Data Processing Agreement (DPA)

Last updated: June 9, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between ControlShift AI ("Processor," "we," "our," or "us") and the customer ("Controller," "you," or "your") for the ControlShift AI platform and related services. This DPA applies where we process personal data on your behalf and supplements our Terms of Service and Privacy Policy.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person processed through the Service.
  • Processing: Any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
  • Subprocessor: A third party engaged by ControlShift AI to process Personal Data on behalf of the Controller.
  • Data Subject: The individual to whom Personal Data relates.

3. Scope and Roles

You act as the Controller of Personal Data you submit to or generate through the Service, including end-user chat or voice interaction data, contact details, and integration data. ControlShift AI acts as Processor, processing Personal Data only on your documented instructions as set out in the Terms, this DPA, and your account configuration.

4. Processor Obligations

ControlShift AI will:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure personnel authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures as described in our Security Policy
  • Assist the Controller with Data Subject requests where technically feasible
  • Notify the Controller without undue delay after becoming aware of a Personal Data breach
  • Delete or return Personal Data upon termination of the Service, subject to legal retention requirements
  • Make available information necessary to demonstrate compliance with this DPA

5. Controller Obligations

You are responsible for:

  • Ensuring a lawful basis exists for Processing Personal Data through the Service
  • Providing required notices and obtaining necessary consents from Data Subjects
  • Configuring the Service in compliance with applicable privacy laws
  • Responding to Data Subject requests unless we are required to assist
  • Ensuring instructions to us comply with applicable law

6. Subprocessors

You authorize ControlShift AI to engage Subprocessors to support the Service. We maintain an up-to-date Subprocessor List and will impose data protection obligations on Subprocessors consistent with this DPA. We will provide notice of material Subprocessor changes where required by law or contract.

7. International Transfers

Where Personal Data is transferred outside the European Economic Area, United Kingdom, or other jurisdictions with transfer restrictions, we implement appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms. See our GDPR Compliance page for additional information.

8. Audits

Upon reasonable written request, we will provide information to demonstrate compliance with this DPA. Formal audits may be conducted no more than once per year with at least 30 days' notice, subject to confidentiality and security restrictions.

9. Term and Termination

This DPA remains in effect for as long as ControlShift AI processes Personal Data on your behalf. Upon termination, we will delete or return Personal Data in accordance with our data retention practices and your Data Deletion instructions, unless retention is required by law.

10. Executed DPA Requests

Enterprise customers requiring a countersigned DPA may request one by contacting support@controlshiftai.com. For most customers, acceptance of our Terms of Service incorporates this DPA by reference.

11. Contact Us