Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Master Services Agreement between The Extreme AI, Inc. and the Client identified in the applicable Statement of Work, and governs the processing of personal data under that engagement.
Effective date: This DPA becomes effective upon execution of a Statement of Work or, for website users, upon acceptance of our Terms of Service.
- Definitions
- Scope and Applicability
- Roles and Responsibilities
- Processing Details
- Processor Obligations
- Technical and Organizational Measures
- Subprocessors
- Cross-Border Data Transfers
- Data Subject Rights
- Data Breach Notification
- Audit Rights
- Data Return and Deletion
- Duration and Termination
- Execute a Signed DPA
1. Definitions
| Term | Definition |
|---|---|
| "Controller" | The entity that determines the purposes and means of processing personal data. In most engagements, this is the Client. |
| "Processor" | The entity that processes personal data on behalf of the Controller. In most engagements, this is The Extreme AI. |
| "Personal Data" | Any information relating to an identified or identifiable natural person, as defined under applicable data protection law (including GDPR and CCPA). |
| "Processing" | Any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion. |
| "Data Subject" | The natural person to whom Personal Data relates. |
| "GDPR" | The EU General Data Protection Regulation (Regulation (EU) 2016/679) and, as applicable, the UK GDPR. |
| "CCPA" | The California Consumer Privacy Act (Cal. Civ. Code §1798.100 et seq.), as amended by the CPRA. |
| "SCCs" | Standard Contractual Clauses for the transfer of personal data to third countries, as approved by the European Commission. |
2. Scope and Applicability
This DPA applies when The Extreme AI processes Personal Data as a Processor on behalf of a Client (Controller) in the course of delivering AI automation consulting and deployment services. It supplements and is incorporated into the applicable Statement of Work.
Where applicable, this DPA also covers: (a) data processed when prospective clients interact with our website; and (b) data processed in the course of providing the AI Diagnostic, including workflow documentation and business data shared during the 14-day assessment.
3. Roles and Responsibilities
The Client is the Controller of Personal Data it provides to The Extreme AI or that The Extreme AI accesses in the course of the engagement. The Extreme AI is the Processor.
The Extreme AI will process Personal Data only on documented instructions from the Client, unless required by applicable law. If The Extreme AI determines that Client instructions violate applicable data protection law, it will promptly notify the Client.
In limited circumstances (e.g., for website analytics or internal billing), The Extreme AI may act as a Controller of its own data collection. This DPA governs only The Extreme AI's role as a Processor acting on Client's behalf.
4. Processing Details
Subject Matter
AI agent development, deployment, and automation services, including workflow analysis, system integration, and agent operation as specified in the SOW.
Duration
The term of the applicable SOW, plus any post-engagement data retention period required by law or specified in the SOW.
Nature of Processing
Collection, storage, analysis, transformation, and automated processing of Client business data via AI agents and integration pipelines. This may include read/write access to CRM systems, communication platforms, databases, and document repositories as specified in the SOW.
Purpose
Delivering the automation outcomes specified in the Statement of Work. Personal Data will not be used for any purpose beyond those documented in the SOW.
Categories of Personal Data
May include, depending on the engagement scope:
- Business contact information (name, email, phone, job title) of Client's customers and employees
- Transaction and financial data processed by automated workflows
- Communication data (email content, call transcripts) where agents automate outreach or support
- Operational data (scheduling, task assignment, workflow status)
- Any other categories specified in the SOW Annex
Categories of Data Subjects
Client's customers, prospects, employees, contractors, and other individuals whose data is processed through Client's systems in the scope of the engagement.
5. Processor Obligations
The Extreme AI agrees to:
- Process Personal Data only on documented Client instructions and not for any other purpose
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement and maintain appropriate technical and organizational security measures (see Section 6)
- Assist the Client in responding to data subject requests (see Section 9)
- Assist the Client with Data Protection Impact Assessments (DPIAs) where required under GDPR Article 35
- Delete or return Personal Data upon termination of the engagement (see Section 12)
- Provide the Client with all information necessary to demonstrate compliance with this DPA
- Notify the Client without undue delay upon becoming aware of a personal data breach (see Section 10)
6. Technical and Organizational Measures
The Extreme AI implements the following measures to ensure appropriate security of Personal Data:
Organizational Measures
- Designated data protection point of contact with responsibility for compliance oversight
- Annual employee data protection training
- Need-to-know access: Personal Data accessible only to personnel who require it for their specific role
- Vendor due diligence for all subprocessors
- Documented incident response procedures with defined escalation paths
Technical Measures
- AES-256 encryption for data at rest; TLS 1.3 for data in transit
- Multi-factor authentication for all systems that access Personal Data
- Role-based access controls with least-privilege enforcement
- Automated PII detection and masking in agent logs
- Tamper-evident audit logging of all Personal Data access events
- Annual penetration testing and vulnerability assessments
- SOC 2 Type II compliance — reports available upon request under NDA
A full description of current technical and organizational measures is available in our Security & Compliance documentation.
7. Subprocessors
The Extreme AI engages the following categories of subprocessors to assist in delivering services. All subprocessors are bound by data processing obligations consistent with this DPA.
| Subprocessor | Purpose | Data Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and compute | US / EU (configurable) |
| Google Cloud Platform (GCP) | Cloud infrastructure and compute | US / EU (configurable) |
| Microsoft Azure | Cloud infrastructure (optional) | US / EU (configurable) |
| Anthropic | AI model inference (Claude) | US — zero data retention |
| OpenAI | AI model inference (GPT) | US — zero data retention |
| Supabase | Database (client portal) | US-East |
| Google Workspace | Internal collaboration and email | US |
| Calendly | Scheduling (booking page only) | US |
| Stripe | Payment processing | US |
The Extreme AI will notify the Client at least 30 days in advance of adding a new subprocessor or making material changes to existing subprocessors. Client may object to a new subprocessor within 14 days of notification. If The Extreme AI cannot accommodate the objection, Client may terminate the affected portion of the engagement for cause.
8. Cross-Border Data Transfers
Where the Client is located in the EU or UK, or where the engagement involves processing of EU/UK Personal Data:
- Personal Data may be transferred to the United States or other third countries only in accordance with applicable transfer mechanisms.
- Standard Contractual Clauses (SCCs): The Extreme AI relies on SCCs approved by the European Commission (Commission Implementing Decision 2021/914) as the primary transfer mechanism for EU-to-US data transfers. Upon request, we will execute the relevant SCC modules with the Client.
- UK Transfer Mechanism: For UK Personal Data, we rely on the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs.
- EU-Region Hosting: Clients requiring EU-only data residency may request EU-region cloud infrastructure at no additional charge (subject to availability).
9. Data Subject Rights
As Processor, The Extreme AI will assist the Client (Controller) in fulfilling its obligations to respond to data subject requests, including requests to:
- Access personal data held about them
- Correct inaccurate personal data
- Delete personal data ("right to erasure")
- Restrict processing
- Receive personal data in a portable format
- Object to processing
Upon receiving a data subject request that relates to Client's Personal Data, The Extreme AI will: (a) not respond directly to the data subject without Client authorization; (b) forward the request to Client within 48 hours; (c) provide technical assistance to help Client respond within the applicable legal timeframe (one month under GDPR Article 12(3), extendable by up to two further months for complex or numerous requests; 45 days under CCPA, extendable once by a further 45 days where reasonably necessary).
10. Data Breach Notification
In the event of a personal data breach (a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data), The Extreme AI will:
- Notify the Client without undue delay and in no case later than 48 hours after becoming aware of the breach
- Provide: (a) a description of the nature of the breach; (b) categories and approximate number of data subjects and records concerned; (c) likely consequences of the breach; (d) measures taken or proposed to address the breach
- Cooperate with Client's investigation and remediation efforts
- Document all breaches, their effects, and remediation actions
The Client remains responsible for notifying relevant supervisory authorities and data subjects as required by applicable law (under GDPR Article 33, a Controller must notify the competent supervisory authority within 72 hours of becoming aware of a notifiable breach; the 48-hour processor notification window above is intended to leave the Client time to make that assessment). The Extreme AI will provide all information and assistance necessary to support such notifications.
11. Audit Rights
The Extreme AI will, upon reasonable written notice (minimum 14 days), allow Client or Client's designated auditor to audit The Extreme AI's data processing activities to verify compliance with this DPA. Such audits may include:
- Review of documentation, policies, and procedures related to Personal Data processing
- Inspection of technical and organizational security measures
- Review of audit logs relevant to Client's Personal Data
Audits are limited to once per year unless there has been a data breach or reasonable evidence of non-compliance. The Client is responsible for the cost of any third-party auditor. The Extreme AI may satisfy audit obligations by providing its current SOC 2 Type II report.
12. Data Return and Deletion
Upon termination or expiration of the engagement, or upon written request from Client, The Extreme AI will:
- Return all Personal Data to the Client in a structured, machine-readable format (CSV, JSON, or as otherwise agreed) within 30 days
- Delete all remaining copies of Personal Data from The Extreme AI systems within 60 days of the return, except where retention is required by applicable law
- Provide written certification of deletion upon Client's request
- Instruct subprocessors to delete Personal Data in the same timeframe
Certain data may be retained beyond these periods where required by: (a) applicable law (e.g., financial records); (b) legal proceedings; or (c) legitimate security monitoring purposes (e.g., audit logs, subject to automatic deletion schedules).
13. Duration and Termination
This DPA remains in effect for the duration of the engagement to which it applies, and until all Personal Data has been returned or deleted in accordance with Section 12.
This DPA terminates automatically upon termination of the applicable SOW, subject to survival provisions for data return/deletion obligations (Section 12), breach notification obligations (Section 10), and confidentiality obligations.
14. Execute a Signed DPA
This webpage provides the standard DPA terms. For clients requiring a formally executed, countersigned DPA document (e.g., for GDPR compliance records or enterprise procurement requirements), we provide a PDF version for bilateral execution.
To request a signed DPA:
- Email info@theextremeai.com with subject line: "DPA Execution Request"
- Include: your company name, registered address, and the name of your Data Protection Officer or legal contact
- We will return a countersigned copy within 3 business days
We can execute a DPA before any sensitive discussion begins. Email us at info@theextremeai.com — we are NDA-ready and DPA-ready from day one.