Data Processing Agreement

Last updated: April 2026

This DPA supplements our Terms of Service and Privacy Policy for customers who require a formal data processing agreement under GDPR or similar regulations.

downloadRequest DPA as PDF

Table of Contents

01. Definitions

Controller: The customer who determines the purposes and means of the processing of personal data.

Processor: IP Engineering (CalibraLogic AI), which processes personal data on behalf of the Controller.

Personal Data: Any information relating to an identified or identifiable natural person as defined in GDPR Article 4.

Sub-processor: Any third party appointed by the Processor to process personal data.

Applicable Law: This DPA is entered into pursuant to the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and other applicable data protection laws.

02. Scope and Purpose

CalibraLogic AI processes personal data on behalf of the customer to provide AI-driven automotive engineering and calibration services. This includes account information, user-submitted queries, technical diagnostic files, and performance logs necessary for service delivery.

03. Data Processing Details

AspectDetails
SubjectsCustomer employees, contractors, and authorized platform users.
TypesName, email, phone number, technical queries, automotive diagnostic files.
ActivitiesAuthentication, AI model processing, usage tracking, and technical support.
DurationFor the duration of the Master Services Agreement term.
LocationEuropean Union (EU), United Arab Emirates (UAE), Türkiye, and Singapore.

04. Obligations of the Processor

  • check_circleProcess data only on documented instructions from the Controller.
  • check_circleEnsure all personnel authorized to process data have committed themselves to confidentiality.
  • check_circleImplement appropriate technical and organizational security measures.
  • check_circleAssist Controller in fulfilling obligations regarding Data Subject rights.
  • check_circleDelete or return data at the choice of the Controller upon termination.

Data Usage for Model Training

CalibraLogic AI does not use Customer personal data or user-uploaded content for training underlying AI models without explicit, separate consent. Customer data is processed solely to provide the requested Services and is not repurposed for model improvement, research, or development activities unless the Customer has provided explicit written authorization.

05. Sub-processors

CalibraLogic AI provides a 30-day notice for any changes to our sub-processor list. AI providers process data in-memory only; models are not updated with customer data.

EU

Supabase

Core Infrastructure & Auth

US / EU

Stripe

Billing & Payments

US

Primary AI Processing Provider

LLM Inference

EU

AI Processing Provider B

Calibration Analysis

Singapore

AI Processing Provider C

Regional Processing

EU

AI Processing Provider D

Data Analysis

Right to Object:The Customer has the right to object to CalibraLogic AI's appointment of a new sub-processor on reasonable data protection grounds. Objections must be provided in writing within 15 days of notification. If the objection cannot be accommodated, either party may terminate the affected Services without penalty, and CalibraLogic AI shall provide a pro-rata refund for prepaid fees.

06. International Transfers

Data may be transferred to sub-processor countries as listed above. CalibraLogic AI utilizes Standard Contractual Clauses (SCCs) to ensure equivalent protection. Account and identity data for EU customers is maintained strictly within EU-based Supabase instances.

For transfers subject to UK GDPR, CalibraLogic AI implements the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses, as applicable.

Upon request, CalibraLogic AI shall provide reasonable information to assist the Customer in conducting transfer impact assessments as required under GDPR.

07. Security Measures

lock

Encryption

TLS 1.3 in transit and AES-256 encryption at rest.

shield

Access Control

Strict role-based access control (RBAC) and MFA.

verified_user

Regular Audits

Continuous automated security scanning and annual pen-testing.

campaign

Incident Response

Documented incident management and disaster recovery protocols.

08. Data Subject Rights

  • check_circleRight of Access: Obtain confirmation and access to personal data being processed.
  • check_circleRight to Rectification: Request correction of inaccurate or incomplete data.
  • check_circleRight to Erasure: Request deletion of personal data (“right to be forgotten”).
  • check_circleRight to Restriction of Processing: Request temporary limitation of processing.
  • check_circleRight to Data Portability: Receive data in a structured, machine-readable format.
  • check_circleRight to Object: Object to processing on grounds relating to particular situation.
  • check_circleRight Not to Be Subject to Automated Decision-Making: Not be subject to decisions based solely on automated processing.
"CalibraLogic AI guarantees a 5-day response timefor all data subject requests forwarded by the Controller, including access, rectification, and erasure."

09. Data Breach Notification

In the event of a suspected or confirmed breach, CalibraLogic AI will notify the Controller within 72 hours. The notification will describe the nature of the breach, types of data affected, and remedial measures taken or proposed.

10. Audit Rights

Controllers may audit our compliance with this DPA upon 30-day notice. Audits are limited to processing activities relevant to the Controller. As an alternative, CalibraLogic AI may provide independent third-party audit reports (e.g., SOC2).

  • Audits are limited to once per year unless required by a supervisory authority or in response to a suspected data breach.
  • Conducted during normal business hours with minimal disruption to operations.
  • Third-party auditors must be bound by appropriate confidentiality obligations.
  • Audit costs are borne by the Customer unless the audit reveals material non-compliance by CalibraLogic AI.

11. Data Retention

Account Data
Retained for the duration of the active subscription and a reasonable period thereafter for reactivation.
Uploaded Files
Retained only as necessary to provide Services. Automatically deleted per plan-specific retention policies or upon Customer request.
Usage Logs
Retained for security and operational purposes for up to 12 months unless legally required longer.
Billing Records
Retained as required by applicable tax and accounting regulations (typically 7–10 years).
User-Requested Deletion
Customers may request deletion at any time via support@calibralogic.ai. Processed within 30 days.

12. Term and Termination

This DPA remains in effect for the duration of the service agreement. Upon termination, personal data will be deleted within 30 days, unless statutory retention requirements apply (see Data Retention section above).

13. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws governing the Terms of Service between the parties. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts as specified in the Terms of Service, without prejudice to the rights of data subjects to bring claims before the courts of their habitual residence or place of work.

14. Contact

Personnel

Data Protection Officer

dpo@calibralogic.ai

Legal Department

legal@calibralogic.ai

Entity Details

IP Engineering
Dubai, United Arab Emirates

Execute this DPA

To receive a formally signed copy of this agreement, please contact our legal team. Enterprise and dealer customers receive a signed copy during onboarding.

Request Signed DPA

This DPA is provided for transparency. Contact us for a customized version tailored to your specific jurisdictional requirements.