This Data Processing Addendum ('DPA') supplements our Terms of Service when AI Detectors, Inc. processes Personal Data on behalf of a Customer that is a controller under GDPR or an equivalent regime. It is incorporated into the Terms automatically - no separate signature is required.
1. Roles
Customer is the controller. AI Detectors, Inc. is the processor with respect to Personal Data uploaded into scans or stored in the Customer account.
Where AI Detectors acts as a controller (e.g. for billing data), our Privacy Policy applies.
2. Subprocessors
Stripe - billing, US/EU.
Resend - transactional email, US.
Cloudflare - CDN, global.
Vercel - hosting, US/EU.
We provide 30 days' notice of any new subprocessor at /dpa/subprocessors. Customer may object in writing.
3. Security measures
TLS 1.3 in transit. AES-256 at rest. Bcrypt password hashing.
Access to production data is limited to engineers on the on-call rotation. Every access is logged.
SOC 2 Type II in progress, target completion Q4 2026.
4. Breach notification
We will notify Customer of any confirmed Personal Data breach affecting Customer data within 72 hours of detection.
Notifications include scope, affected data categories, mitigation steps and a contact for follow-up.
5. Audit rights
Customer may request our most recent SOC 2 report and penetration test summary once per year on reasonable notice.
Customers on the Business plan may request additional audit support, subject to a reasonable cost-recovery fee.
6. International transfers
Transfers between the EU and the US rely on Standard Contractual Clauses (SCCs) Module Two (controller to processor) and supplementary measures.
Transfers from the UK rely on the UK International Data Transfer Addendum.
7. Termination
On termination of the Customer account, we delete or return Personal Data within 30 days, except as required by law.
8. Contact
Privacy: privacy@ai-detectors.io