Our DPA explains how IONI acts as a data processor, the security measures we apply, and the rights and responsibilities of our customers as data controllers under GDPR.
This Data Processing Agreement (“DPA”) is incorporated into the Terms & Conditions between IONI (legal name - Springs LLC) (“Processor”) and any customer using the IONI services (“Controller”).
By using the IONI services, the Controller accepts this DPA, which forms part of the Agreement. This DPA governs the processing of personal data by Processor on behalf of Controller in connection with the IONI SaaS platform. This includes the provision of AI-powered features, subscription management, billing (via Stripe), and free trial accounts, where applicable.
Processing continues for as long as the Agreement is in force.
Controller decides the purposes and means of personal data processing.
Processor processes data only on instructions from Controller, unless required by law.
The personal data processed may include:
- Contact details (names, emails, phone numbers);
- Account details (usernames, login credentials);
- Business content and communications uploaded by Controller.
- Billing details (such as billing address, VAT/tax ID, partial payment information received from Stripe).
- Subscription details (plan type, renewal status, trial period information).
- AI inputs and outputs (content submitted to or generated by AI features, to the extent they contain personal data).
Data subjects may include Controller’s employees, contractors, customers, or other individuals whose data is provided by Controller.
Processor will:
- process personal data only under Controller’s instructions;
- ensure authorised personnel are bound by confidentiality;
- implement appropriate technical and organisational measures (“TOMs”) for security;
- assist Controller with data subject rights, breach notifications, and DPIAs;
- delete or return personal data upon termination, unless law requires retention;
- provide information to demonstrate compliance and allow for audits.
– ensure that AI inputs/outputs are processed only for the delivery of the requested functionality, and not used for model training unless Controller has provided explicit consent;
– process free trial data under the same protections as paid subscription data, and delete it within the retention periods set out in this DPA unless converted into a paid plan.
Controller authorises Processor to use sub-processors listed at Privacy Policy.
This includes Stripe, Inc. (and its affiliates) for payment processing, which acts as an independent controller for payment credentials but may act as a processor for limited billing metadata.
Processor will impose equivalent data protection obligations on all sub-processors.
Controller will be notified of changes and may object.
If data is transferred outside the EEA/UK, Processor ensures appropriate safeguards like EU Standard Contractual Clauses.
Processor shall assist Controller in responding to requests from data subjects under GDPR Articles 15–22.
Processor maintains appropriate TOMs (e.g., encryption, access control, monitoring).In the event of a personal data breach, Processor notifies Controller without undue delay.
For payment processing, the Processor relies on Stripe’s PCI-DSS certified infrastructure. Processor does not store full credit card numbers or banking details on its systems.
Controller may conduct audits or inspections once per year (unless otherwise required).
Compliance may also be demonstrated via independent certifications or audit reports.
Liability follows the limitations set out in the Agreement, except where GDPR requires otherwise.
When the Agreement ends, Processor will delete or return all personal data unless retention is required by law. Payment and billing records may be retained for the period required by applicable tax and accounting laws (generally up to 7–10 years). Trial data may be deleted within 30 days following trial expiration unless a paid subscription is activated.
This DPA is governed by the law and jurisdiction specified in the Agreement.
- Purpose: Provision of IONI SaaS platform, including AI-powered features, subscription and billing management, and free trial administration.
- Data Types: Contact details, account data, business content, billing details, subscription information, and AI inputs/outputs.
- Data Subjects: Users, employees, contractors, customers
- Duration: For the term of the Agreement
- Encryption in transit (TLS) and at rest;
- Access controls, strong authentication, role-based permissions;
- Regular backups and secure storage;
- Monitoring, logging, intrusion detection;
- Security awareness training for staffIncident response and breach management procedures
– PCI-DSS reliance for Stripe payment processing;
– Separation of trial and paid customer data environments where applicable.
This DPA is pre-signed by IONI (legal name - Springs LLC)
It automatically applies to all Controllers using the Services.
Customers may request a signed PDF copy via sergey@ioni.ai.
