Data Processing Agreement (DPA)
Version: 1.0
Last updated: 30 April 2026
Effective date: 30 April 2026
Preamble
This Data Processing Agreement ("DPA") is entered into between:
Data Processor: ai.verest, operated by Tamir Spiegel Ltd, United Kingdom ("Processor", "we", "us")
Data Controller: The entity or individual that has accepted the ai.verest Terms and Conditions and is using the Service ("Controller", "you")
This DPA forms part of and is incorporated into the ai.verest Terms and Conditions. By using the Service, you agree to this DPA.
This DPA applies to the extent that the Processor processes Personal Data on behalf of the Controller in connection with the Service.
Article 1 — Definitions
In this DPA:
"UK GDPR" means the UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018.
"Personal Data" has the meaning given in Article 4(1) UK GDPR: any information relating to an identified or identifiable natural person.
"Processing" has the meaning given in Article 4(2) UK GDPR.
"Data Subject" means a natural person whose Personal Data is processed.
"Controller" means the party who determines the purposes and means of processing Personal Data (the customer).
"Processor" means ai.verest, which processes Personal Data on behalf of the Controller.
"Sub-processor" means any third-party processor engaged by the Processor to carry out processing activities on the Controller's behalf.
"Service" means the ai.verest CRM and AI workforce platform as described in the Terms and Conditions.
"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
"IDTA" means the UK International Data Transfer Agreement issued by the ICO under Section 119A of the Data Protection Act 2018.
Article 2 — Subject Matter and Nature of Processing
Subject matter: The Processor provides a CRM and AI platform through which the Controller uploads and manages Personal Data about the Controller's own contacts, customers, and leads.
Nature of processing: Storage, organisation, retrieval, use (including AI-assisted processing), transmission, and deletion of Personal Data as instructed by the Controller through the Service.
Purpose of processing: To provide the Service features including lead management, AI Agent email generation, task management, calendar, chat, and workspace tools, in accordance with the Controller's instructions.
Duration: For the term of the Controller's subscription plus such further period as is required to securely delete the data in accordance with Article 8.
Article 3 — Categories of Personal Data and Data Subjects
3.1 Categories of Personal Data processed under this DPA:
The Controller determines the categories of data they upload. Typically, this may include:
- Identification data: names, email addresses, phone numbers
- Business data: company names, job titles, professional contact details
- Interaction data: notes, correspondence, activity history
- Any other personal data the Controller chooses to upload into the Service
3.2 Categories of Data Subjects:
- The Controller's customers, leads, and prospects
- The Controller's business contacts
- Any other natural persons whose data the Controller uploads into the Service
3.3 Data the Processor holds about the Controller's own users:
The Controller's end-users (staff, team members) who access the Service are subject to the Processor's own Privacy Policy in its capacity as a data controller. This DPA does not govern that processing.
Article 4 — Controller's Obligations
4.1 The Controller warrants and represents that:
(a) It has a valid lawful basis under UK GDPR Article 6 for each processing activity it instructs the Processor to carry out;
(b) It has provided all necessary privacy notices to Data Subjects whose data is uploaded to the Service;
(c) It will process Personal Data within the Service in compliance with all applicable data protection laws, including UK GDPR;
(d) Where it uses AI Agent features to contact third parties, it has obtained the necessary consent or has a lawful basis for such communications, and complies with PECR and all applicable anti-spam regulations;
(e) It will not upload Special Category Data (as defined in Article 9 UK GDPR) unless expressly agreed in writing with the Processor.
4.2 The Controller acknowledges it is solely responsible for the accuracy, quality, and lawfulness of the Personal Data it uploads.
4.3 The Controller acknowledges that the Processor acts only on the Controller's instructions and that the Processor cannot verify the lawfulness of those instructions.
Article 5 — Processor's Obligations
5.1 Processing on Instructions Only
The Processor shall process Personal Data only on documented instructions from the Controller, as set out in this DPA and through the Controller's use of the Service features.
If the Processor is required to process Personal Data by applicable law, the Processor shall inform the Controller before such processing unless prohibited by law.
5.2 Confidentiality
The Processor shall ensure that persons authorised to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.3 Security
The Processor shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 UK GDPR. Full details are set out in the Security Annex.
5.4 Sub-processors
The Processor shall not engage a Sub-processor for processing the Controller's Personal Data without prior general or specific authorisation from the Controller.
By accepting this DPA, the Controller grants general authorisation to use the Sub-processors listed in Schedule 1 to this DPA.
The Processor shall impose on Sub-processors data protection obligations equivalent to those set out in this DPA. The Processor remains fully liable for Sub-processor performance.
The Processor shall notify the Controller of any intended changes to Sub-processors (additions or replacements) by updating Schedule 1 and notifying via the Service or by email. The Controller may object to changes within 30 days of notification.
5.5 Data Subject Rights
The Processor shall, taking into account the nature of the processing, assist the Controller in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under Chapter III UK GDPR, to the extent reasonably practicable via the Service's existing features. Further assistance requests should be directed to info@aiverest.io.
5.6 Compliance Assistance
The Processor shall assist the Controller in ensuring compliance with its obligations under Articles 32–36 UK GDPR (security, breach notification, data protection impact assessments, prior consultation).
5.7 No Selling or Training
The Processor shall not:
- Sell or monetise the Controller's Personal Data
- Use the Controller's Personal Data (or the personal data of the Controller's contacts) to train, improve, or fine-tune any AI or machine learning model
- Process the Controller's Personal Data for any purpose other than providing the Service
Article 6 — International Transfers
6.1 The Processor may transfer Personal Data outside the UK only where appropriate safeguards are in place as required by Chapter V UK GDPR.
6.2 Transfers to Sub-processors in the US or other non-adequate countries are made pursuant to the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as applicable.
6.3 The Processor maintains signed transfer agreements with all relevant Sub-processors and will provide copies to the Controller on request at info@aiverest.io.
Article 7 — Security Incidents (Data Breaches)
7.1 The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any Security Incident affecting the Controller's Personal Data.
7.2 The notification shall include, to the extent available:
(a) A description of the nature of the Security Incident, including categories and approximate number of Data Subjects and records affected;
(b) The name and contact details of the Processor's data protection contact;
(c) The likely consequences of the Security Incident;
(d) Measures taken or proposed to address the Security Incident, including measures to mitigate its effects.
7.3 Notification shall be sent to the email address on the Controller's Account, unless the Controller has designated an alternative contact at info@aiverest.io.
7.4 The Processor shall maintain a log of all Security Incidents, including those not reportable to the ICO.
7.5 The Controller is responsible for determining whether any Security Incident must be reported to the ICO (within 72 hours) or to Data Subjects, and for making such notifications. The Processor will provide reasonable assistance.
Article 8 — Deletion and Return of Data
8.1 Upon termination of the Controller's subscription or Account, the Processor shall:
(a) Delete all Personal Data of the Controller from live systems instantly;
(b) Delete Personal Data from backup systems within 90 days of termination.
8.2 The Processor shall certify deletion in writing upon request.
8.3 Notwithstanding the above, the Processor may retain certain data where required by applicable law (e.g. billing records for 7 years under UK tax law). Such retained data will be kept secure and not used for any other purpose.
Article 9 — Audit Rights
9.1 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations in Article 28 UK GDPR.
9.2 The Processor shall allow for and contribute to audits and inspections conducted by the Controller or a third-party auditor mandated by the Controller, subject to:
(a) Reasonable advance notice of at least 30 days;
(b) Audit conducted during business hours and in a manner that minimises disruption;
(c) The Controller bearing the cost of any third-party audit;
(d) No more than one audit per calendar year unless a Security Incident has occurred.
9.3 The Processor may require the execution of a non-disclosure agreement before permitting an audit.
Article 10 — Data Protection Impact Assessments
Where a processing activity is likely to result in a high risk to the rights and freedoms of natural persons, the Processor shall provide reasonable assistance to the Controller in conducting a Data Protection Impact Assessment (DPIA) and, if required, prior consultation with the ICO.
Article 11 — Limitation of Liability
The Processor's liability under this DPA is subject to the limitations set out in the Terms and Conditions. Nothing in this DPA excludes liability that cannot be excluded under applicable law.
Article 12 — Precedence
In the event of any conflict between this DPA and the Terms and Conditions, this DPA shall prevail in respect of the processing of Personal Data.
Article 13 — Governing Law
This DPA is governed by the laws of England and Wales. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
Article 14 — Updates
The Processor may update this DPA from time to time. Material changes will be notified to the Controller at least 30 days in advance. Continued use of the Service after the effective date constitutes acceptance of the updated DPA.
Schedule 1 — Approved Sub-processors
| Sub-processor | Entity | Location | Processing Purpose | Transfer Mechanism |
|---|---|---|---|---|
| Supabase | Supabase Inc. | UK (London — AWS eu-west-2) | Database, file storage, real-time features | No transfer — UK region |
| Stripe | Stripe Payments UK Ltd / Stripe Inc. | UK / US | Payment processing and subscription management | UK entity: no transfer; US entity: UK IDTA |
| Kinde | Kinde Pty Ltd | US / AU | Authentication, user identity management | UK IDTA |
| OpenAI | OpenAI Inc. | US | AI content generation (Sales Agent, Marketing Agent) | UK IDTA |
| Hostinger | Hostinger International Ltd | EU / US | Application hosting, CDN, infrastructure | UK IDTA (US) / UK adequacy (EU) |
| Cookiebot | Cybot A/S | EU (Netherlands) | Cookie consent management | UK adequacy (EEA) |
| Simple Analytics | Simple Analytics B.V. | EU (Netherlands) | Privacy-friendly website analytics | UK adequacy (EEA) |
| Apollo.io | Apollo.io Inc. | US | Lead intelligence and contact enrichment (OAuth) | UK IDTA |
| Microsoft OneDrive | Microsoft Corporation | US / EU | Cloud file storage and document integration | UK IDTA (US) / UK adequacy (EU) |
A current, public-facing version of this sub-processor list is maintained at /legal/sub-processors.
The Processor will notify the Controller of any changes to this Schedule in accordance with Article 5.4 of this DPA.
Schedule 2 — Technical and Organisational Security Measures
The Processor's security measures are set out in full in the Security Annex, which is incorporated into this DPA by reference.
Summary:
- All data encrypted in transit (TLS 1.2+) and at rest (AES-256 via Supabase)
- Multi-factor authentication enforced for administrative access
- Role-based access controls limiting staff access to minimum necessary data
- 72-hour breach notification procedure
- Incident response plan with documented escalation procedures
Signing This DPA
This DPA takes effect automatically upon acceptance of the Terms and Conditions. No separate signature is required for standard use of the Service.
Enterprise and whitelabel customers requiring a countersigned DPA for their own compliance purposes may request a signed copy by contacting: info@aiverest.io
We will provide a signed PDF copy within 5 business days.