Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the GetAiVIS Terms of Service between GetAiVIS (as defined below) and the Customer. It applies where, in the provision of the GetAiVIS service, GetAiVIS processes personal data on behalf of the Customer and that processing is subject to the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), the UK GDPR, or the EU GDPR.
1. Definitions
Capitalised terms not defined here have the meaning given in the Terms of Service or applicable Data Protection Law. "Controller", "Processor", "Data Subject", "Personal Data", and "Processing" have the meanings given in the GDPR. "GetAiVIS" means Robert Jones trading as GetAiVIS, operating from the United Arab Emirates. "Customer" means the entity that has accepted the Terms of Service.
2. Role of the parties
For Personal Data processed in the provision of the service, the Customer is the Controller and GetAiVIS is the Processor. For Personal Data processed by GetAiVIS for its own internal purposes (account administration, billing, security, product analytics, legal compliance), GetAiVIS is an independent Controller and its Privacy Policy governs that processing.
3. Subject matter & duration
- Subject matter: provision of the GetAiVIS AI visibility intelligence service.
- Duration: for the term of the Customer's subscription, plus any post-termination retention period set out in the Privacy Policy.
- Nature and purpose: generating AI visibility scans, producing reports, delivering account and billing functions.
- Types of Personal Data: Customer account contact details (name, email), Customer end-user contact details where the Customer chooses to add team members, and any Personal Data contained in Customer-supplied prompts or brand configuration.
- Categories of Data Subject: Customer's employees, contractors, and — only to the extent the Customer chooses to submit such data — third parties referenced in prompts.
4. Customer instructions
GetAiVIS will process Personal Data only on documented instructions from the Customer, including as set out in the Terms, this DPA, and the Customer's use of the service's configuration options. If GetAiVIS is required to process Personal Data for a purpose not authorised by the Customer (for example, to comply with a legal obligation), GetAiVIS will inform the Customer before that processing unless prohibited by law.
5. Confidentiality of personnel
GetAiVIS will ensure that any person authorised to process Personal Data on its behalf is subject to an appropriate duty of confidentiality.
6. Security measures
GetAiVIS has implemented and will maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Current measures are described at /security.html and include, at minimum:
- TLS 1.2+ encryption in transit; encryption at rest provided by the underlying cloud platform
- bcrypt one-way password hashing
- Role-based access controls and least-privilege principles
- Secure session management (Secure/HttpOnly/SameSite cookies)
- Automated dependency vulnerability scanning and incident response procedures
7. Subprocessors
The Customer gives GetAiVIS a general authorisation to engage the subprocessors listed at /subprocessors.html. GetAiVIS will:
- Impose data protection obligations on each subprocessor that are substantively equivalent to those in this DPA;
- Remain liable to the Customer for the acts and omissions of its subprocessors;
- Give the Customer at least 30 days' prior notice of any new or replacement subprocessor processing Personal Data, during which the Customer may object in writing on reasonable data-protection grounds. Where the parties cannot agree a resolution, the Customer may terminate the affected services for convenience.
8. Assistance with Data Subject rights
GetAiVIS will, taking into account the nature of the processing, provide reasonable assistance to the Customer (through appropriate technical and organisational measures, insofar as this is possible) to respond to requests from Data Subjects exercising their rights under applicable Data Protection Law. Where a Data Subject contacts GetAiVIS directly in respect of the Customer's data, GetAiVIS will forward the request to the Customer without undue delay.
9. Personal data breach
GetAiVIS will notify the Customer without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data Breach affecting the Customer's data. The notification will include, to the extent known: the nature and scope of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address it.
10. Data Protection Impact Assessments
GetAiVIS will provide reasonable assistance to the Customer with any data protection impact assessments and prior consultations with supervisory authorities that the Customer is required to perform.
11. Return or deletion of Personal Data
On termination or expiry of the Customer's subscription, GetAiVIS will — at the Customer's choice — delete or return all Personal Data processed on behalf of the Customer, and delete existing copies, unless applicable law requires continued storage (for example, billing records required by tax authorities). Deletion of account data occurs within 30 days of cancellation; billing records are retained for 5 years to comply with UAE Federal Tax Authority requirements.
12. Audits
GetAiVIS will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA. Given GetAiVIS's small size, on-site audits are not practical; instead, GetAiVIS will respond in good faith to reasonable security questionnaires and will provide relevant documentation (this DPA, the Privacy Policy, the Security page, the Subprocessors page, and answers to specific written questions) no more than once per year unless an incident or regulatory requirement justifies additional review.
13. International transfers
Where the provision of the service involves the transfer of Personal Data outside the UAE, UK, or EEA, such transfers are made in reliance on: (a) EU Standard Contractual Clauses (2021), which are incorporated into this DPA by reference where the Customer is located in the EEA; (b) the UK International Data Transfer Agreement or the UK Addendum to the SCCs, where the Customer is located in the UK; (c) EU-US Data Privacy Framework certification for US vendors that participate; or (d) other lawful transfer mechanisms available under applicable law. The Customer authorises these transfers.
14. Liability
The liability of each party under or in connection with this DPA (and any claims brought by the other party under or in connection with this DPA) is subject to the limitations and exclusions of liability set out in the Terms of Service.
15. Governing law
This DPA is governed by the same law and jurisdiction clause as the Terms of Service (the federal laws of the United Arab Emirates), save that where the Customer is established in the EEA and mandatory local law applies, the law of the Customer's establishment will apply to the extent required by that mandatory law.
16. Order of precedence
In the event of a conflict between this DPA and the Terms of Service in relation to the processing of Personal Data, this DPA prevails. In the event of a conflict between this DPA and any applicable standard contractual clauses, the standard contractual clauses prevail.
17. Execution
This DPA takes effect automatically when the Customer accepts the Terms of Service and uses the service for any processing of Personal Data, without the need for a signature. A countersigned PDF version is available on request at legal@getaivis.ai for customers whose internal procurement processes require one.