Data Processing Addendum
Last updated: 19 April 2026 · Equaliser AI Ltd
This DPA applies when Equaliser AI (“Processor”) processes personal data on behalf of a customer (“Controller”) under UK GDPR / EU GDPR. It forms part of the Terms of Service and takes precedence over anything conflicting in those Terms for matters of personal data processing.
1. Subject matter & duration
The subject matter is the service described in the Terms. Processing continues for as long as the Controller maintains an active subscription, plus any agreed retention period.
2. Nature & purpose of processing
Providing AI-driven paid-media intelligence, reports, and audits. This includes connecting to the Controller’s advertising platforms (Google Ads, Meta, GA4, etc.), aggregating and analysing the resulting data, generating recommendations, and delivering reports to recipients the Controller nominates.
3. Categories of data subjects
- The Controller’s employees and team members who use the platform
- Report recipients the Controller nominates (e.g. its clients)
- End-users whose behavioural data flows in via connected ad platforms (aggregated metrics only; no PII is imported)
4. Categories of personal data
- Identification & contact data: email, name, role, organisation
- Authentication data: password hashes, session tokens
- Usage telemetry: feature interactions, agent outputs, tenancy-scoped reports
- Aggregate advertising-performance data imported from connected platforms
5. Sub-processors
The following sub-processors are pre-authorised. The Controller is notified at least 30 days before any sub-processor is added or replaced.
- Supabase (Supabase Inc., US — data hosted in EU) — auth, database, storage
- Vercel (Vercel Inc., US) — hosting, edge compute
- Anthropic (Anthropic PBC, US) — LLM inference for AI-generated outputs
- Google Cloud (Alphabet Inc., US — data hosted in EU) — BigQuery warehouse
- Resend (Resend Inc., US — data hosted in EU) — transactional email
- Sentry (Functional Software Inc., US — data hosted in EU) — error monitoring
- Langfuse (Langfuse GmbH, Germany) — AI observability
6. International transfers
Where personal data is transferred to jurisdictions outside the UK / EEA, we rely on the EU Standard Contractual Clauses together with the UK International Data Transfer Addendum. Transfer details for each sub-processor are available on request.
7. Technical & organisational measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Multi-tenant row-level security (RLS) on every tenant-scoped table
- Role-based access control with least-privilege default
- Penetration testing before general availability and annually thereafter
- Incident response with 24-hour notification commitment for personal-data breaches
- SOC 2 Type II in progress (expected Q3 2026)
8. Data subject rights
The Processor assists the Controller in responding to data subject requests (access, rectification, erasure, portability, objection) at no additional cost for paid plans.
9. Breach notification
The Processor notifies the Controller within 24 hours of becoming aware of any personal data breach. The notification includes the nature of the breach, the data and data subjects affected, the mitigation taken, and the likely consequences.
10. Audit rights
Once per calendar year, the Controller may request (with 30 days’ notice) a summary of the Processor’s security posture and sub-processor register. On-site audits are available at the Controller’s expense.
11. Deletion on termination
On termination or expiry, personal data is deleted or anonymised within 90 days, unless retention is legally required (e.g. accounting records). Written confirmation of deletion is provided on request.
Contact
DPO inquiries: privacy@equaliser.ai
A countersigned copy of this DPA is available on request for procurement / legal review processes.