Data Processing Addendum
Contractual terms governing how aimp.dev processes personal data on behalf of business customers.
Last updated: July 2026
1. Parties and Scope
This Data Processing Addendum ("DPA") forms part of the agreement between the business customer ("Customer", "Controller") and aimpworks ltd ("Processor") for use of aimp.dev. It applies where Data Protection Laws require a written data processing agreement, including UK GDPR, EU GDPR, and applicable US state privacy laws.
This DPA applies to personal data processed by us on Customer's behalf through the Service, including workflow data, connected integrations, and document signing recipient data.
2. Definitions
- "Personal Data" means information relating to an identified or identifiable natural person.
- "Customer Personal Data" means Personal Data processed by us on Customer's behalf through the Service.
- "Subprocessor" means a third party engaged by us to process Customer Personal Data.
- "Data Protection Laws" means applicable privacy and data protection legislation.
3. Roles
- Customer is the Controller (or Business) for Customer Personal Data.
- We act as Processor (or Service Provider) except where we determine purposes and means independently, in which case we act as Controller for those limited activities (e.g., billing, fraud prevention, account administration).
4. Processing Instructions
We will process Customer Personal Data only on documented instructions from Customer, including: (a) the Terms of Service and this DPA; (b) Customer configuration of the Service; and (c) documented support requests. We may refuse instructions that violate Data Protection Laws.
5. Security Measures
- Encryption in transit and at rest where appropriate.
- Access controls, authentication, and least-privilege access.
- Monitoring, logging, and incident detection.
- Business continuity and backup controls.
- Personnel confidentiality obligations.
6. Subprocessors
Customer grants general authorization for us to engage Subprocessors listed by category in our Subprocessor List. Specific vendor names are available to business customers on written request. We will impose data protection obligations on Subprocessors and remain responsible for their performance. We will notify Customer of new Subprocessors and provide a reasonable opportunity to object on documented reasonable grounds.
7. Data Subject Requests
We will provide reasonable assistance to Customer in responding to data subject requests (access, correction, deletion, restriction, portability, objection) using available Service functionality or support channels.
8. Personal Data Breach Notification
We will notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer Personal Data, and provide information reasonably available about the nature of the breach, categories of data affected, likely consequences, and remediation steps.
9. Return and Deletion
Upon termination of the Service or upon Customer request, we will delete or return Customer Personal Data within a reasonable period, except where retention is required by law or permitted under our retention policy.
10. International Transfers
Where Customer Personal Data is transferred outside the UK or EEA, we will implement appropriate safeguards such as UK International Data Transfer Agreement, EU Standard Contractual Clauses, or other mechanisms recognized by applicable law.
11. Customer Obligations
- Ensure a lawful basis and required notices for all Personal Data submitted to the Service.
- Configure retention, access, and sending settings appropriately.
- Not submit special-category data unless permitted and configured in writing.
- Ensure document campaigns and marketing communications comply with applicable law.
- Obtain required consents from recipients and connected account holders.
12. Audit and Cooperation
Upon reasonable written request, we will provide information necessary to demonstrate compliance with this DPA and allow audits subject to confidentiality, security, and frequency limits.
13. Conflict
If this DPA conflicts with the Terms of Service regarding processing of Customer Personal Data, this DPA prevails to the extent of the conflict.
14. Contact
DPA inquiries: privacy@aimp.dev.