Data Processing Agreement
This page summarises the terms of the Data Processing Agreement (DPA) Impetora enters into with clients whose data we process while delivering custom AI work. It is not the contract itself; the executable DPA template is available on request.
1. Roles
For client data processed during a delivery engagement, the client is the Data Controller and Impetora acts as the Data Processor under Article 28 of the EU GDPR. Impetora processes personal data only on documented instructions from the client, including with regard to international transfers.
2. Scope and duration
The scope of processing is limited to the delivery of the contracted services as described in the engagement statement of work. Duration matches the engagement term plus any agreed retention period. On termination Impetora returns or deletes all client personal data, at the client's choice, unless retention is required by EU or member-state law.
3. Sub-processors
A current list of sub-processors, with the type of processing each performs and their location, is maintained on our security page. We provide 14 days' notice before adding a new sub-processor. Clients may object on reasonable data-protection grounds and request termination if no alternative arrangement is reached.
4. International transfers
Default processing happens within the EEA. Where a sub-processor or onward transfer involves a third country, transfers are governed by EU Standard Contractual Clauses (Module 3, processor-to-sub-processor) and supplementary measures appropriate to the data category and destination country.
5. Security
Impetora implements technical and organisational measures including:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Access controls, single sign-on, and multi-factor authentication on internal accounts
- Least-privilege access and time-bound elevation for production systems
- Audit logging of processing activities and access to client data
- Regular vulnerability scanning and dependency review
6. Data subject requests
Where Impetora receives a data subject request relating to client data, we forward the request to the client within 5 business days and assist the client with response within reason and at no additional cost.
7. Personal data breach notification
Impetora notifies the client of a confirmed personal data breach affecting client data without undue delay and in any event within 24 hours of confirmation. Notice includes the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed.
8. Audit
The client may audit Impetora's compliance with this DPA once per year on 30 days' written notice, or on a shorter timeline following a confirmed breach. Audit may take the form of a written questionnaire, a video review, or an on-site visit at the client's cost.
9. Liability
Liability for breach of this DPA is governed by the underlying engagement contract. Statutory rights of data subjects under the GDPR are not affected.
10. Requesting the full DPA
The executable DPA template (PDF, including Standard Contractual Clauses) is available on request. Email justas@ainora.lt with your company name and the engagement context. We typically return a signed counterpart within 3 business days of receiving the executed copy.