Effective Date: September 14, 2025
Last Updated: September 14, 2025
This Data Processing Agreement (“DPA”) is entered into by and between EffortlessAI, LLC (“EffortlessAI” or “Processor”) and the customer entity agreeing to the EffortlessAI Terms and Conditions (the “Agreement”) (“Controller”). This DPA forms part of the Agreement and governs EffortlessAI’s Processing of Personal Data on behalf of the Controller.
- Definitions
“Personal Data” means any information relating to an identified or identifiable natural person.
“Processing” has the meaning set out in GDPR Article 4(2).
“Personal Data Breach” has the meaning set out in GDPR Article 4(12): a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
“Applicable Data Protection Laws” means all laws governing data protection, privacy, or security applicable to the Processing, including GDPR, UK GDPR, and CCPA/CPRA.
“Sub-processor” means any third party engaged by EffortlessAI to Process Personal Data on behalf of the Controller.
- Roles of the Parties
2.1 Controller. Controller determines the purposes and means of Processing.
2.2 Processor. EffortlessAI acts as Processor and shall process Personal Data only on documented instructions from Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required otherwise by law. If Processing is required by law, EffortlessAI shall inform the Controller before Processing, unless legally prohibited.
2.3 Unlawful Instructions
If EffortlessAI believes that an instruction infringes Applicable Data Protection Laws, it will promptly notify the Controller and may decline to carry out such instruction until it has been modified to comply with Applicable Data Protection Laws.
- Obligations of Processor
EffortlessAI shall: (a) process Personal Data only for the purposes of providing the Service; (b) ensure persons authorized to process data are subject to confidentiality; (c) implement technical and organizational measures required by GDPR Article 32; (d) assist Controller, at Controller’s expense, in responding to data subject rights requests; (e) notify Controller without undue delay of a Personal Data Breach; and (f) make available information necessary to demonstrate compliance and allow for audits in accordance with Section 7.
EffortlessAI shall provide reasonable assistance, at Controller’s expense, with data protection impact assessments and prior consultations with supervisory authorities related to the Processing of Personal Data.
EffortlessAI maintains records of its processing activities and imposes on its Sub-processors data protection obligations no less protective than those set out in this DPA.
3.1 Security Incidents. Processor shall notify Controller without undue delay and in any event within seventy-two (72) hours after becoming aware of a Personal Data Breach and will provide updates reasonably necessary for Controller’s notifications to authorities or data subjects.
- Sub-processors
EffortlessAI may engage Sub-processors. A current list is maintained at https://effortlessai.com/legal/sub-processors. EffortlessAI shall provide advance notice of any intended addition or replacement of a Sub-processor. Controller may object to such changes on reasonable grounds; if the objection is not resolved, Controller may terminate the affected Services.
- International Transfers
Where Personal Data is transferred outside the EEA, UK, or other jurisdictions requiring safeguards, EffortlessAI shall ensure lawful transfer mechanisms are in place, including the EU Standard Contractual Clauses (SCCs) (Module 2 (controller-to-processor) or Module 3 (processor-to-processor), as appropriate) and the UK International Data Transfer Addendum (IDTA), or any successor instruments recognized under Applicable Data Protection Laws.
The parties hereby enter into the EU Standard Contractual Clauses (Modules 2 and/or 3) and the UK International Data Transfer Addendum, which are incorporated by reference and completed by Annex I (Details of Processing) and Annex II (Technical and Organizational Measures). In the event of conflict, the Standard Contractual Clauses and/or the Addendum shall control.
- Data Retention and Deletion
Upon termination or expiration of the Services, EffortlessAI shall, at Controller’s choice, delete or return all Personal Data within sixty (60) days, unless a longer retention period is required by Applicable Data Protection Laws. Where Personal Data is returned, Controller is responsible for ensuring secure deletion thereafter.
- Audit Rights
7.1 Standard Audits. Controller may, once annually with thirty (30) days’ notice, audit EffortlessAI’s compliance with this DPA. Audits must be conducted during normal business hours, not unreasonably disrupt operations, and be subject to confidentiality.
7.2 Additional Audits. In the event of a confirmed security incident, suspected material breach, or upon request of a competent supervisory authority, EffortlessAI shall allow additional audits limited to what is reasonably necessary to verify compliance.
7.3 Alternatives. EffortlessAI may satisfy its audit obligations by providing independent third-party audit reports or certifications (e.g., SOC 2 Type II reports or ISO 27001 certifications), and Controller agrees that such reports or certifications will ordinarily satisfy its audit rights under this Section 7. On-site audits are permitted only when reasonably necessary and after Controller has reviewed such reports.
7.4 Audit Costs. Except where audits are mandated by a supervisory authority or required due to EffortlessAI’s material breach, Controller shall bear all reasonable costs and expenses of audits, including EffortlessAI’s internal costs, staff time, and third-party expenses incurred in supporting the audit.
- Liability
Liability under this DPA is subject to the limitations and exclusions set forth in the Terms and Conditions. Nothing in this DPA expands liability beyond what is provided in the Terms.
8A. Breach Liability Allocation
EffortlessAI is responsible for a Personal Data Breach solely to the extent it is caused by EffortlessAI’s failure to comply with this DPA. EffortlessAI shall not be responsible for any Personal Data Breach caused by (a) Controller’s failure to implement appropriate security controls within its own systems; (b) Controller’s instructions, or Controller’s submission of prohibited or unlawful data; or (c) misuse, misconfiguration, or negligent handling of the Services by Controller or its Authorized Users.
- Governing Law
This DPA shall be governed by and construed under the same law and jurisdiction as the Terms and Conditions, unless Applicable Data Protection Laws require otherwise.
- Entire Agreement
This DPA, together with the Terms and Conditions, Privacy Policy, and Cookie Policy, constitutes the entire agreement between the parties regarding data Processing and supersedes all prior agreements.
- Contact
EffortlessAI, LLC — 81 Broadway St., Suite 201, Asheville, NC 28801 • info@effortlessai.com
EXHIBITS AND ANNEXES
Annex I – Details of Processing
- Subject Matter and Duration
The subject matter of the Processing is the provision of the Services as defined in the Agreement. The Processor shall Process Personal Data strictly for the purpose of performing the Services, including hosting, storage, transmission, inference generation, analytics, logging, monitoring, and support. The Processing shall continue for the Subscription Term of the Agreement and for any additional period reasonably necessary to return or delete Personal Data following termination or expiration of the Agreement, unless a longer retention period is required by Applicable Law.
- Nature and Purpose of Processing
The Processor shall Process Personal Data solely as necessary to:
(a) provide, operate, secure, and support the Services;
(b) enable inference generation, scoring, and automated responses requested by the Controller;
(c) provide technical support, account management, billing, and related functions;
(d) perform usage monitoring, logging, fraud detection, and abuse prevention;
(e) maintain and improve the Services, provided that such improvement Processing is limited to aggregated or pseudonymized data where feasible; and
(f) comply with Applicable Law, including responding to lawful requests from public authorities.
- Categories of Data Subjects
The categories of Data Subjects include, without limitation:
(a) individuals who are end users of the Controller’s services or websites and whose Personal Data is submitted to or generated by the Services;
(b) employees, contractors, and representatives of the Controller;
(c) prospects, leads, and business contacts Processed through the Controller’s CRM integrations; and
(d) any other individuals whose Personal Data is included in User Content or otherwise provided to the Processor by or on behalf of the Controller.
- Types of Personal Data
The types of Personal Data include, without limitation:
(a) identifiers such as names, email addresses, telephone numbers, IP addresses, device identifiers, account credentials, and cookie identifiers;
(b) commercial information such as billing addresses, payment information (processed by PCI-compliant payment processors), and subscription details;
(c) internet and network activity such as logs, browsing events, session data, chatbot transcripts, and API calls;
(d) geolocation data derived from IP addresses;
(e) professional or employment-related information, including job title, employer, role, and industry (where voluntarily submitted);
(f) inferences derived from interaction data, including lead scores and AI-generated summaries; and
(g) any other Personal Data that the Controller elects to submit, provided that Special Categories of Personal Data are excluded unless expressly authorized in writing by the Processor with additional safeguards.
The Processor does not require or intentionally collect Special Categories of Personal Data (as defined in Article 9 GDPR). The Controller shall not provide such data unless expressly authorized in writing.
- Sub-Processors
The Processor may engage Sub-Processors in accordance with the Sub-processors section of the DPA. A current list of Sub-Processors engaged by the Processor is made available at https://effortlessai.com/legal/sub-processors. The Processor shall update such list in accordance with its notification obligations and shall remain liable for the acts and omissions of all Sub-Processors as if they were its own.
Annex II – Technical and Organizational Measures
The Processor shall implement and maintain, and shall require its Sub-Processors to implement and maintain, the following technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as required by Article 32 GDPR and other Applicable Data Protection Laws:
- Access Controls
The Processor shall restrict access to Personal Data to authorized personnel with a legitimate business need, enforce role-based access controls, require multi-factor authentication for administrative accounts, and review access rights on a regular basis. Accounts shall be promptly deactivated upon termination or role change.
- Encryption and Data Protection
The Processor shall encrypt all Personal Data in transit using TLS 1.2 or higher and at rest using AES-256 or equivalent standards. Keys shall be generated, stored, and managed securely using industry-standard key management systems. Payment information shall be tokenized and processed solely by PCI DSS-compliant payment processors.
- Application and Network Security
The Processor shall implement firewalls, intrusion detection and prevention systems, DDoS protection, and other network safeguards. The Processor shall conduct regular vulnerability scans and penetration tests, remediate identified issues promptly, and follow secure development lifecycle practices, including code reviews and dependency monitoring. APIs shall require authentication by key or token, and the Processor shall enforce rate limits and throttling to prevent abuse.
- Data Minimization and Retention
The Processor shall limit the Processing of Personal Data to what is necessary for the purposes set forth in Annex I. The Processor shall delete or anonymize Personal Data in accordance with the retention periods specified in the Privacy Policy and upon the Controller’s written request, unless retention is required by Applicable Law.
- Incident Response and Breach Notification
The Processor shall maintain and follow a written incident response plan. In the event of a Personal Data Breach, the Processor shall notify the Controller without undue delay and in any event within seventy-two (72) hours after becoming aware of such breach, and shall provide information reasonably necessary to enable the Controller to meet its legal obligations.
- Business Continuity and Disaster Recovery
The Processor shall maintain redundant infrastructure, perform regular backups, and implement disaster recovery procedures designed to ensure the availability and resilience of Processing systems. The Processor shall test its disaster recovery plan at least annually.
- Personnel and Confidentiality
The Processor shall ensure that all personnel with access to Personal Data are subject to a binding duty of confidentiality and receive regular training on security and data protection obligations. The Processor shall conduct background checks on personnel with privileged access, where permitted by Applicable Law.
- Vendor and Sub-Processor Management
The Processor shall conduct risk-based due diligence on all Sub-Processors and service providers that will Process Personal Data. All Sub-Processors shall be bound by written agreements imposing data protection obligations equivalent to those set out in this DPA. The Processor shall monitor compliance of Sub-Processors on an ongoing basis.
- Audit and Compliance
The Processor shall conduct periodic internal audits of its security, privacy, and compliance practices. The Processor shall provide the Controller with information reasonably necessary to demonstrate compliance with this Annex II and shall permit audits as provided in the DPA. The Processor shall maintain or pursue industry certifications (including SOC 2 Type II or ISO 27001) as appropriate.
- AI-Specific Risk Management
The Processor shall implement risk management procedures tailored to AI systems, including: testing models for bias and fairness; monitoring outputs for accuracy and safety; restricting prohibited uses in line with the Agreement and Applicable Law; and adopting governance frameworks consistent with the NIST AI Risk Management Framework and ISO/IEC 42001 standards.
Exhibit A – U.S. State Privacy Addendum
This Addendum supplements the Agreement and the DPA and applies when and to the extent that Processor Processes Personal Data of residents of California, Colorado, Connecticut, Utah, Texas, or Virginia in the capacity of “service provider,” “contractor,” or “processor” under Applicable U.S. State Privacy Laws.
- Role of the Parties
Controller is the “business” or “controller” and Processor is the “service provider,” “contractor,” or “processor,” as defined under Applicable U.S. State Privacy Laws.
- Processing on Instructions
Processor shall Process Personal Data only on documented instructions from Controller and solely for the business purposes specified in the Agreement, the DPA, and Annex I.
- Confidentiality
Processor shall ensure that each person authorized to Process Personal Data is subject to a duty of confidentiality with respect to such data.
- Security Measures
Processor shall implement and maintain the technical and organizational measures described in Annex II to protect Personal Data.
- Sub-Processors
Processor shall not engage any Sub-Processor without:
(a) ensuring such Sub-Processor is bound by a written contract imposing materially the same obligations as this Addendum; and
(b) remaining liable for the Sub-Processor’s performance.
Controller authorizes the Sub-Processors listed at https://effortlessai.com/legal/sub-processors, subject to the change notification mechanism in the DPA.
- Data Subject Requests
Processor shall provide reasonable assistance to Controller in responding to verified consumer requests under Applicable U.S. State Privacy Laws, including access, correction, deletion, portability, and opt-out requests.
- Sale and Sharing
Processor shall not:
(a) sell Personal Data;
(b) share Personal Data for cross-context behavioral advertising; or
(c) Process Personal Data for targeted advertising or profiling except as expressly authorized by Controller.
- Deletion and Return
Upon termination of the Services, Processor shall delete or return all Personal Data as directed by Controller, unless retention is required by law.
- Assessments and Audits
Processor shall make available information reasonably necessary to demonstrate compliance with this Addendum and shall permit audits as provided in the DPA.
- Notification
Processor shall notify Controller if it determines it can no longer meet its obligations under Applicable U.S. State Privacy Laws.