Menu
Sign in Create workspace

Ailistair Data Processing Addendum

This Data Processing Addendum (“DPA”) supplements the Terms of Service and applies when Customer Data includes personal data governed by the GDPR, UK GDPR, CCPA, or similar laws. Capitalized terms not defined here have the meanings given in the Terms.

1. Roles & Scope

Ailistair acts as a processor (and where applicable, sub-processor) of Customer Data. Customer acts as controller or processor, as determined by applicable law. This DPA applies to processing of personal data submitted, stored, or generated through the Services.

2. Processing Instructions

Ailistair processes Customer Data only in accordance with documented instructions provided through the Terms, this DPA, and Customer’s configuration of guardrails, knowledge sources, and tools. If we are required by law to process data beyond Customer’s instructions, we will notify Customer unless prohibited.

3. Confidentiality & Security

  • Ailistair ensures that personnel authorized to process Customer Data are bound by confidentiality obligations.
  • We maintain technical and organizational measures including encryption in transit, network segregation, access controls, logging, and regular security assessments.
  • Customer is responsible for configuring guardrails, managing access credentials, and enforcing least-privilege policies for its end users.

4. Sub-processors

Customer authorizes Ailistair to engage sub-processors listed in Annex A (e.g., Microsoft Azure, Stripe, Mailgun, Twilio, OpenAI). We will provide notice of changes via dashboard or email and allow Customer to object on reasonable grounds. If unresolved, Customer may terminate the affected Services.

5. Data Subject Requests

Ailistair will assist Customer in responding to requests from data subjects (e.g., access, deletion, portability) by providing tooling or reasonable cooperation. If we receive a request directly, we will forward it to Customer unless prohibited by law.

6. Security Incidents

In the event of a confirmed personal data breach, Ailistair will notify Customer without undue delay, include relevant details, and support Customer’s compliance with breach obligations. Notifications will be sent to the primary account owner or security contact on file.

7. Data Transfers

When Customer Data is transferred outside the EEA, UK, or Switzerland, Ailistair relies on approved transfer mechanisms such as the EU Standard Contractual Clauses (Module 2) and UK Addendum. Sub-processors are bound by equivalent safeguards.

8. Audits & Compliance

Upon reasonable written request and subject to confidentiality obligations, Ailistair will make available information necessary to demonstrate compliance with this DPA and allow for audits by Customer or an independent auditor. Audits may occur once per 12-month period and must not disrupt operations.

9. Return & Deletion

Upon termination or expiry of the Services, Customer may export Customer Data via available tooling. After 30 days Ailistair will delete Customer Data from active systems, except where retention is required by law or for dispute resolution.

10. Liability

The parties’ aggregate liability under this DPA is subject to the limitations set out in the Terms of Service.

Annex A – Authorized Sub-processors

  • Microsoft Azure – Application hosting, databases, storage (EU & US regions).
  • OpenAI – Model inference, embeddings, tool orchestration.
  • Stripe – Payment processing, invoicing, customer portal.
  • Mailgun – Transactional email delivery and logs.
  • Twilio – SMS notifications (optional, invitation flows).
  • Raygun / Application Insights – Error monitoring and diagnostics (anonymized telemetry).

Questions about this DPA? Email legal@ailistair.com or write to Dotfo ApS, Gunnar Clausens Vej 68, 8260 Viby J, Denmark. We can execute a signed copy upon request.

Last updated: November 30, 2025