This Data Processing Addendum ("DPA") forms part of the Terms of Service between Customer and Paitho Labs, Inc. ("Paitho"). It applies to Personal Data processed by Paitho on Customer's behalf in connection with the Service. Capitalized terms not defined here have the meanings given in the Terms.
01 · Definitions
In plain English: standard GDPR vocabulary. The customer (you) controls what gets processed. We process on your instructions. A sub-processor is a vendor we use to do part of the job.
- Controller
- The natural or legal person, public authority, agency, or other body that determines the purposes and means of the processing of Personal Data. For purposes of this DPA, the Controller is Customer.
- Processor
- A natural or legal person, public authority, agency, or other body that processes Personal Data on behalf of the Controller. For purposes of this DPA, the Processor is Paitho.
- Sub-processor
- Any third party engaged by Paitho to process Personal Data on Paitho's behalf in connection with the Service.
- Data Subject
- An identified or identifiable natural person to whom Personal Data relates.
- Personal Data
- Any information relating to a Data Subject that is processed by Paitho on Customer's behalf in connection with the Service, as further described in Section 3.
- Applicable Data Protection Law
- All laws and regulations applicable to the Processing of Personal Data, including without limitation the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, and the California Consumer Privacy Act of 2018, as amended ("CCPA/CPRA").
02 · Roles of the parties
In plain English: you decide whose data to upload and why. We do what you tell us with it. Period.
Each party shall comply with its respective obligations under Applicable Data Protection Law. Where Customer is itself a Processor acting on behalf of a third party Controller, Customer warrants that it has obtained all necessary authorisations to engage Paitho as a Sub-processor under this DPA.
03 · Scope of processing
In plain English: we only process the personal data needed to make the product work: names, work emails, public role context, and your account data.
The subject matter of the processing is the provision of the Service to Customer. The duration of processing is the term of the underlying agreement plus any post-termination retention period set out in Section 12.
Nature and purpose: account administration; ingestion of lead data uploaded by Customer; generation of research briefs and draft messages; storage of approval signals; transmission of approved messages via Customer-owned infrastructure; provision of audit logs.
Categories of Personal Data:
- Customer user account data (name, work email, role, password hash).
- Lead and prospect data uploaded by Customer (typically: name, work email, job title, company affiliation, public profile URLs).
- Communication content (drafts, edits, approval/rejection records).
- Technical and usage data (IP, user-agent, session timestamps).
Categories of Data Subjects: Customer's authorized users; Customer's prospects and leads as uploaded by Customer.
Special categories: Customer shall not upload special-category Personal Data (Article 9 GDPR) into the Service. Paitho is not designed to process such data.
04 · Customer instructions
In plain English: we only do what you tell us, plus what the law forces us to do. If you ask for something illegal we'll tell you no.
Paitho shall process Personal Data only on documented instructions from Customer, including: (a) the instructions set out in the Terms and this DPA; (b) Customer's configurations within the Service; (c) any additional written instructions issued by Customer that are technically and operationally feasible.
If Paitho is required by law to process Personal Data otherwise than on Customer's instructions, Paitho shall notify Customer of that requirement before processing, unless prohibited by law from doing so. Paitho shall promptly inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law; however, Paitho is not obligated to provide legal advice.
05 · Confidentiality of personnel
In plain English: anyone at Paitho who can see your data is bound by confidentiality and only sees what they need to see.
Paitho shall ensure that all personnel authorised to process Personal Data are bound by appropriate obligations of confidentiality (whether contractual or statutory) and have received appropriate training. Access to Personal Data is granted on a least-privilege basis and is reviewed at least quarterly.
06 · Security measures
In plain English: encryption in transit and at rest, hardware-backed key management, least-privilege access, audit logs, regular penetration testing. The full list is on the security page.
Paitho shall implement and maintain appropriate technical and organisational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data, taking into account the state of the art, the costs of implementation, and the risks involved.
Such measures include, at minimum: encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256); role-based access control with least-privilege defaults; multi-factor authentication for administrative access; immutable audit logging; vulnerability management; annual third-party penetration testing; and a documented incident response plan.
The current technical security measures are described at /security and may be updated from time to time, provided that the overall level of protection is not materially diminished.
07 · Sub-processors
In plain English: we publish every vendor that touches your data. We give you 30 days' notice before adding a new one. You can object.
Customer grants Paitho general written authorisation to engage Sub-processors for the purposes of providing the Service. The current list of Sub-processors is published at /security#sub-processors.
Paitho shall:
- Notify Customer at least thirty (30) days in advance of adding or replacing a Sub-processor (the "Notice Period"), via email to the account's notification contacts and via the Sub-processor list page.
- Impose contractual obligations on each Sub-processor that are no less protective than those set out in this DPA.
- Remain fully liable to Customer for the performance of each Sub-processor's obligations under this DPA.
Right to object. Customer may object in writing to a new Sub-processor on reasonable data-protection grounds within the Notice Period. The parties shall work in good faith to resolve the objection. If no resolution is reached, Customer may terminate the affected Service component without penalty as Customer's sole and exclusive remedy.
08 · Data subject rights — Paitho assists Customer
In plain English: when one of your prospects asks to see, fix, or delete their data, you handle the request. We give you the tools and the data.
Taking into account the nature of the processing, Paitho shall assist Customer by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of Customer's obligations to respond to requests for exercising Data Subject rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection).
Paitho provides self-service tooling within the Service to export, modify, and delete Personal Data. For requests that cannot be fulfilled via self-service, Customer may contact privacy@paitho.ai; Paitho will respond within ten (10) business days. Paitho will not respond directly to a Data Subject's request relating to Customer's Personal Data without Customer's prior authorisation, except where required by law.
09 · Personal data breach notification
In plain English: if there's a confirmed breach affecting your data, we tell you within 48 hours. We tell you what we know, what we don't, and what we're doing about it.
Paitho shall notify Customer without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a confirmed Personal Data Breach affecting Customer's Personal Data. Such notification shall include, to the extent then known:
- The nature of the breach, including the categories and approximate number of Data Subjects and records concerned.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and to mitigate its possible adverse effects.
- The name and contact details of Paitho's Data Protection Contact for follow-up information.
Where information cannot be provided at the same time, it shall be provided in phases without undue further delay. Paitho shall reasonably cooperate with Customer in Customer's notifications to supervisory authorities and Data Subjects, where required.
10 · Audits
In plain English: every year we publish a SOC 2 report you can review. If you have a real reason to come look in person, we'll let you, with reasonable notice.
Paitho shall make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and equivalent provisions of other Applicable Data Protection Law. Paitho shall, on an annual basis:
- Make available to Customer Paitho's most recent SOC 2 Type II report (or equivalent) under reasonable confidentiality terms.
- Respond to Customer's reasonable security and privacy questionnaires.
On-site audits. Where the SOC 2 report is insufficient to address a specific, documented concern, Customer may, at Customer's expense and on at least thirty (30) days' written notice, conduct an on-site audit of Paitho's processing facilities relevant to the Service. Audits shall be conducted during normal business hours, no more than once per twelve (12) month period (except in the event of a material security incident), and shall not unreasonably interfere with Paitho's business operations. Both parties shall cooperate in good faith to minimise disruption.
11 · Cross-border transfers
In plain English: when EU data has to leave the EU, we use the EU's Standard Contractual Clauses to keep your protections intact.
To the extent that Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, the parties agree that the European Commission's Standard Contractual Clauses (Decision 2021/914) are hereby incorporated into this DPA by reference, with the following module elections:
- Module Two (Controller to Processor) shall apply where Customer is a Controller and Paitho is a Processor.
- Module Three (Processor to Sub-processor) shall apply where Customer is itself a Processor.
- Clause 7 (docking clause): not used.
- Clause 11(a) (independent dispute resolution): the optional language is not adopted.
- Clause 17 (governing law): the law of Ireland.
- Clause 18 (forum): the courts of Ireland.
- Annex I is populated by reference to Section 3 of this DPA. Annex II is populated by reference to Section 6 of this DPA. Annex III is populated by reference to the Sub-processor list at /security#sub-processors.
For UK transfers, the UK International Data Transfer Addendum to the SCCs (issued by the ICO) is incorporated and applies as a layer above the SCCs.
12 · Return and deletion of data
In plain English: when the contract ends, you have 90 days to export. After that, we delete from production within 30 days, and backups rotate out within a further 35 days after the production deletion.
Upon termination of the underlying agreement, Customer may request, within ninety (90) days of the termination date (the "Export Window"), that Paitho return all Personal Data via the export tooling provided in the Service or via written request to support@paitho.ai.
Following the expiry of the Export Window, Paitho shall delete Personal Data from production systems within thirty (30) days. Personal Data residing in routine backup systems shall be purged through normal backup-rotation cycles, which complete within thirty-five (35) days of the production deletion date. Paitho shall not access backup-resident Personal Data during this period except for legally required preservation or to restore production in a disaster-recovery scenario.
Paitho may retain Personal Data to the extent required by Applicable Data Protection Law or other applicable law, in which case it shall remain subject to the confidentiality and security obligations of this DPA for the duration of such retention.
13 · Liability and indemnification
In plain English: the liability cap and indemnification rules in the main Terms apply to this DPA too.
Each party's liability under this DPA, taken together with any liability under the Terms, shall be subject to the exclusions and limitations of liability set forth in the Terms. Indemnification rights and obligations under this DPA shall be exercised in accordance with the indemnification procedure set forth in the Terms.
14 · Term
In plain English: this DPA lives as long as the main agreement does, plus whatever time we need to finish deleting your data.
This DPA shall remain in effect for the duration of the underlying agreement and shall continue to apply after termination for so long as Paitho processes Personal Data on Customer's behalf, including during the Export Window and any post-termination retention period required by law.
15 · Governing law
In plain English: same as the main Terms, Delaware. The SCCs themselves use Irish law where they apply.
Except where the SCCs require otherwise, this DPA is governed by the laws of the State of Delaware, USA, without regard to conflict-of-laws principles. The SCCs incorporated under Section 11 are governed by the law of Ireland as expressly stated therein.
For DPA execution requests (countersigned PDF) or to receive a copy of the SCCs in force for your account: privacy@paitho.ai. We turn DPAs around within five business days.