Data Processing Agreement

Last updated · 1 July 2026

This Data Processing Agreement ("DPA") supplements the AVINITY Terms of Service and applies when AVINITY processes personal data on behalf of a customer ("Controller") in connection with the Service.

1. Roles

Controller determines the purposes and means of processing. AVINITY acts as Processor and processes only on documented instructions.

2. Subject-matter and duration

Processing lasts for the duration of the subscription and covers Customer Data uploaded to the Service (project data, governance decisions, member profiles, usage logs).

3. Sub-processors

Controller authorises AVINITY to engage sub-processors for hosting, database, email delivery and AI inference. AVINITY will notify Controller at least 30 days before adding or replacing a sub-processor, and imposes equivalent data-protection obligations by contract.

4. Security measures

  • Encryption of Customer Data in transit (TLS 1.2+) and at rest.
  • Row-level security so each workspace's data is isolated by tenant identifier.
  • Immutable audit log of create, update and delete operations.
  • Least-privilege access for AVINITY personnel; access reviews at least twice per year.
  • Automated backups with defined retention.

5. Data-subject requests

AVINITY provides workspace-level tooling to support access, rectification, deletion and portability requests.

6. Breach notification

AVINITY will notify Controller without undue delay, and in any case within 72 hours, of any confirmed personal-data breach.

7. International transfers

Where required, transfers rely on Standard Contractual Clauses or equivalent lawful safeguards.

8. Return or deletion

On termination, Controller may export Customer Data for 30 days, after which it will be deleted from active systems.

To countersign this DPA, contact legal@avinityconsulting.com.