Data Processing Agreement (DPA)
This document governs your use of The AI Lab's services and platforms. Please read it carefully.
1. Scope and Purpose
This Data Processing Agreement ("DPA") is entered into between The AI Lab ("Data Processor") and the customer entity ("Data Controller") in connection with The Global Seal of Trust™ and/or AI Trust Council™ services. This DPA forms part of the main service agreement. In the event of conflict regarding data protection, this DPA shall prevail.
2. Nature and Purpose of Processing
The AI Lab processes Personal Data solely to provide contracted services, including conducting AI asset certification audits; managing AI Trust Council™ membership accounts; maintaining the AI Trust Registry™ public listing; and communicating regarding service delivery, audit status, and renewal.
3. Data Controller Obligations
The Data Controller warrants that it has a lawful basis for providing Personal Data; it has informed data subjects as required by applicable law; it has obtained all necessary consents; and it will promptly notify The AI Lab of changes affecting the processing.
4. Data Processor Obligations
The AI Lab as Data Processor shall process Personal Data only on documented instructions from the Data Controller; ensure that authorised personnel are subject to confidentiality obligations; implement appropriate technical and organizational security measures; assist the Data Controller in fulfilling data subject rights requests; delete or return all Personal Data upon termination; and notify the Data Controller within 72 hours of a Personal Data breach.
5. Security Measures
The AI Lab implements and maintains: encryption of Personal Data at rest and in transit (AES-256 and TLS 1.3); access controls and role-based permissions; regular security assessments and penetration testing; incident response procedures and business continuity planning; and staff training on data protection and security practices.
6. Sub-processors
The AI Lab will notify the Data Controller of sub-processor changes with at least 14 days' notice. The Data Controller may object within this period. All sub-processors are bound by equivalent data protection obligations.
7. International Transfers
Where Personal Data is transferred outside the EEA, The AI Lab shall ensure adequate safeguards are in place, including EU Standard Contractual Clauses where required.
8. Term and Termination
This DPA remains in effect for the duration of the service agreement. Upon termination, The AI Lab shall, at the Data Controller's election, delete or return all Personal Data within 30 days and provide written certification of deletion.
Questions about this document?
Contact our legal team: info@theailab.org | The AI Lab, 131 Continental Dr, Suite 305, Newark, DE 19713 US
Contact Us ›