GDPR · UK-GDPR Art. 28

Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the agreement between Diligio (“Processor”) and the customer (“Controller”) for use of the Diligio platform (the “Services”). It governs the processing of personal data that Diligio carries out on the Controller’s behalf and reflects the requirements of Article 28 of the EU GDPR and the UK GDPR. It applies for as long as Diligio processes personal data on the Controller’s behalf.

Version 1.1
Effective 11 June 2026
A countersigned copy is available on request: privacy@diligio.co

1. Definitions & Roles

“Data Protection Laws” means all laws applicable to the processing of Personal Data under this DPA, including the EU General Data Protection Regulation (2016/679) (“EU GDPR”), the UK GDPR and Data Protection Act 2018, and, where applicable, US state privacy laws.

The terms “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, “Sub-processor” and “Personal Data Breach” have the meanings given in the Data Protection Laws.

The Controller (the customer) determines the purposes and means of processing. Diligio acts as Processor (or, under US state privacy laws, as a “service provider”) and processes Personal Data only on the Controller’s documented instructions, including those set out in this DPA and the underlying Terms of Service.

2. Scope, Nature & Purpose of Processing

Diligio processes Personal Data only as necessary to provide the Services, namely the ingestion of customer documents and questionnaires, AI-assisted drafting and verification of answers, collaboration and review workflows, and export of completed responses. The subject matter, duration, types of Personal Data and categories of Data Subjects are described in Annex I below.

Diligio will not process Personal Data for any purpose other than performing the Services and complying with the law. Diligio will not sell or share Personal Data, and customer content is never used to train AI foundational models.

3. Processor Obligations

  • Process Personal Data only on the Controller’s documented instructions, including for international transfers, unless required to do otherwise by law (in which case Diligio will notify the Controller before processing unless legally prohibited).
  • Ensure that personnel authorised to process Personal Data are bound by confidentiality obligations and are subject to least-privilege access.
  • Implement and maintain the technical and organisational security measures described in Annex II and the Infrastructure & Data Security Policy.
  • Promptly inform the Controller if, in Diligio’s opinion, an instruction infringes the Data Protection Laws.

4. Controller Responsibilities

The Controller warrants and undertakes that it will:

  • have a valid legal basis for the processing it instructs, and have provided all notices and obtained all consents required under the Data Protection Laws;
  • ensure its instructions to Diligio are lawful and will not cause Diligio to breach the Data Protection Laws;
  • be responsible for the accuracy, quality and legality of the Personal Data it provides and the means by which it acquired that data; and
  • not upload special-category data, or data relating to children, unless strictly necessary, lawful, and notified to Diligio in advance.

5. Sub-processors

The Controller provides general written authorisation for Diligio to engage Sub-processors to support the Services. A current list of Sub-processors, including the processing they perform and their location, is maintained at diligio.co/legal/subprocessors.

Diligio imposes data protection obligations on each Sub-processor by written contract that are no less protective than those in this DPA, and remains fully liable to the Controller for each Sub-processor’s performance. Diligio will give the Controller reasonable prior notice of any intended addition or replacement of a Sub-processor (Controllers may subscribe to change notifications via the Sub-processor page).

The Controller may object, on reasonable data-protection grounds, within 30 days of notice. The parties will work in good faith to resolve the objection; if they cannot, the Controller may suspend or terminate the affected part of the Services without penalty as its sole remedy.

6. Data Subject Rights & Assistance

Taking into account the nature of the processing, Diligio will assist the Controller by appropriate technical and organisational measures, insofar as possible, in responding to requests from Data Subjects exercising their rights (access, rectification, erasure, restriction, portability and objection). Where Diligio receives such a request directly, it will promptly forward it to the Controller and will not respond except on the Controller’s instructions.

Diligio will also provide reasonable assistance to the Controller with its obligations regarding the security of processing, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the information available to Diligio.

7. Personal Data Breach Notification

Diligio will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting the Controller’s Personal Data. The notification will describe, to the extent then known, the nature of the breach, the likely consequences, and the measures taken or proposed to address it, so that the Controller can meet its own notification obligations. Diligio will provide reasonable assistance with the Controller’s investigation and remediation. Such notification is not, and will not be construed as, an acknowledgement of fault or liability.

8. International Transfers

Where providing the Services involves transferring Personal Data outside the UK or EEA (for example to AI inference or email Sub-processors), Diligio ensures an appropriate transfer mechanism is in place: the European Commission’s Standard Contractual Clauses (Module Two: Controller-to-Processor) and/or the UK International Data Transfer Addendum to those Clauses (the “UK Addendum”), together with any supplementary measures required, so that transferred data receives a level of protection essentially equivalent to that guaranteed under the Data Protection Laws.

9. Return & Deletion of Data

On termination or expiry of the Services, and at the Controller’s choice, Diligio will return or delete all Personal Data processed on the Controller’s behalf and delete existing copies, unless retention is required by law. Backups containing Personal Data are retained for disaster-recovery purposes and purged on their ordinary rotation cycle, in any event within 30 days. The Controller may also export its data at any time during the term using the in-product export tools.

10. Aggregated & De-identified Data

Diligio may generate and use aggregated, anonymised and de-identified data derived from the processing for the purposes of operating, securing, analysing and improving the Services, provided that such data does not, and cannot reasonably be used to, identify the Controller, any Data Subject, or any of the Controller’s content. For the avoidance of doubt, this does not include using Controller content to train third-party foundational AI models, which Diligio does not do.

11. US State Privacy Laws

To the extent US state privacy laws (such as the California Consumer Privacy Act, as amended) apply, Diligio acts as a “service provider” (or “processor”) and will: (a) process Personal Data only to provide the Services or as otherwise permitted by those laws; (b) not “sell” or “share” Personal Data, and not retain, use or disclose it outside the direct business relationship or for any purpose other than the Services; and (c) not combine it with data from other sources except as permitted. Diligio certifies that it understands and will comply with these restrictions.

12. Audits & Information

Diligio will make available to the Controller all information reasonably necessary to demonstrate compliance with Article 28, and will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates, on reasonable prior notice and no more than once per year (or following a Personal Data Breach). To minimise disruption, Diligio may satisfy audit requests by providing its security documentation, completed security questionnaires, and (once available) third-party attestations such as SOC 2 and ISO 27001.

13. Liability & Order of Precedence

This DPA is incorporated into and subject to the Diligio Terms of Service. In the event of a conflict, this DPA prevails over the Terms of Service in respect of the processing of Personal Data; and where the Standard Contractual Clauses apply, they prevail over this DPA to the extent of any conflict. Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the Terms of Service; nothing in this DPA excludes or limits liability in a way not permitted by the Data Protection Laws.

Annex I: Details of Processing

Subject matter: Provision of the Diligio questionnaire, DDQ and RFP automation platform.

Duration: For the term of the agreement, plus the deletion period in Section 9.

Nature & purpose: Storage, indexing, AI-assisted drafting and verification, collaboration, review and export of customer-provided content.

Categories of Data Subjects: The Controller’s authorised users (employees / contributors) and any individuals referenced within content the Controller uploads.

Types of Personal Data: Account & identity data (name, work email, role); usage and audit metadata (IP address, timestamps, user agent); and any Personal Data the Controller chooses to include in uploaded documents, questionnaires or knowledge-base entries.

Special category data: Not required by the Services. Controllers should not upload special-category data unless strictly necessary and lawful (see Section 4).

Frequency: Continuous, for the duration of the agreement.

Annex II: Technical & Organisational Measures

Diligio maintains the security measures described in its Infrastructure & Data Security Policy, including: encryption at rest (AES-256) and in transit (TLS 1.2+); per-tenant isolation enforced by PostgreSQL Row-Level Security; role-based access control; append-only audit logging of sensitive operations; least-privilege access to production; continuous dependency and vulnerability monitoring; and a documented responsible-disclosure process. These measures may be updated over time provided the level of protection is not materially reduced.

Annex III: Sub-processors

The current list of authorised Sub-processors is maintained at diligio.co/legal/subprocessors.

To execute a countersigned copy of this DPA, or for any data-protection enquiry, contact privacy@diligio.co. This page describes Diligio’s standard processing terms; a negotiated DPA agreed in writing between the parties will govern where one is in place.