Data Processing Agreement
Last updated:
This Data Processing Agreement ("DPA") is entered into between Nerdic AI ("Processor") and the customer entity that has agreed to the Mother AIOS Terms of Service ("Controller"). It forms part of and is incorporated into the Terms of Service.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person as defined in applicable data protection law, including GDPR Article 4(1). "Processing" has the meaning given in GDPR Article 4(2). "Sub-processor" means any third-party processor engaged by the Processor to carry out processing activities on behalf of the Controller.
2. Data controller
The Controller (the customer) determines the purposes and means of processing personal data uploaded to or generated within the Mother AIOS platform. The Processor acts solely on the documented instructions of the Controller.
3. Categories of data processed
The Processor processes the following categories of personal data on behalf of the Controller:
- End-user account data:names, email addresses, and authentication tokens of the Controller's team members.
- Brand content data: text, images, and structured data submitted by the Controller for AI processing and publishing.
- Platform audience data: anonymised or pseudonymised analytics data retrieved from connected social and advertising platforms, where the Controller has granted the necessary permissions.
- Communication data: email addresses of recipients of campaigns sent via the platform, where provided by the Controller.
4. Purposes and legal basis
Processing is carried out for the purpose of providing the Mother AIOS service as described in the Terms of Service. The legal basis for processing under GDPR is the performance of a contract (Article 6(1)(b)) or compliance with a legal obligation (Article 6(1)(c)) where applicable.
5. Processor obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller, unless required to do so by applicable law.
- Ensure that persons authorised to process personal data are bound by appropriate confidentiality obligations.
- Implement technical and organisational security measures as described in the Security Policy.
- Assist the Controller in responding to data subject rights requests within the timescales required by applicable law.
- Delete or return all personal data upon termination of the agreement, at the Controller's choice.
- Provide all information necessary to demonstrate compliance with the obligations set out in this DPA.
6. Sub-processors
The Controller grants general authorisation to engage the following sub-processors. The Processor will notify the Controller at least 14 days before adding a new sub-processor, giving the Controller the opportunity to object.
- Clerk (clerk.com): Authentication and identity management. EEA data transfer covered by SCCs.
- Stripe (stripe.com): Payment processing. PCI-DSS Level 1 certified. Adequacy decision applicable.
- Cloudflare (cloudflare.com): CDN, edge network, and R2 object storage. SCCs in place.
- Vercel (vercel.com): Cloud infrastructure hosting and workflow orchestration. Data centre region configurable per plan.
- Neon (neon.tech): Managed Postgres database. SCCs in place.
- Sentry (sentry.io): Error monitoring. SCCs in place; data minimised via scrubbing rules.
7. International transfers
Where personal data is transferred outside the European Economic Area (EEA), the Processor relies on Standard Contractual Clauses (SCCs) issued by the European Commission (Implementing Decision 2021/914) or an applicable adequacy decision. A Transfer Impact Assessment (TIA) is available on request.
8. Security measures
The Processor maintains technical and organisational measures appropriate to the risk, including encryption at rest (AES-256) and in transit (TLS 1.2+), row-level security on the database, least-privilege access controls, and annual penetration testing. Full details are in the Security Policy.
9. Data retention
Personal data is retained for the duration of the subscription plus 30 days following termination, after which it is securely deleted. Audit logs are retained for 12 months. The Controller may request earlier deletion at any time.
10. Your rights as data subject
Data subjects whose personal data is processed under this DPA may exercise the following rights under GDPR: right of access (Article 15), right to rectification (Article 16), right to erasure (Article 17), right to restriction of processing (Article 18), right to data portability (Article 20), and right to object (Article 21). Requests should be directed to privacy@mother.ai.
11. Data breach notification
In the event of a personal data breach, the Processor will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach, providing all information required under GDPR Article 33.
12. Audit rights
The Controller may audit the Processor's compliance with this DPA once per calendar year, on reasonable notice of at least 30 days. The Processor may satisfy audit requests by providing relevant third-party audit reports (SOC 2 Type II or equivalent) in lieu of an on-site audit.
13. Contact
Data protection queries: email privacy@mother.ai. Nerdic AI, Attn: Data Protection, Copenhagen, Denmark.