Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between Onpilot AI ("Processor") and the customer ("Controller") who has agreed to the Onpilot AI Terms of Service (the "Agreement"). This DPA applies to the extent that Onpilot AI processes Personal Data on behalf of the Controller in providing the Services.

1. Scope & Applicability

This DPA applies when Onpilot AI processes Personal Data on behalf of the Controller under the Agreement. It supplements the Agreement and applies to the extent required by applicable Data Protection Laws, including but not limited to the EU General Data Protection Regulation (GDPR), the UK GDPR, and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to matters relating to the processing of Personal Data.

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Onpilot AI in connection with the Services.
"Controller" means the entity that determines the purposes and means of processing Personal Data.
"Processor" means Onpilot AI, which processes Personal Data on behalf of the Controller.
"Sub-Processor" means any third party engaged by Onpilot AI to process Personal Data on behalf of the Controller.
"Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the GDPR, UK GDPR, and DPDPA.
"Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.

3. Processing Details

Subject matter and purpose

Onpilot AI processes Personal Data to provide the AI agent platform Services as described in the Agreement.

Categories of data subjects

Controller's employees and authorized users of the Services.
End users who interact with agents deployed by the Controller.

Types of Personal Data

Account information (name, email, company).
Conversation data between end users and agents.
Usage data and analytics.
Any Personal Data included in content uploaded by the Controller for agent training and configuration.

Duration of processing

Processing continues for the duration of the Agreement plus any retention period required by law or specified in our Privacy Policy.

4. Processor Obligations

Onpilot AI shall:

Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law.
Ensure that persons authorized to process Personal Data are subject to confidentiality obligations.
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
Assist the Controller in ensuring compliance with its obligations regarding security, breach notification, impact assessments, and consultation with supervisory authorities.
Not engage a Sub-Processor without prior written authorization from the Controller, as detailed in Section 6.
Upon termination, delete or return all Personal Data as specified in Section 11.

5. Data Subject Rights

Onpilot AI shall assist the Controller in responding to requests from Data Subjects exercising their rights under applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.

If Onpilot AI receives a request directly from a Data Subject, we will promptly notify the Controller and will not respond to the request without the Controller's instructions unless legally required to do so.

6. Sub-Processors

The Controller provides general authorization for Onpilot AI to engage the following Sub-Processors:

Sub-Processor	Purpose	Location
Amazon Web Services (AWS)	Cloud infrastructure, data storage, and compute	Global (primary: us-east-1)
Cloudflare	CDN, DDoS protection, DNS, and edge caching	Global
Stripe	Payment processing and billing	United States
Resend	Transactional email delivery	United States

Onpilot AI will notify the Controller of any intended changes to Sub-Processors at least 30 days in advance, providing the Controller with an opportunity to object. If the Controller objects on reasonable grounds related to data protection, the parties will discuss the concern in good faith. If no resolution is reached, the Controller may terminate the affected Services.

Onpilot AI shall impose data protection obligations on each Sub-Processor that are no less protective than those in this DPA.

7. International Data Transfers

To the extent that Personal Data is transferred outside the EEA/UK, Onpilot AI shall ensure that appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision 2021/914).
UK International Data Transfer Agreement or Addendum, as applicable.
Any other transfer mechanism approved under applicable Data Protection Laws.

8. Security Measures

Onpilot AI implements the following technical and organizational measures:

Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
Network segmentation and firewall protections.
Role-based access control (RBAC) with the principle of least privilege.
Multi-factor authentication for administrative access.
Regular vulnerability assessments and penetration testing.
Automated monitoring, logging, and alerting for security events.
Business continuity and disaster recovery procedures.
Employee security training and confidentiality agreements.

For further details, see our Security page.

9. Breach Notification

Onpilot AI shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach. The notification shall include:

A description of the nature of the breach.
The categories and approximate number of Data Subjects and records concerned.
A description of the likely consequences.
The measures taken or proposed to address the breach and mitigate its effects.

Onpilot AI shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

10. Audit Rights

Onpilot AI shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller.

Audits shall be conducted with reasonable notice (at least 30 days), during normal business hours, and at the Controller's expense. Onpilot AI may require the auditor to execute a reasonable confidentiality agreement before conducting the audit.

11. Data Deletion

Upon termination of the Agreement, Onpilot AI shall, at the Controller's choice:

Delete all Personal Data processed on behalf of the Controller within 30 days; or
Return all Personal Data to the Controller in a commonly used, machine-readable format within 30 days.

Onpilot AI may retain Personal Data to the extent required by applicable law, in which case the data protection obligations in this DPA continue to apply.

12. Term & Termination

This DPA takes effect on the date the Controller agrees to the Agreement and remains in effect for the duration of the Agreement. The obligations under this DPA survive termination to the extent Onpilot AI continues to process Personal Data on behalf of the Controller.

Contact

For DPA-related inquiries, data subject requests, or to exercise audit rights, please contact:

Email: info@onpilot.ai
Company: Onpilot AI
Address: Toronto, Ontario, Canada