Pay Transparency

Data Processing Agreement

Effective Date: March 1, 2026 | Last Updated: March 1, 2026

This Data Processing Agreement ("DPA") is entered into between you, the customer ("Controller"), and AIGuru LLC, operating as PayTransparency.ai ("Processor"), located in Princeton, NJ, United States. This DPA supplements and forms part of the Terms of Service and is entered into in accordance with Article 28 of the EU General Data Protection Regulation (GDPR).

1. Definitions

  • "Controller" means the entity that determines the purposes and means of processing personal data, as defined in Article 4(7) of the GDPR.
  • "Processor" means AIGuru LLC, which processes personal data on behalf of the Controller, as defined in Article 4(8) of the GDPR.
  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
  • "Data Subject" means the identified or identifiable natural person to whom the personal data relates.
  • "Processing" means any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, combination, restriction, erasure, or destruction.
  • "Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

2. Scope and Purpose of Processing

The Processor shall process personal data solely for the purpose of providing the PayTransparency.ai compliance assessment platform and related services, as described in the Terms of Service.

2.1 Categories of Data Subjects

  • Employees and authorized representatives of the Controller
  • Individuals whose data is submitted as part of compliance assessments

2.2 Types of Personal Data

  • Account information: name, email address, organization name, job title
  • Assessment data: organizational pay practices, workforce demographics, jurisdictional information
  • Usage data: IP addresses, browser information, pages visited

2.3 Duration of Processing

Processing shall continue for the duration of the service agreement. Upon termination, data shall be handled in accordance with Section 8 of this DPA.

3. Obligations of the Processor

The Processor shall:

  • Process personal data only on documented instructions from the Controller, unless required to do so by applicable law
  • Ensure that persons authorized to process personal data are bound by confidentiality obligations
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR
  • Assist the Controller in ensuring compliance with the obligations under Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor
  • Not engage another processor without the Controller's prior specific or general written authorization, as permitted by Article 28(2) of the GDPR (see Section 4 for the general authorization and the notice obligations that accompany it)
  • Assist the Controller in responding to requests from data subjects exercising their rights under the GDPR (see Section 5)
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations under Article 28 of the GDPR

4. Sub-processors

The Controller grants general authorization to the Processor to engage sub-processors. The Processor shall:

  • Maintain an up-to-date list of sub-processors and make it available to the Controller upon request
  • Notify the Controller in writing of any intended changes to sub-processors at least 30 days in advance
  • Ensure that any sub-processor is bound by data protection obligations no less protective than those set out in this DPA
  • Remain fully liable to the Controller for the performance of sub-processor obligations

4.1 Current Sub-processors

Sub-processor               Purpose                                                      Location
Amazon Web Services (AWS)   Cloud infrastructure, hosting, storage, and email delivery   United States (us-east-1)

5. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests under Chapter III of the GDPR, including requests for:

  • Access to personal data (Article 15)
  • Rectification of personal data (Article 16)
  • Erasure of personal data (Article 17)
  • Restriction of processing (Article 18)
  • Data portability (Article 20)
  • Objection to processing (Article 21)

If the Processor receives a request directly from a data subject, it shall promptly notify the Controller and shall not respond to the request without the Controller's instructions, unless required by law.

6. Security Measures

The Processor shall implement and maintain the following technical and organizational measures:

  • Encryption: All data encrypted in transit using TLS/SSL and at rest using AES-256 encryption
  • Access controls: Role-based access controls with principle of least privilege; multi-factor authentication for administrative access
  • Password security: User passwords stored only as bcrypt hashes (bcrypt generates a unique salt per hash) with an appropriate work factor
  • Infrastructure security: Hosted on AWS with industry-standard network security, firewalls, and intrusion detection
  • Monitoring: Continuous security monitoring, logging, and alerting for unauthorized access attempts
  • Backups: Regular automated backups with encryption and secure storage
  • Personnel: All personnel with access to personal data are trained on data protection and bound by confidentiality agreements

7. Data Breach Notification

In the event of a data breach, the Processor shall:

  • Notify the Controller without undue delay and in any event within 24 hours of becoming aware of the breach
  • Provide the Controller with sufficient information to enable the Controller to meet its obligations under Articles 33 and 34 of the GDPR, including:
    • A description of the nature of the breach, including the categories and approximate number of data subjects and records affected
    • The likely consequences of the breach
    • A description of the measures taken or proposed to address the breach, including measures to mitigate its effects
  • Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach
  • Document all breaches, including the facts, effects, and remedial actions taken

8. Data Return and Deletion

Upon termination of the service agreement, the Processor shall:

  • At the Controller's choice, return all personal data to the Controller in a commonly used, machine-readable format, or delete all personal data and existing copies
  • Complete the return or deletion within 30 days of the termination date
  • Provide written certification of deletion upon the Controller's request
  • Notwithstanding the above, the Processor may retain personal data to the extent required by applicable law, in which case the Processor shall continue to protect such data in accordance with this DPA

9. Audit Rights

The Controller shall have the right to conduct audits, including inspections, to verify the Processor's compliance with this DPA. The Processor shall:

  • Make available all information necessary to demonstrate compliance with Article 28 of the GDPR
  • Allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller
  • Provide reasonable cooperation and access to relevant facilities, equipment, and personnel during normal business hours

The Controller shall provide at least 30 days' written notice before conducting an audit, unless the audit is prompted by a data breach or regulatory investigation.

10. Cross-Border Transfers

The Processor shall not transfer personal data to a country outside the European Economic Area (EEA) unless at least one of the following applies:

  • The European Commission has issued an adequacy decision for the destination country
  • Appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission
  • A valid derogation under Article 49 of the GDPR applies

Where personal data is transferred to the United States, the Processor ensures that Standard Contractual Clauses are in place and that supplementary measures are taken as necessary to ensure an adequate level of protection.

11. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. The Processor shall be liable for damages caused by processing that does not comply with the GDPR or this DPA.

12. Contact

For questions regarding this Data Processing Agreement, please contact us at:

AIGuru LLC
Princeton, NJ, United States
Email: contact@paytransparency.ai