Data Processing Agreement
This Data Processing Agreement (DPA) supplements any agreement in place between Client and RAIDS covering Client’s use of RAIDS Services and related services (the Agreement).
Unless otherwise defined in this DPA or in the Agreement, all capitalised terms used in this DPA will have the meanings given to them in Section 1 of this DPA.
Scope, Term, and Definitions
Definitions.
“Applicable Data Protection Law” means all laws applicable to the processing of Personal Data under the Agreement.
“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Client Personal Data” means Personal Data contained in Client Data that RAIDS Processes under the Agreement solely on behalf of Client.
“Personal Data” means information about an identified or identifiable natural person, or which otherwise constitutes “personal data”, “personal information”, “personally identifiable information” or similar terms as defined in Applicable Data Protection Law.
“Processing” (and “Process”) means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
“Sub-processor” means any third party (including RAIDS Affiliates) engaged by RAIDS to Process Client Personal Data.
“Transformed Data” means numerical, vectorised, aggregated, or otherwise derived representations of Client Personal Data created by the Company for analytical purposes, which do not identify the Client or any individual and cannot be reverse engineered into the original Client Personal Data.
Roles of the Parties
- Client Personal Data: RAIDS will Process Client Personal Data as Client’s Processor in accordance with Client’s instructions as outlined in Section 2.1 (Client Instructions).
- RAIDS will function as Data Controller for Personal Data Processing outlined in its Privacy Policy. This may include usage and Client account data.
- Description of the Processing: Details regarding the Processing of Personal Data by RAIDS are stated in Schedule 1.
- Term of the DPA: The term of this DPA is the term of the Agreement and terminates upon expiration or earlier termination of the Agreement (or, if later, the date on which RAIDS ceases all Processing of Client Personal Data).
- Client Personal Data: as defined in this clause, contained or integrated in Client data that RAIDS Processes under the Agreement on behalf of Client.
- Client Responsibilities: Client acknowledges and agrees that, in its capacity as Controller, it is solely responsible for ensuring that the Client Personal Data, including any special categories of Personal Data, is collected, transferred, and disclosed to RAIDS in accordance with Applicable Data Protection Law. Client represents and warrants that it has established all necessary lawful bases under Articles 6 and 9 of the GDPR for the Processing of such data by RAIDS as Processor under the Agreement.
Processing of Personal Data
- Client Instructions: RAIDS must Process Client Personal Data in accordance with the documented lawful instructions of Client, as necessary to (i) provide Services, or other RAIDS services, and related Support and Advisory Services to Client and enable the use of various features and functionalities of RAIDS; (ii) transform Client Personal Data into Transformed Data for analytical purposes; (iii) use only Transformed Client Data and non-content user indicators (such as “agree” / “disagree”) to train, tune, or improve the Company’s AI models, the AI Monitoring System, and underlying detection or analytical models; (iv) investigate security incidents; (v) enforce the Agreement and any applicable policies, including the Acceptable Use Policy; (vi) carry out any other Processing expressly permitted under the Agreement or required by Applicable Data Protection Law; and/or (vii) comply with its legal obligations.
- RAIDS will notify Client if it becomes aware, or reasonably believes, that Client’s instructions violate Applicable Data Protection Laws, including the General Data Protection Regulation (GDPR).
Security
- Security Measures: RAIDS has implemented and will maintain appropriate technical and organisational measures designed to protect the security, confidentiality, integrity, and availability of Client data and protect against security incidents.
- Client is responsible for configuring RAIDS Services and using features and functionalities made available by RAIDS to maintain appropriate security in light of the nature of Client Data. RAIDS’s current technical and organisational measures include:
- Automated Evaluation with No Routine Human Access: Input/output data Processed by the system is stored to support automated evaluation only. There is no routine human review of such data. The Processor’s systems are designed for autonomous operation without human intervention in data analysis. Technical access by personnel is possible but strictly controlled and monitored in compliance with clause 3.2.2.
- Controlled and Permissioned Access: Only limited and documented human access to Client Personal Data, including input/output data, may occur, and solely (i) to respond to participant feedback; (ii) to produce AI safety reports; or (iii) to comply with applicable laws. Any such access is granted strictly on a need-to-know basis, subject to internal authorisation and permission controls, confidentiality obligations, and audit logging.
- Permissioned Access during Beta Features and Services: Without limiting clause 3.2.2, RAIDS personnel may access and review Customer Personal Data in connection with Beta Features and Services strictly to respond to Customer support requests or feedback, or to deliver specific elements of the Services such as preparation of AI safety or performance reports. Any such access shall be limited to authorised individuals with a demonstrable need to know and shall occur solely for documented and lawful purposes related to service delivery, subject to internal controls and confidentiality safeguards.
- Data Minimisation, Temporary Processing, and Numerical Representation: RAIDS Processes Client Personal Data through different technical pathways depending on the functionality used within the Service:
- Certain Client Personal Data submitted to the Service is automatically transformed into Transformed Client Data for analytical purposes. Where the Service does not require the Client Personal Data in its original form after such transformation, RAIDS deletes the original form and retains only the Transformed Client Data.
- Where the Service requires Client Personal Data to remain available in its original form, such as to enable display, evaluation, auditability, or user review as part of the Service, that data is Processed to provide, operate, maintain, and support the Service. RAIDS retains that original form for the duration of the Agreement. Client Personal Data retained in its original form is Processed to provide, operate, maintain, and support the Service and is not used to train, tune, or improve RAIDS’ models.
- Only Transformed Client Data and non-content user indicators (such as agree or disagree) may be used by RAIDS to train, tune, or improve the AI Monitoring System, RAIDS’ AI models, and any underlying detection or analytical systems. RAIDS does not use Client Personal Data in its original form for model training.
- Confidentiality of Personnel: The Processor shall ensure that all persons authorised to Process Personal Data on its behalf have committed themselves to confidentiality. RAIDS ensures that any person acting under its authority who is authorised to Process Client Personal Data has entered into a written confidentiality agreement or is under a statutory obligation of confidentiality. Such confidentiality obligations shall survive the termination of that person’s employment or engagement.
- RAIDS may update or modify all applicable security measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the RAIDS Services during the applicable term.
- Security Incidents: RAIDS must notify Client without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware of a security incident, including any breach of security that leads or may lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Client Data Processed by RAIDS and/or its Sub-processors.
RAIDS must make reasonable efforts to identify the cause of the security incident, mitigate the effects, and remedy the cause to the extent within RAIDS’s reasonable control. Upon Client’s request and taking into account the nature of the Processing and the information available to RAIDS, RAIDS must assist Client by providing information reasonably necessary for Client to meet its security incident notification obligations under Applicable Data Protection Law. RAIDS’s notification of a security incident is not and shall not be taken as an acknowledgment by RAIDS of its fault or liability.
Sub-processing
- General Authorisation: By entering into this DPA, Client provides general authorisation for RAIDS to engage Sub-processors to Process Client Personal Data. RAIDS must: (i) enter into a written agreement with each Sub-processor imposing data protection terms that require the Sub-processor to protect Client Personal Data to the standard required by Applicable Data Protection Law and to the same standard provided by this DPA; and (ii) remain liable to Client if such Sub-processor fails to fulfill its data protection obligations with regard to the relevant Processing activities under the Agreement.
- Notice of New Sub-processors: The list of current Sub-processors may be made available to the Client upon request via email at info@raidsai.ai, and RAIDS will notify Client of any intended changes at least 30 days in advance by email or posting online.
- Objection to New Sub-processors: Client may object to RAIDS’s appointment of a new Sub-processor during a 30-day notice period after the Sub-processor has been notified either via email or posting online. If Client objects, Client, as its sole and exclusive remedy, may terminate the applicable order for the affected service and related Support and Advisory Services by written notice.
Assistance and Cooperation Obligations
- Data Subject Rights: Taking into account the nature of the Processing, RAIDS must provide reasonable and timely assistance to Client to enable Client to respond to requests for exercising a data subject’s rights (including rights of access, rectification, erasure, restriction, objection, and data portability) in respect to Client Personal Data.
- Cooperation Obligations: Upon Client’s reasonable request, and taking into account the nature of the Processing, RAIDS will provide reasonable assistance to Client in fulfilling Client’s obligations under Applicable Data Protection Law (including data protection impact assessments and consultations with regulatory authorities), provided that Client cannot reasonably fulfill such obligations independently using information made available by RAIDS in its documentation.
- Third Party Requests: Unless prohibited by Law, RAIDS will promptly notify Client of any valid, enforceable subpoena, warrant, or court order from law enforcement or public authorities compelling RAIDS to disclose Client Personal Data.
- In the event that RAIDS receives an enquiry or a request for information from any other third party (such as a regulator or data subject) concerning the Processing of Client Personal Data, RAIDS will redirect such enquiries to Client, and will not provide any information unless required to do so under applicable law.
- Personal Data Breach: Processor shall notify Client without undue delay upon Processor becoming aware of a Personal Data breach affecting Client Personal Data, providing Client with sufficient information to allow the Client to meet any obligations to report or inform data subjects of the Personal Data breach under the Applicable Data Protection Laws. Processor shall co-operate with the Client and take reasonable commercial steps as are directed by Client to assist in the investigation, mitigation and remediation of each such Personal Data breach.
Deletion and Return of Client Personal Data
- During any applicable subscription term under the Agreement, the Client may access and retrieve Client Personal Data through the features of the RAIDS Services. Clients may delete their account, upon which all Client Personal Data associated with the account will be permanently deleted.
- Post Termination. Following expiration or termination of the Agreement, RAIDS must delete all Client Personal Data. Notwithstanding the foregoing, RAIDS may retain Client Personal Data (i) as required by Applicable Data Protection Law or (ii) in accordance with its standard backup or record retention policies, provided that, in either case, RAIDS will maintain the confidentiality of, and otherwise comply with the applicable provisions of this DPA with respect to retained Client Personal Data and not further Process it except as required by Applicable Data Protection Law.
- RAIDS may also retain and use de-identified or aggregated Client Personal Data beyond the Term for as long as necessary to maintain, develop, and improve the Service and its detection models, provided that such retained data no longer identifies the Client or any individual and does not constitute Personal Data under Applicable Data Protection Law.
Audit
- Audit Reports: RAIDS will make available to the Client, on the condition that Client has entered into an applicable non-disclosure agreement with RAIDS, the information necessary to demonstrate compliance with its obligations as processor and will allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller during reasonable business hours, which do not disrupt RAIDS’s normal operation.
- On-site Audits. Only to the extent Client cannot reasonably satisfy RAIDS’s compliance with this DPA through the exercise of its rights under Section 7.1 above, or where required by Applicable Data Protection Law or a regulatory authority, Client, or its authorised representatives, may, at Client’s expense, conduct audits (including inspections) during the term of the Agreement to assess RAIDS’s compliance with the terms of this DPA. Any audit must (i) be conducted during RAIDS’s regular business hours, with reasonable advance written notice; (ii) be subject to reasonable confidentiality controls obligating Client (and its authorised representatives) to keep confidential any information disclosed that, by its nature, should be confidential; (iii) occur no more than once every twelve (12) months; and (iv) restrict its findings to only information relevant to Client.
International Provisions
RAIDS shall Process Personal Data protected under Applicable Data Protection Laws in any jurisdiction outside the European Economic Area (EEA), whether directly or via onward transfer, only in compliance with the applicable provisions of the GDPR. Such transfers shall be based on:
- an adequacy decision issued by the European Commission pursuant to Article 45 of the GDPR; or
- appropriate safeguards, including the Standard Contractual Clauses adopted by the European Commission under Article 46 of the GDPR, subject in each case to any jurisdiction-specific transfer impact assessment or supplementary measures required under applicable EU data protection law and guidance from competent supervisory authorities. RAIDS and its Sub-processors shall enter into the latest version of the Standard Contractual Clauses adopted by the European Commission.
Contact Point
RAIDS has appointed a designated point of contact for data protection matters with appropriate expertise and authority to handle enquiries related to the Processing of Personal Data. RAIDS shall make the contact details of such individual available to the Client upon request.
Liability
Each party’s liability arising out of or relating to this DPA (including its Schedules) shall be subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA shall increase either party’s liability or create any new liabilities not already provided for in the Agreement.
Schedule 1
Description of Processing
- Categories of data subjects whose Personal Data is Processed: Client and its users or clients.
- Categories of Personal Data Processed: Client Personal Data.
- Sensitive data transferred: Client Personal Data may contain data (i) revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, (ii) genetic data, biometric data Processed for the purposes of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, or (iii) relating to criminal convictions and offences (altogether “Sensitive Data”) where such is uploaded by Client to RAIDS Services; the extent of such Sensitive Data is determined and controlled solely by Client. The Client represents and warrants that it shall ensure the existence of an appropriate legal basis for the Processing of any Sensitive Data pursuant to Article 9(2) GDPR, including, where applicable, the explicit consent of the data subjects or another lawful derogation.
- The frequency of the transfer: Continuous.
- Nature of the Processing: RAIDS will Process Personal Data to provide the Services and related Support and Advisory Services in accordance with the Agreement, including this DPA, and provide feedback to Clients.
- Purpose(s) of the Processing: RAIDS will Process Client Personal Data as Processor in accordance with Client’s instructions as set out in Section 2.1 (Client Instructions).
- Duration of Processing: RAIDS will Process Client Personal Data for the term of the Agreement as outlined in Section 6 (Deletion and Return of Client Personal Data).
- Transfers to Sub-processors: RAIDS will transfer Client Personal Data to Sub-processors as permitted in Section 4 (Sub-processing).
Last updated: 12/8/2025