Data Processing Agreement
Last updated: January 28, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller," "Customer," or "you") and Intent AI ("Processor," "we," or "us"). This DPA applies when we process personal data on your behalf in connection with our Services.
1. Definitions
In this DPA, the following terms have the meanings set out below:
- "Data Protection Laws" means all applicable laws relating to data protection and privacy, including the GDPR, UK GDPR, CCPA, and other applicable data protection legislation.
- "GDPR" means the General Data Protection Regulation (EU) 2016/679.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by us on your behalf.
- "Processing" means any operation performed on Personal Data, whether or not by automated means, such as collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, or erasure.
- "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
- "Data Subject" means the individual to whom Personal Data relates.
- "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
2. Roles and Responsibilities
2.1 Controller
You are the Controller of Personal Data processed through our Services. As Controller, you are responsible for:
- Ensuring you have a lawful basis for processing Personal Data
- Providing appropriate privacy notices to Data Subjects
- Obtaining necessary consents where required
- Ensuring the accuracy and quality of Personal Data
- Responding to Data Subject requests
- Complying with all applicable Data Protection Laws
2.2 Processor
We act as a Processor when processing Personal Data on your behalf. As Processor, we will:
- Process Personal Data only on your documented instructions
- Ensure that persons processing the data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist you in responding to Data Subject requests
- Delete or return Personal Data upon termination of services
- Make available information necessary to demonstrate compliance
3. Processing Details
3.1 Subject Matter and Duration
We process Personal Data for the duration of our agreement with you, as necessary to provide our feedback intelligence Services.
3.2 Nature and Purpose
The nature and purpose of Processing includes:
- Collecting and storing customer feedback (voice and text)
- Transcribing voice recordings using AI speech-to-text
- Analyzing feedback using AI for sentiment, categorization, and insights
- Generating reports and recommendations
- Enabling team collaboration on feedback
- Integrating with third-party services at your direction
3.3 Types of Personal Data
Categories of Personal Data that may be processed include:
- Voice recordings and transcriptions
- Text feedback and comments
- Screenshots and images
- Browser and device information
- IP addresses and session identifiers
- Page URLs and navigation data
- Any personal data included in feedback content
3.4 Categories of Data Subjects
Data Subjects may include:
- Your customers who provide feedback
- Your users who interact with your products
- Your employees who provide internal feedback
- Any other individuals whose feedback you collect
4. Security Measures
We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
4.1 Technical Measures
- Encryption of Personal Data in transit (TLS 1.2+) and at rest
- Secure authentication mechanisms (bcrypt password hashing, OAuth)
- Access controls and principle of least privilege
- Network security including firewalls and intrusion detection
- Regular security updates and vulnerability patching
- Secure software development practices
- Regular backups with encryption
4.2 Organizational Measures
- Employee confidentiality agreements
- Security awareness training
- Access limited to authorized personnel
- Incident response procedures
- Regular security assessments
- Vendor due diligence for Sub-processors
5. Sub-processors
5.1 Authorization
You provide general authorization for us to engage Sub-processors to process Personal Data on your behalf. We will inform you of any intended changes concerning the addition or replacement of Sub-processors, giving you the opportunity to object.
5.2 Current Sub-processors
The following Sub-processors are currently engaged:
| Sub-processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Neon | Database hosting | US/EU | SCCs |
| Upstash | Cache and queue | US/EU | SCCs |
| Cloudflare R2 | File storage | Global | SCCs |
| Railway | Application hosting | US | SCCs |
| OpenAI | Speech-to-text | US | SCCs, DPA |
| Anthropic | AI analysis | US | SCCs, DPA |
| LemonSqueezy | Payment processing | US | SCCs |
| Resend | Email delivery | US | SCCs |
| Sentry | Error monitoring | US | SCCs |
5.3 Sub-processor Obligations
We ensure that each Sub-processor is bound by data protection obligations no less protective than those set out in this DPA.
6. International Transfers
Personal Data may be transferred to countries outside the European Economic Area (EEA), United Kingdom, or Switzerland. For such transfers, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Supplementary measures where required
We conduct transfer impact assessments as required and implement supplementary measures to ensure an adequate level of protection for Personal Data.
7. Data Subject Rights
We will assist you in responding to Data Subject requests to exercise their rights under applicable Data Protection Laws, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object
We will notify you promptly if we receive a request directly from a Data Subject. We will not respond to such requests directly unless authorized by you or required by law.
8. Security Incidents
8.1 Notification
We will notify you without undue delay (and in any event within 72 hours) after becoming aware of a Security Incident affecting Personal Data processed on your behalf.
8.2 Notification Content
Our notification will include, to the extent available:
- Description of the nature of the Security Incident
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of records affected
- Likely consequences of the Security Incident
- Measures taken or proposed to address the incident
- Contact point for further information
8.3 Cooperation
We will cooperate with you and take reasonable steps to assist in the investigation, mitigation, and remediation of the Security Incident.
9. Data Deletion
Upon termination of our agreement or upon your request, we will:
- Delete or return all Personal Data processed on your behalf
- Delete existing copies unless retention is required by law
- Provide certification of deletion upon request
We may retain Personal Data in backups for a limited period (typically 30 days) before complete deletion occurs.
10. Audit Rights
We will make available to you all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by you or your designated auditor.
Audits will be subject to:
- Reasonable advance notice (minimum 30 days)
- Scope limited to processing activities covered by this DPA
- Confidentiality obligations for all audit personnel
- Reasonable timing to minimize disruption
- Your responsibility for audit costs
We may satisfy audit requirements by providing:
- Third-party audit reports (SOC 2, ISO 27001)
- Security questionnaire responses
- Documentation of security measures
11. Liability
Each party's liability under this DPA is subject to the limitations of liability set forth in our Terms of Service. Nothing in this DPA limits either party's liability for:
- Death or personal injury caused by negligence
- Fraud or fraudulent misrepresentation
- Any matter that cannot be limited by law
12. Term and Termination
This DPA is effective from the date you accept our Terms of Service and remains in effect until the termination of our agreement. Provisions of this DPA that by their nature should survive termination will survive, including data deletion obligations, confidentiality, and liability provisions.
13. Amendments
We may amend this DPA from time to time to comply with changes in Data Protection Laws or our processing activities. We will notify you of material changes at least 30 days before they take effect. Your continued use of the Services after the effective date constitutes acceptance of the amended DPA.
14. Contact
For questions about this DPA or to exercise your rights, please contact:
Intent AI - Data Protection
Email: dpo@intentai.com
Address: [Your Business Address]
Annex A: Standard Contractual Clauses
For transfers of Personal Data from the EEA, UK, or Switzerland to countries not deemed adequate by the relevant authority, the parties agree that the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated by reference into this DPA.
For the purposes of the SCCs:
- Module Two (Controller to Processor) applies
- The optional docking clause is included
- Option 2 of Clause 9(a) applies (general authorization for sub-processors)
- The optional redress clause is not included
- The governing law is the law of Ireland
- The courts of Ireland have jurisdiction
A copy of the SCCs with completed annexes is available upon request.