This Data Processing Agreement ("DPA") forms part of the agreement between BeyondScreen.ai ("Processor", "we", "us") and the entity agreeing to these terms ("Controller", "you", "Customer") for the provision of BeyondScreen.ai services (the "Services"). This DPA applies where and only to the extent that we process Personal Data on your behalf in the course of providing the Services.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by us on your behalf in connection with the Services.
- "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
- "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
- "Data Protection Laws" means the UK GDPR, the EU General Data Protection Regulation (EU 2016/679), and any applicable national implementing legislation.
- "SCCs" means the European Commission's Standard Contractual Clauses for international data transfers.
2. Scope and Roles
You are the Controller of Personal Data. We are the Processor. We process Personal Data solely to provide the Services as described in our Terms of Service and as further documented in your instructions to us.
2.1 Categories of Data
- Account information (email address, profile data)
- User-generated content (messages, conversations, prompts)
- Usage metadata (feature usage, device info, log data)
- Third-party integration data (as authorised by you via OAuth)
2.2 Data Subjects
Customer's end users and any individuals whose Personal Data is submitted to the Services.
3. Processing Obligations
We shall:
- Process Personal Data only on your documented instructions, unless required by law.
- Ensure that persons authorised to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organisational security measures as described in Section 6.
- Assist you in responding to data subject rights requests (access, rectification, erasure, portability, restriction, objection).
- Assist you in meeting your obligations regarding data protection impact assessments and prior consultations with supervisory authorities, where applicable.
- At your choice, delete or return all Personal Data upon termination of the Services, and delete existing copies unless retention is required by law.
- Make available to you all information necessary to demonstrate compliance with this DPA.
4. No Use for Model Training
We do not use Customer Personal Data to train, fine-tune, or improve AI models. Your data is processed solely to fulfil your requests in real time. Our AI provider sub-processors (e.g. Anthropic) similarly do not train on API-tier inputs.
5. Data Residency
Personal Data is processed and stored in the region(s) agreed with the Customer. Available hosting regions are documented at the time of onboarding. Where data is transferred outside the Customer's designated region, we rely on the safeguards described in Section 9 (International Transfers).
6. Security Measures
We implement and maintain the following measures:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256 / AWS KMS).
- Access controls with role-based permissions and multi-factor authentication for infrastructure.
- Regular security monitoring and logging.
- Encryption of sensitive credentials (OAuth tokens, API keys) using AWS KMS or AES at rest.
- Logical tenant isolation — Customer data is ringfenced and not accessible to other customers.
7. Sub-processors
7.1 Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, data storage, email delivery | As configured per Customer |
| Cloudflare | Content delivery, frontend hosting, DDoS protection | Global edge network |
| Anthropic | AI model inference (API tier, no training on inputs) | United States |
| LogRocket | Session analytics (only with user consent) | United States |
7.2 Changes to Sub-processors
We will notify you at least 30 days before engaging a new sub-processor. You may object to a new sub-processor by notifying us in writing within 14 days of receiving notice. If we cannot reasonably accommodate your objection, you may terminate the affected Services.
8. Data Breach Notification
We will notify you without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to mitigate the breach.
9. International Data Transfers
Where Personal Data is transferred outside the UK or EEA to a country not recognised as providing adequate protection, we rely on the European Commission's Standard Contractual Clauses (SCCs), supplemented by additional safeguards where necessary. Copies of the applicable SCCs are available upon request.
10. Audit Rights
You may audit our compliance with this DPA up to once per year, with at least 30 days' written notice. Audits shall be conducted during business hours and shall not unreasonably interfere with our operations. We will provide reasonable cooperation, access to relevant documentation, and access to facilities where Personal Data is processed.
11. Data Subject Rights
We will assist you in fulfilling your obligations to respond to data subject requests under Data Protection Laws. If we receive a request directly from a data subject, we will promptly redirect them to you unless otherwise instructed.
12. Term and Termination
This DPA is effective for the duration of your use of the Services. Upon termination, we will, at your election, delete or return all Personal Data within 30 days, except where retention is required by applicable law.
13. Liability
Liability under this DPA is subject to the limitations set out in the Terms of Service.
14. Governing Law
This DPA is governed by the laws of England and Wales. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
15. Contact
For questions or requests relating to this DPA:
- Email: hello@beyondscreen.ai
- Website: https://beyondscreen.ai