection, storage, use, and deletion

3. Nature and Purpose of Processing

The Processor processes personal data for the following purposes:

  • Providing AI-powered knowledge base research capabilities
  • Delivering automated support services
  • Processing and analyzing documents for semantic search
  • Generating AI responses and recommendations
  • Maintaining and improving service functionality
  • Ensuring system security and preventing abuse

4. Categories of Data

The Processor may process the following categories of personal data:

  • Identity and Contact Data: Names, email addresses, phone numbers
  • Account Data: User credentials, account settings, preferences
  • Communication Data: Chat messages, support tickets, feedback
  • Document Content: Text and metadata from uploaded documents
  • Usage Data: Service interactions, feature usage patterns
  • Technical Data: IP addresses, device information, browser data

5. Data Subject Categories

The personal data processed may relate to:

  • Customer employees and authorized users
  • Customer clients and end-users
  • Individuals mentioned in processed documents
  • Support and communication contacts

6. Processor Obligations

The Processor shall:

  • Process personal data only in accordance with documented instructions from the Data Controller
  • Ensure confidentiality of personal data and restrict access to authorized personnel
  • Implement appropriate technical and organizational security measures
  • Not transfer personal data outside the EEA without adequate safeguards
  • Assist the Data Controller in responding to data subject requests
  • Notify the Data Controller of personal data breaches without undue delay
  • Delete or return personal data at the end of the agreement, unless retention is required by law

7. Security Measures

The Processor implements the following security measures:

  • Encryption: Data encryption in transit and at rest using industry-standard protocols
  • Access Control: Role-based access controls and multi-factor authentication
  • Network Security: Secure network architecture and firewall protection
  • Monitoring: Continuous security monitoring and incident detection
  • Regular Updates: Timely security patches and system updates
  • Staff Training: Regular security and privacy training for personnel

8. Sub-processors

The Processor may engage sub-processors for specific processing activities. Current sub-processors include:

  • Cloud Infrastructure: Google Cloud Platform (data hosting and storage)
  • AI Services: OpenAI, Anthropic (language processing and generation)
  • Analytics: Service analytics and monitoring providers

The Data Controller will be notified of any changes to sub-processors with an opportunity to object.

9. International Data Transfers

Personal data may be transferred to countries outside the EEA. The Processor ensures adequate protection through:

  • European Commission adequacy decisions
  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules
  • Certification schemes and codes of conduct

10. Data Subject Rights

The Processor will assist the Data Controller in fulfilling data subject rights, including:

  • Right of access to personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing

11. Data Breach Notification

In case of a personal data breach, the Processor will:

  • Notify the Data Controller within 24 hours of becoming aware
  • Provide detailed information about the breach
  • Implement immediate containment measures
  • Assist in breach assessment and notification to authorities
  • Cooperate in breach investigation and remediation

12. Audits and Compliance

The Data Controller may conduct audits to verify compliance with this DPA. The Processor will:

  • Provide reasonable cooperation for audits
  • Make available necessary information and documentation
  • Allow access to relevant facilities and systems
  • Address any compliance issues identified

13. Data Retention and Deletion

Personal data will be retained only as long as necessary for the agreed purposes or as required by law. Upon termination of services, the Processor will:

  • Delete or return all personal data as instructed by the Data Controller
  • Provide certification of deletion when requested
  • Securely dispose of any physical media containing personal data

14. Liability and Indemnification

Each party shall be liable for damages caused by its violation of this DPA or applicable data protection law. The Processor will indemnify the Data Controller against claims arising from the Processor's non-compliance with this DPA.

15. Term and Termination

This DPA remains in effect for the duration of the service agreement. Either party may terminate this DPA with written notice if the other party materially breaches its obligations.

16. Contact Information

For questions regarding this Data Processing Agreement or to report data protection concerns, please contact:

IE Petr Guskov
Data Protection Officer
Merab Kostava 26 4
Tbilisi, 0105
Georgia

Email: pguskov@directflowlabs.com
Phone: +34 656612862