Data Processing Agreement

Last Updated: January 13, 2026

Our DPA explains how IONI acts as a data processor, the security measures we apply, and the rights and responsibilities of our customers as data controllers under GDPR.

1. Subject Matter and Duration

This Data Processing Agreement (“DPA”) is incorporated into the Terms & Conditions between IONI AI INC., incorporation number: BC1556617,
6463 SILVER AVE, BURNABY, CANADA (“Processor”) and any customer using the IONI services (“Controller”).

By using the IONI services, the Controller accepts this DPA, which forms part of the Agreement. This DPA governs the processing of personal data by Processor on behalf of Controller in connection with the IONI SaaS platform. This includes the provision of AI-powered features, subscription management, billing (via Stripe), and free trial accounts, where applicable.

Processing continues for as long as the Agreement is in force.

2. Roles of the Parties

Controller decides the purposes and means of personal data processing.
Processor processes data only on instructions from Controller, unless required by law.

2.1. Nature of Processing

Processor provides a SaaS platform that:
- ingests and structures customer-provided content;
- performs analysis using software and AI systems;
- generates structured outputs, insights, and recommendations;
- supports compliance, operational, and audit workflows.

3. Data and Data Subjects

The personal data processed may include:
- Contact details (names, emails, phone numbers);
- Account details (usernames, login credentials);
- Business content and communications uploaded by Controller;
- Billing details (such as billing address, VAT/tax ID, partial payment information received from Stripe);
- Subscription details (plan type, renewal status, trial period information);
- AI inputs and outputs (content submitted to or generated by AI features, to the extent they contain personal data).

Data subjects may include Controller’s employees, contractors, customers, or other individuals whose data is provided by Controller.

4. Processor Obligations

Processor will:
- process personal data only under Controller’s instructions;
- ensure authorised personnel are bound by confidentiality;
- implement appropriate technical and organisational measures (“TOMs”) for security;
- assist Controller with data subject rights, breach notifications, and DPIAs;
- delete or return personal data upon termination, unless law requires retention;
- provide information to demonstrate compliance and allow for audits;
- ensure that AI inputs/outputs are processed only for the delivery of the requested functionality, and not used for model training unless Controller has provided explicit consent;
- process free trial data under the same protections as paid subscription data, and delete it within the retention periods set out in this DPA unless converted into a paid plan.

4.1. AI Processing

Processor may use AI technologies (including third-party providers) to process data solely for the purpose of delivering requested functionality.
Processor shall ensure:
- data is not used to train third-party models, unless explicitly authorised;
- data is processed only for defined purposes;
- safeguards are applied when using AI subprocessors.

5. Subprocessors

Controller authorises Processor to use subprocessors listed at Annex 3 and Privacy Policy.
This includes Stripe, Inc. (and its affiliates) for payment processing, which acts as an independent controller for payment credentials but may act as a processor for limited billing metadata.

Processor will impose equivalent data protection obligations on all subprocessors.
Controller will be notified of changes and may object.

6. International Transfers

Personal data may be processed outside the EEA, including in the United States.

Processor ensures appropriate safeguards in accordance with General Data Protection Regulation, including:
- Standard Contractual Clauses;
- EU-US Data Privacy Framework (where applicable).

7. Data Subject Rights

Processor shall assist Controller in responding to requests from data subjects under GDPR Articles 15–22.

8. Security and Breach Notification

Processor maintains appropriate TOMs (e.g., encryption, access control, monitoring). In the event of a personal data breach, Processor notifies Controller without undue delay.

For payment processing, the Processor relies on Stripe’s PCI-DSS certified infrastructure. Processor does not store full credit card numbers or banking details on its systems.

9. Audits

Controller may conduct audits or inspections once per year (unless otherwise required).
Compliance may also be demonstrated via independent certifications or audit reports.

10. Liability

Liability follows the limitations set out in the Agreement, except where GDPR requires otherwise.

11. Termination

When the Agreement ends, Processor will delete or return all personal data unless retention is required by law. Payment and billing records may be retained for the period required by applicable tax and accounting laws (generally up to 7–10 years). Trial data may be deleted within 30 days following trial expiration unless a paid subscription is activated.

12. Governing Law

This DPA is governed by the law and jurisdiction specified in the Agreement.

Annex 1 – Processing Details

- Purpose: Provision of IONI SaaS platform, including AI-powered features, subscription and billing management, and free trial administration.
- Data Types: Contact details, account data, business content, billing details, subscription information, and AI inputs/outputs.
- Data Subjects: Users, employees, contractors, customers, suppliers and third parties.
- Duration: For the term of the Agreement.

Annex 2 – Technical and Organisational Measures (TOMs)

1. Technical Security Measures

- Encryption of personal data in transit using TLS 1.2 or higher;
- Encryption of personal data at rest using industry-standard encryption (e.g. AES-256 or equivalent cloud-native encryption);
- Role-based access control (RBAC) with strict access segmentation based on user roles and responsibilities;
- Multi-factor authentication (MFA) for administrative and privileged access;
- Secure API access controls, including authentication, authorization, and rate limiting;
- Logical separation of customer data through multi-tenant isolation mechanisms;
- Data segregation controls preventing unauthorized cross-tenant access;
- Centralized logging and monitoring of system activity, including access logs and security events;
- Intrusion detection and prevention mechanisms;
- Regular vulnerability scanning and timely application of security patches;
- Backup procedures ensuring data availability and integrity;
- Disaster recovery processes to restore data and system functionality;
- Secure key management using cloud-native key management systems.

2. Organisational Security Measures

- Access to personal data is granted strictly on a least privilege basis;
- Regular review and revocation of access rights;
- Confidentiality obligations for all personnel with access to personal data;
- Security awareness and training programs for employees;
- Documented incident response and breach notification procedures;
- Vendor risk management and due diligence processes for subprocessors;
- Internal policies governing data protection and information security.

3. Data Protection Controls

- Data minimisation practices to ensure only necessary data is processed;
- Pseudonymisation or masking where applicable;
- Defined data retention and deletion policies;
- Secure deletion and disposal of personal data.

4. AI-Specific Safeguards

- AI processing is limited strictly to delivering the requested functionality;
- Personal data is not used to train third-party models unless explicitly authorised by the Controller;
- Data shared with AI subprocessors is minimised and limited to required inputs;
- Isolation of prompts and outputs between customers;
- Contractual safeguards applied to all AI providers.

5. Infrastructure and Cloud Security

- Use of enterprise-grade cloud infrastructure providers with recognised compliance certifications;
- High availability and redundancy configurations;
- Continuous monitoring of infrastructure and services;
- Separation of production and non-production environments.

Annex 3 – Subprocessors

The Controller authorises the Processor to engage the following subprocessors:

1. Infrastructure and Hosting
- Microsoft Azure — primary cloud infrastructure and hosting — United States — SCC + Data Privacy Framework;
- Amazon Web Services (AWS S3) — object storage — United States — SCC + Data Privacy Framework.

2. AI and Machine Learning Services
- Microsoft Azure OpenAI Service — AI processing — United States / EU (depending on configuration) — SCC + Data Privacy Framework;
- OpenAI — embeddings and optional LLM processing — United States — SCC + Data Privacy Framework;
- Amazon Bedrock — AI services — United States — SCC + Data Privacy Framework.

3. Payments
- Stripe, Inc. — payment processing — United States — SCC + PCI-DSS.

4. Email and Communication
- Mailgun / Sinch — transactional email delivery — EU / United States — SCC.

5. Logging and Monitoring
- Mezmo (LogDNA) — logging and monitoring — United States — SCC.

6. Authentication and Integrations
- Google (OAuth, Google Drive API) — authentication and integrations — United States — SCC + Data Privacy Framework.

Annex 4 – Standard Contractual Clauses (SCC)

The parties agree that the Standard Contractual Clauses adopted by the European Commission under Commission Implementing Decision (EU) 2021/914 apply to all transfers of personal data outside the EEA.

The following modules apply:
- Module 2: Controller to Processor;
- Module 3: Processor to Subprocessor.

For the purposes of the SCC:
- Controller acts as Data Exporter;
- Processor acts as Data Importer.

Annex 1, Annex 2, and Annex 3 of this DPA shall serve as the corresponding annexes to the SCC.

Where applicable, transfers may also rely on the EU-US Data Privacy Framework for certified organisations.

Acceptance

This DPA is pre-signed by IONI AI INC.
Incorporation number: BC1556617
6463 SILVER AVE, BURNABY, CANADA
It automatically applies to all Controllers using the Services.
Customers may request a signed PDF copy via sergey@ioni.ai.