Data Processing Agreement

1. Parties

This Data Processing Agreement (“DPA”) forms part of, and is subject to, the agreement under which Simplification Technologies Inc. (“Processor”) provides the ARIA Platform to the customer organisation that has accepted this DPA (“Controller”). It applies whenever Processor processes Personal Data on Controller’s behalf.

2. Definitions

Capitalised terms not defined here have the meanings given in the Terms of Service, the Privacy Policy, GDPR (Regulation (EU) 2016/679), and UK GDPR.

“Personal Data” means personal data, as defined by GDPR / UK GDPR / PIPEDA / the CCPA, that Processor processes on Controller’s behalf in connection with the ARIA Platform.
“Subprocessor” means a third party engaged by Processor to process Personal Data on Controller’s behalf.
“Standard Contractual Clauses” or “SCCs” means the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

3. Subject matter, duration, nature, and purpose

Subject matter: Provision of the ARIA Platform.
Duration: For the term of the underlying agreement and for the post-termination period required by the Privacy Policy.
Nature and purpose: Processing Personal Data to (a) operate the ARIA Platform on Controller’s instructions, (b) prevent or address service or technical problems, (c) comply with law, and (d) produce de-identified, aggregated statistics.
Categories of Personal Data: Contact information, account information, message content (including any Personal Data Controller’s end users embed in their messages), audit logs, and any further category Controller chooses to submit.
Categories of data subjects: Controller’s personnel, customers, prospects, end users, and any other individual whose Personal Data Controller submits.

4. Processor obligations (GDPR Art. 28)

Processor will:

process Personal Data only on documented instructions from Controller, including with regard to transfers, unless required to do otherwise by Union or Member State law (in which case Processor will inform Controller of that legal requirement before processing unless prohibited from doing so);
ensure that personnel authorised to process Personal Data are bound by confidentiality;
implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the measures described in Annex II below and on the Security Practices page;
engage Subprocessors only in accordance with Section 6 below;
taking into account the nature of the processing, assist Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling Controller’s obligation to respond to Data Subject Requests under GDPR Chapter III;
assist Controller in ensuring compliance with the obligations pursuant to GDPR Articles 32 to 36, taking into account the nature of processing and the information available;
at the choice of Controller, delete or return all Personal Data after the end of the provision of services and delete existing copies, unless storage is required by Union or Member State law; and
make available to Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28 and allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller, subject to Section 8.

5. Security measures

Processor implements the technical and organisational measures described on the Security Practices page, which are incorporated into this DPA by reference and form Annex II for SCC purposes. Highlights:

encryption in transit (TLS 1.2+) and at rest (AES-256);
PostgreSQL Row-Level Security ENABLE+FORCE on every table; cross-tenant data leak is architecturally impossible by design;
RFC 6238 TOTP two-factor authentication; backup codes hashed with SHA-256 and protected by a partial unique index;
append-only audit log protected by PostgreSQL triggers; per-org audit-log streaming on the Enterprise tier;
three-layer privacy floor on collective memory aggregations (cohort < 5 → no write);
EU AI Act Article 13 audit envelope on identity synthesis;
BYOK so regulated data does not leave Controller’s elected LLM tier.

6. Subprocessors

Controller authorises Processor to engage Subprocessors to process Personal Data on Controller’s behalf, subject to the conditions below. The current list of Subprocessors is published below and at trust.simplification.io/subprocessors. Both surfaces read from the same canonical source (apps/landing/data/subprocessors.json) so this list stays accurate without a redeploy of this page.

Processor will provide Controller at least thirty (30) days’ prior notice of any addition or replacement of a Subprocessor. Controller may reasonably object on data-protection grounds within that window; if a workable alternative is not available, Controller may terminate the affected service for convenience without penalty.

Processor remains liable to Controller for the performance of every Subprocessor’s data-protection obligations under this DPA.

Current Subprocessors (auto-generated; updated 2026-05-05)

Infrastructure

Vendor	Purpose	Headquarters	Processing locations	Transfer mechanism
Vercel Inc.	Front-end application hosting (Next.js apps: landing, customer SPA, admin, trust-center)	United States	United States · European Union · Canada	EU SCCs + UK IDTA + Canadian PIPEDA-aligned DPA
Railway Corp.	Back-end application hosting (FastAPI API, Celery workers, scheduled jobs)	United States	United States	EU SCCs + UK IDTA
Cloudflare, Inc.	DNS, edge caching, DDoS protection for public landing + trust-center surfaces	United States	Distributed global edge	EU SCCs + UK IDTA

Data store

Vendor	Purpose	Headquarters	Processing locations	Transfer mechanism
PostgreSQL (managed via Railway / customer-elected region on Enterprise)	Primary relational data store (multi-tenant with PostgreSQL Row-Level Security on every table)	United States (managed); Canada / EU / AU available on Enterprise	Customer-elected region on Enterprise tier	EU SCCs + Canadian PIPEDA-aligned DPA (region-dependent)
Redis (managed via Railway / customer-elected region on Enterprise)	Ephemeral cache + Celery task queue + session state	United States (managed)	Customer-elected region on Enterprise tier	EU SCCs
Qdrant (managed cluster / self-hosted on Enterprise)	Vector store for retrieval-augmented generation (knowledge-base chunks + memory embeddings)	Germany	European Union (default) · Customer-elected region on Enterprise	GDPR-native (EU-based)

Authentication

Vendor	Purpose	Headquarters	Processing locations	Transfer mechanism
Supabase Inc.	Authentication (email + magic-link + OAuth) and password hashing	United States	European Union · United States	EU SCCs

AI provider

Vendor	Purpose	Headquarters	Processing locations	Transfer mechanism
Anthropic, PBC	Large language model inference (Claude family). Used by default LLM router; bypassed when customer brings their own key (BYOK).	United States	United States	EU SCCs + zero-data-retention enterprise terms (data not used to train)
OpenAI, L.L.C.	Large language model inference (GPT family) and embeddings. Used by default LLM router; bypassed when customer brings their own key (BYOK).	United States	United States	EU SCCs + zero-data-retention enterprise terms (data not used to train)
Mistral AI SAS	Large language model inference (Mistral family). Used by default LLM router; bypassed when customer brings their own key (BYOK).	France	European Union	GDPR-native (EU-based)

Billing

Vendor	Purpose	Headquarters	Processing locations	Transfer mechanism
Stripe, Inc.	Payment processing for Starter / Pro / Agency tier billing. ARIA never stores card numbers; tokenisation happens in Stripe iframes.	United States	United States · Ireland	EU SCCs + PCI-DSS Level 1

Channel adapter

Vendor	Purpose	Headquarters	Processing locations	Transfer mechanism
WhatsApp Cloud API (Meta Platforms, Inc.)	Channel adapter for WhatsApp Business messaging. Only invoked for customers who connect WhatsApp.	United States / Ireland	European Union · United States	EU SCCs
Telegram FZ-LLC	Channel adapter for Telegram Bot API. Only invoked for customers who connect Telegram.	United Arab Emirates	Distributed (Telegram-managed)	Telegram Bot Terms of Service

Communications

Vendor	Purpose	Headquarters	Processing locations	Transfer mechanism
Resend, Inc.	Transactional email delivery (sign-up, magic links, account-deletion confirmation, DSAR fulfilment, billing receipts)	United States	United States	EU SCCs

7. International transfers

To the extent that the processing of Personal Data under this DPA involves a transfer of Personal Data subject to GDPR or UK GDPR to a country that has not received an adequacy decision by the European Commission or the UK Information Commissioner, Processor and any recipient Subprocessor enter into the Standard Contractual Clauses, which are incorporated into this DPA by reference. The relevant modules are:

Module Two (Controller-to-Processor) for transfers from Controller to Processor;
Module Three (Processor-to-Processor) for transfers from Processor to a Subprocessor outside the EEA.

For UK transfers, the UK International Data Transfer Addendum (issued by the Information Commissioner under section 119A of the Data Protection Act 2018) is incorporated into the SCCs.

For Swiss transfers, the SCCs apply with the modifications set out by the Swiss Federal Data Protection and Information Commissioner.

8. Audits

Once per twelve-month period, on at least sixty (60) days’ written notice, Controller (or an independent auditor mandated by Controller and not a competitor of Processor) may audit Processor’s compliance with this DPA at Processor’s premises during normal business hours, subject to confidentiality undertakings and Processor’s reasonable security and operational requirements. Audit costs are borne by Controller unless the audit identifies a material breach by Processor, in which case Processor will reimburse reasonable audit costs.

Processor will satisfy reasonable audit requests by providing the most recent SOC 2 report (when available), penetration test summaries, and the Article 30 records of processing. Customers may rely on these reports in lieu of an on-site audit.

9. Data Subject Requests

Processor will, taking into account the nature of the processing, assist Controller by appropriate technical and organisational measures in fulfilling Controller’s obligations to respond to requests for exercising data-subject rights. The DSAR self-serve form at trust.simplification.io/dsar and the per-organisation Settings → Data export endpoint are made available to Controller for this purpose.

10. Personal Data breach notification

Processor will notify Controller without undue delay after becoming aware of a Personal Data breach affecting Controller’s Personal Data and, where required by law, within seventy-two (72) hours of becoming aware. The notice will include, to the extent available, the information required by GDPR Article 33(3).

11. Deletion or return of Personal Data

On termination of the underlying agreement, Controller may export Personal Data through the self-serve export tools in Settings. Processor will, on written request received within thirty (30) days of termination, provide a one-time export. After that period, Processor may delete Personal Data, except where retention is required by Union or Member State law (in which case Processor will continue to ensure the confidentiality of the retained Personal Data).

12. Cooperation with authorities

If Processor receives a legally binding request to disclose Personal Data, Processor will, to the extent legally permitted, notify Controller and use reasonable efforts to challenge or limit the request. Processor will keep records of any such request and make them available to Controller on request.