Skip to main content

Data Processing Agreement

Last updated: January 28, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller," "Customer," or "you") and Intent AI ("Processor," "we," or "us"). This DPA applies when we process personal data on your behalf in connection with our Services.

1. Definitions

In this DPA, the following terms have the meanings set out below:

  • "Data Protection Laws" means all applicable laws relating to data protection and privacy, including the GDPR, UK GDPR, CCPA, and other applicable data protection legislation.
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by us on your behalf.
  • "Processing" means any operation performed on Personal Data, whether or not by automated means, such as collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, or erasure.
  • "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2. Roles and Responsibilities

2.1 Controller

You are the Controller of Personal Data processed through our Services. As Controller, you are responsible for:

  • Ensuring you have a lawful basis for processing Personal Data
  • Providing appropriate privacy notices to Data Subjects
  • Obtaining necessary consents where required
  • Ensuring the accuracy and quality of Personal Data
  • Responding to Data Subject requests
  • Complying with all applicable Data Protection Laws

2.2 Processor

We act as a Processor when processing Personal Data on your behalf. As Processor, we will:

  • Process Personal Data only on your documented instructions
  • Ensure that persons processing the data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist you in responding to Data Subject requests
  • Delete or return Personal Data upon termination of services
  • Make available information necessary to demonstrate compliance

3. Processing Details

3.1 Subject Matter and Duration

We process Personal Data for the duration of our agreement with you, as necessary to provide our feedback intelligence Services.

3.2 Nature and Purpose

The nature and purpose of Processing includes:

  • Collecting and storing customer feedback (voice and text)
  • Transcribing voice recordings using AI speech-to-text
  • Analyzing feedback using AI for sentiment, categorization, and insights
  • Generating reports and recommendations
  • Enabling team collaboration on feedback
  • Integrating with third-party services at your direction

3.3 Types of Personal Data

Categories of Personal Data that may be processed include:

  • Voice recordings and transcriptions
  • Text feedback and comments
  • Screenshots and images
  • Browser and device information
  • IP addresses and session identifiers
  • Page URLs and navigation data
  • Any personal data included in feedback content

3.4 Categories of Data Subjects

Data Subjects may include:

  • Your customers who provide feedback
  • Your users who interact with your products
  • Your employees who provide internal feedback
  • Any other individuals whose feedback you collect

4. Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

4.1 Technical Measures

  • Encryption of Personal Data in transit (TLS 1.2+) and at rest
  • Secure authentication mechanisms (bcrypt password hashing, OAuth)
  • Access controls and principle of least privilege
  • Network security including firewalls and intrusion detection
  • Regular security updates and vulnerability patching
  • Secure software development practices
  • Regular backups with encryption

4.2 Organizational Measures

  • Employee confidentiality agreements
  • Security awareness training
  • Access limited to authorized personnel
  • Incident response procedures
  • Regular security assessments
  • Vendor due diligence for Sub-processors

5. Sub-processors

5.1 Authorization

You provide general authorization for us to engage Sub-processors to process Personal Data on your behalf. We will inform you of any intended changes concerning the addition or replacement of Sub-processors, giving you the opportunity to object.

5.2 Current Sub-processors

The following Sub-processors are currently engaged:

Sub-processorPurposeLocationSafeguards
NeonDatabase hostingUS/EUSCCs
UpstashCache and queueUS/EUSCCs
Cloudflare R2File storageGlobalSCCs
RailwayApplication hostingUSSCCs
OpenAISpeech-to-textUSSCCs, DPA
AnthropicAI analysisUSSCCs, DPA
LemonSqueezyPayment processingUSSCCs
ResendEmail deliveryUSSCCs
SentryError monitoringUSSCCs

5.3 Sub-processor Obligations

We ensure that each Sub-processor is bound by data protection obligations no less protective than those set out in this DPA.

6. International Transfers

Personal Data may be transferred to countries outside the European Economic Area (EEA), United Kingdom, or Switzerland. For such transfers, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Supplementary measures where required

We conduct transfer impact assessments as required and implement supplementary measures to ensure an adequate level of protection for Personal Data.

7. Data Subject Rights

We will assist you in responding to Data Subject requests to exercise their rights under applicable Data Protection Laws, including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object

We will notify you promptly if we receive a request directly from a Data Subject. We will not respond to such requests directly unless authorized by you or required by law.

8. Security Incidents

8.1 Notification

We will notify you without undue delay (and in any event within 72 hours) after becoming aware of a Security Incident affecting Personal Data processed on your behalf.

8.2 Notification Content

Our notification will include, to the extent available:

  • Description of the nature of the Security Incident
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of records affected
  • Likely consequences of the Security Incident
  • Measures taken or proposed to address the incident
  • Contact point for further information

8.3 Cooperation

We will cooperate with you and take reasonable steps to assist in the investigation, mitigation, and remediation of the Security Incident.

9. Data Deletion

Upon termination of our agreement or upon your request, we will:

  • Delete or return all Personal Data processed on your behalf
  • Delete existing copies unless retention is required by law
  • Provide certification of deletion upon request

We may retain Personal Data in backups for a limited period (typically 30 days) before complete deletion occurs.

10. Audit Rights

We will make available to you all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by you or your designated auditor.

Audits will be subject to:

  • Reasonable advance notice (minimum 30 days)
  • Scope limited to processing activities covered by this DPA
  • Confidentiality obligations for all audit personnel
  • Reasonable timing to minimize disruption
  • Your responsibility for audit costs

We may satisfy audit requirements by providing:

  • Third-party audit reports (SOC 2, ISO 27001)
  • Security questionnaire responses
  • Documentation of security measures

11. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in our Terms of Service. Nothing in this DPA limits either party's liability for:

  • Death or personal injury caused by negligence
  • Fraud or fraudulent misrepresentation
  • Any matter that cannot be limited by law

12. Term and Termination

This DPA is effective from the date you accept our Terms of Service and remains in effect until the termination of our agreement. Provisions of this DPA that by their nature should survive termination will survive, including data deletion obligations, confidentiality, and liability provisions.

13. Amendments

We may amend this DPA from time to time to comply with changes in Data Protection Laws or our processing activities. We will notify you of material changes at least 30 days before they take effect. Your continued use of the Services after the effective date constitutes acceptance of the amended DPA.

14. Contact

For questions about this DPA or to exercise your rights, please contact:

Intent AI - Data Protection
Email: dpo@intentai.com
Address: [Your Business Address]

Annex A: Standard Contractual Clauses

For transfers of Personal Data from the EEA, UK, or Switzerland to countries not deemed adequate by the relevant authority, the parties agree that the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated by reference into this DPA.

For the purposes of the SCCs:

  • Module Two (Controller to Processor) applies
  • The optional docking clause is included
  • Option 2 of Clause 9(a) applies (general authorization for sub-processors)
  • The optional redress clause is not included
  • The governing law is the law of Ireland
  • The courts of Ireland have jurisdiction

A copy of the SCCs with completed annexes is available upon request.