This Data Processing Agreement ("DPA") forms part of the agreement between Ingecta Inc. ("Datatera.ai", "we", "us") and the customer ("Controller", "you") for the use of Datatera.ai services.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection laws including the GDPR.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Sub-processor" means any third party engaged by Datatera.ai to process Personal Data on behalf of the Controller.
- "Data Subject" means the individual to whom Personal Data relates.
2. Scope and purpose of processing
Datatera.ai processes Personal Data solely to provide its document extraction, data transformation, and analytics services as described in the main service agreement. The types of Personal Data processed depend on the documents uploaded by the Controller and may include:
- Names, addresses, and contact information contained in uploaded documents
- Financial data (invoices, transaction records)
- Business registration data (company records, tax identifiers)
- Any other data categories present in documents submitted for processing
3. Obligations of Datatera.ai as Processor
Datatera.ai shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption in transit (TLS 1.2+) and at rest (AES-256)
- Not engage another processor without prior written authorization of the Controller
- Assist the Controller in fulfilling its obligations to respond to Data Subject requests
- Delete or return all Personal Data to the Controller after the end of the provision of services, at the Controller's choice
- Make available to the Controller all information necessary to demonstrate compliance with this DPA
4. Sub-processors
Datatera.ai uses the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Cloud infrastructure and hosting | Germany / Finland |
| Stripe, Inc. | Payment processing | United States |
| OpenAI, Inc. | LLM processing (optional, only when self-hosted models are not used) | United States |
| Google LLC | Google Sheets export (only if enabled by Controller) | United States |
The Controller will be notified of any intended changes to sub-processors, giving the Controller the opportunity to object.
5. International data transfers
Where Personal Data is transferred outside of the European Economic Area (EEA), Datatera.ai ensures that appropriate safeguards are in place in accordance with Chapter V of the GDPR. These safeguards include:
- Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914)
- On-premise deployment option for Controllers requiring that no data leaves their jurisdiction
- Private VPC deployment in the Controller's preferred cloud region
6. Data security measures
Datatera.ai implements the following technical and organizational measures:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access control (RBAC) with least-privilege principle
- Single Sign-On (SSO) and Multi-Factor Authentication (MFA) support
- Comprehensive immutable audit logging of all data access and processing
- Isolated development, staging, and production environments
- Data deletion within 30 days of account cancellation or deletion request
- Regular security assessments and vulnerability scanning
7. Data breach notification
In the event of a Personal Data breach, Datatera.ai shall notify the Controller without undue delay and in any case within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.
8. Data retention and deletion
Upon termination of the service agreement, Datatera.ai will delete all Personal Data within 30 days unless retention is required by applicable law. The Controller may request return of their data in a machine-readable format before deletion. For customers using the processing-without-storage mode, documents are processed in memory and not persisted to disk.
9. Data Protection Officer
For questions about this DPA, data protection inquiries, or to exercise data subject rights, contact our Data Protection Officer:
Email: dpo@datatera.ai
10. How to execute this DPA
To execute this DPA, contact us at dpo@datatera.ai with your company name and the name and email of your authorized signatory. We will send you a countersigned copy for your records.