Data Processing Agreement

Last updated: January 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Eisberg.ai and the Customer.

1. Purpose and Scope

This DPA establishes the data protection obligations of Eisberg.ai when processing personal data on behalf of the Customer. Each party remains solely responsible for its own compliance with Applicable Data Protection Laws.

2. Definitions

  • Applicable Data Protection Laws: All EU and relevant legislation protecting personal data, including GDPR, UK GDPR, CCPA, and other privacy laws.
  • Customer Personal Data: Any personal data processed by Eisberg.ai on behalf of the Customer.
  • Data Subject: An individual whose personal data is processed.
  • Processing: Any operation performed on personal data, including collection, storage, use, or deletion.

3. Data Processing

Eisberg.ai shall process Customer Personal Data only:

  • On documented instructions from the Customer
  • For the purpose of providing the Services
  • In compliance with applicable data protection laws
  • With appropriate technical and organizational security measures

4. Security Measures

Eisberg.ai implements appropriate administrative, physical, technical, and organizational security measures to protect personal data against unauthorized access, loss, or destruction. We maintain SOC 2 Type II and ISO 27001 accreditations.

5. Data Breach Notification

Eisberg.ai will inform the Customer without undue delay after confirming a personal data breach. We will investigate the breach, identify root causes, and provide detailed reports as information becomes available.

6. International Data Transfers

Transfers of personal data to third countries are made pursuant to EU Standard Contractual Clauses or other appropriate safeguards as required by applicable data protection laws.

7. AI and Machine Learning

Eisberg.ai shall not use Customer Personal Data for training, retraining, or developing AI or machine learning models. Customer data is processed solely for providing, maintaining, and supporting the Services.

8. Data Retention and Deletion

Upon termination of the Agreement, Eisberg.ai will return or delete all Customer Personal Data within 30 calendar days, unless applicable laws require retention. Customers may request specific data return or deletion instructions.

9. Customer Obligations

The Customer confirms that it:

  • Has the right to provide Customer Personal Data to Eisberg.ai
  • Has obtained necessary consents from data subjects
  • Complies with all applicable data protection laws
  • Will not provide sensitive personal data (health, financial, biometric) unless specifically agreed

10. Contact

For questions about this DPA or our data processing practices, please contact our Data Protection Officer at dpo@eisberg.ai.