Data Processing Agreement

🖨️ Print / Save as PDF

This Data Processing Agreement ("DPA") is entered into between the parties identified below and forms part of the RiskAI X Terms of Service. This DPA governs the processing of personal data as required by Article 28 of the EU General Data Protection Regulation (GDPR) (EU) 2016/679.

1. Definitions

In this DPA, the following terms have the meanings set out below:

• "Controller" means the Data Controller identified above — the Client organisation subscribing to the Palladium or Banks tier.
• "Processor" means Diamond Properties Investments SRL, operating the RiskAI X platform.
• "Personal Data" means any data that identifies or could identify a natural person, including property addresses associated with identifiable individuals, email addresses, and IP addresses processed in connection with the Service.
• "Processing" has the meaning given in GDPR Article 4(2).
• "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
• "Services" means the RiskAI X property risk intelligence platform, APIs, and associated tools provided to the Controller under the Palladium or Banks tier subscription.

2. Subject Matter and Nature of Processing

The Processor processes Personal Data on behalf of the Controller solely for the purpose of providing the Services: property risk analysis, seismic scoring, cadastral lookup, ICRAL detection, and related risk intelligence functions.

Element	Details
Duration	For the term of the subscription agreement, plus 30 days post-termination for data return/deletion.
Nature	Automated processing of property addresses via API calls, geocoding, database lookups, and AI analysis.
Purpose	Property risk scoring, mortgage pre-screening, portfolio risk assessment, and related due diligence services.
Type of personal data	Property addresses (which may be associated with identifiable individuals); email addresses for account management; IP addresses for rate limiting and fraud prevention.
Categories of data subjects	Property owners and occupants whose addresses are submitted by the Controller; Controller's employees using the Service.

3. Processor Obligations

The Processor shall:

1. Process Personal Data only on documented instructions from the Controller, unless required to do so by EU or Member State law.
2. Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3. Implement appropriate technical and organisational measures as set out in Annex 2 to ensure a level of security appropriate to the risk.
4. Respect the conditions for engaging Sub-processors set out in Clause 5 of this DPA.
5. Assist the Controller with data subject rights requests (access, rectification, erasure, portability) to the extent technically feasible, within 72 hours of receiving a forwarded request.
6. Assist the Controller in ensuring compliance with Articles 32–36 GDPR (security, breach notification, DPIAs).
7. Delete or return all Personal Data to the Controller at the end of the service provision, at the Controller's choice, and delete existing copies unless EU or Member State law requires storage.
8. Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits and inspections.

4. Controller Obligations

The Controller shall:

1. Ensure it has a lawful basis for submitting Personal Data to the Processor.
2. Provide all necessary privacy notices to data subjects whose data is submitted.
3. Not submit to the Processor any Special Category Data (GDPR Article 9) or data relating to criminal convictions.
4. Ensure that property addresses submitted via bulk CSV or API are limited to data the Controller has authority to process.
5. Promptly notify the Processor of any data subject requests or regulator inquiries concerning the Services.

5. Sub-processors

The Controller provides general authorisation for the Processor to engage Sub-processors. Current approved Sub-processors are listed in Annex 1. The Processor shall:

• Give the Controller at least 30 days' notice before adding or replacing a Sub-processor
• Impose data protection obligations on Sub-processors equivalent to those in this DPA
• Remain fully liable for Sub-processor performance

The Controller may object to any Sub-processor change within 14 days of receiving notice. If a reasonable objection cannot be resolved, either party may terminate the subscription with 30 days' notice.

6. International Transfers

Personal Data processed under this DPA is primarily stored and processed within the European Economic Area (EEA) via Cloudflare's European data centres.

The following Sub-processors may involve transfers outside the EEA:

• Anthropic (Claude AI): United States. Transfer basis: Standard Contractual Clauses (SCCs) under EU Commission Decision 2021/914. Used for AI analysis only — no full addresses sent, only anonymised coordinates.
• LemonSqueezy: United States. Transfer basis: SCCs. Processes payment information only — no property data.

The Processor shall maintain appropriate transfer mechanisms (SCCs or equivalent) for all international transfers and shall inform the Controller without undue delay of any changes to transfer arrangements.

7. Security Measures

The Processor maintains the technical and organisational measures described in Annex 2, which include at minimum:

• HTTPS/TLS 1.3 encryption in transit for all API communications
• Cloudflare DDoS protection and Web Application Firewall
• Data at rest encryption via Cloudflare D1 (AES-256)
• HMAC-SHA256 webhook signature validation
• IP-based rate limiting and Cloudflare Turnstile bot protection
• API key access controls with per-key usage logging
• Automatic IP address deletion from KV store after 24 hours
• No long-term storage of property addresses (geocode cache TTL: 30 days maximum)

8. Data Breach Notification

In the event of a Personal Data breach, the Processor shall:

1. Notify the Controller without undue delay and in any event within 36 hours of becoming aware of the breach
2. Provide the Controller with sufficient information to meet its own 72-hour GDPR notification obligation to supervisory authorities
3. Include in the notification: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach

9. Audit Rights

The Controller may, upon reasonable prior written notice (minimum 30 business days), audit the Processor's compliance with this DPA. Audits shall be:

• Conducted no more than once per calendar year unless a specific breach gives rise to additional audit rights
• Limited to information necessary to assess DPA compliance
• Conducted during business hours without unreasonable disruption to operations
• Subject to the auditor's signing a confidentiality agreement acceptable to the Processor

The Processor may alternatively provide a current independent third-party audit report (SOC 2 Type II or equivalent) in lieu of an on-site audit.

10. Term and Termination

This DPA is effective from the date of subscription to the Palladium or Banks tier and terminates 30 days after the expiry or termination of the subscription. Within those 30 days, the Processor shall, at the Controller's written election, return or securely delete all Personal Data processed under this DPA.

11. Governing Law

This DPA is governed by Romanian law and EU law, including GDPR. Disputes arising from this DPA shall be subject to the jurisdiction of the competent courts of Romania, except where EU consumer protection law mandates otherwise.

Annex 1 Approved Sub-processors

Sub-processor	Purpose	Location	Transfer Basis
Cloudflare Inc.	CDN, DDoS protection, DNS, Workers, D1 database, KV store	EU (primary), US (failover)	SCCs + Cloudflare DPA
Anthropic PBC	AI analysis — anonymised property data only (coordinates, not full address)	USA	SCCs
LemonSqueezy LLC	Payment processing — no property data processed	USA	SCCs
Resend Inc.	Transactional email (watch alerts, billing confirmations)	USA	SCCs

Annex 2 Technical & Organisational Measures

Access Controls

• Per-API-key access controls with usage logging in Cloudflare D1
• Admin panel access restricted by secret key + IP allowlisting
• LemonSqueezy handles all payment credentials — no internal access to card data

Data Minimisation

• Property addresses are geocoded to coordinates; coordinates, not full addresses, are sent to Anthropic for AI analysis
• IP addresses stored in KV for 24 hours only (rate limiting); auto-deleted thereafter
• Geocode cache expires after 30 days maximum
• No behavioral profiling or tracking cookies used

Transmission Security

• All communications over HTTPS/TLS 1.3 minimum
• Cloudflare terminates TLS at edge; Cloudflare Workers ↔ D1 communication is internal (no external transit)
• LemonSqueezy webhooks validated via HMAC-SHA256 signature

Availability & Resilience

• Cloudflare Pages + Workers: globally distributed, 99.9%+ uptime SLA
• D1 database: automatic daily backups via Cloudflare
• No single point of failure: Cloudflare edge network with automatic failover

Incident Response

• Cloudflare Security Events monitoring for anomalous access patterns
• Worker error logging via Cloudflare Tail Workers
• Breach notification procedure: internal alert → Processor DPO review → Controller notification within 36 hours → Supervisory authority notification as required