Data Processing Agreement

1. Roles and scope

For Customer Content that contains personal data, the customer is the Controller (or a processor acting for its own customers) and alexich.ai is the Processor. We process such personal data only to provide the Service and on the documented instructions of the Controller, including as set out in the Terms, this DPA, and the Controller's use of the Service.

2. Subject matter and details of processing

• Subject matter: provision of the alexich.ai AI development-team platform.
• Duration: the term of the customer's use of the Service, plus any retention period described in the Privacy Policy.
• Nature and purpose: hosting, storing, transmitting, and processing Customer Content to run agents and produce Output.
• Types of data: account identifiers, project and ticket content, code, prompts, and any personal data the Controller chooses to include in Customer Content.
• Categories of data subjects: the Controller's users, personnel, and any individuals referenced in Customer Content.

3. Processor obligations

• Process personal data only on documented instructions from the Controller, unless required by law (in which case we will inform the Controller unless prohibited).
• Ensure persons authorized to process personal data are bound by confidentiality.
• Implement appropriate technical and organizational measures as described in Section 5.
• Assist the Controller, taking into account the nature of processing, in responding to data-subject requests and in meeting its security, breach-notification, and impact-assessment obligations.
• At the Controller's choice, delete or return personal data at the end of the provision of services, subject to legal retention requirements.
• Make available information necessary to demonstrate compliance and allow for and contribute to audits, subject to reasonable confidentiality and security conditions.

4. Sub-processors

The Controller provides general authorization for alexich.ai to engage sub-processors to provide the Service. We maintain a current list on our Sub-processors page and will give notice of intended changes so the Controller may object on reasonable grounds. We impose data-protection obligations on sub-processors that are no less protective than those in this DPA and remain responsible for their performance.

5. Security measures

We maintain measures appropriate to the risk, including: encryption of data in transit; encryption of sensitive secrets at rest; role-based access controls and least-privilege access; isolated, ephemeral execution sandboxes for agent runs; logging and monitoring; and regular review of our security practices.

6. Personal data breaches

We will notify the Controller without undue delay after becoming aware of a personal data breach affecting Customer Content, and will provide information reasonably available to help the Controller meet its own notification obligations.

7. International transfers

Where processing involves transfers of personal data outside the EEA, UK, or other restricted jurisdictions, we rely on an appropriate transfer mechanism, such as the Standard Contractual Clauses, which are incorporated by reference where applicable.

8. AI model providers

To produce Output, Customer Content may be transmitted to AI model providers acting as sub-processors. We engage providers that, by default, do not use API-submitted data to train their models. Where the Controller configures its own model provider key, the Controller is responsible for its relationship with that provider.

9. Liability and precedence

Each party's liability under this DPA is subject to the limitations in the Terms. If there is a conflict between this DPA and the Terms regarding the processing of personal data, this DPA prevails.

10. Contact

For DPA requests, including a countersigned copy where required, contact privacy@alexich.ai.