LEGAL

Ajax Data Processing Addendum

This Data Processing Addendum (“DPA”) is incorporated into and subject to the terms of the Agreement between NapoleonScout, Inc., d/b/a Ajax and the Customer. It governs how Ajax processes Customer Data under applicable Data Protection Laws, including GDPR, CCPA, and other international privacy regulations.


1. Definitions

  • Affiliate – Any entity that controls, is controlled by, or is under common control with another entity.

  • Agreement – Ajax’s Terms of Use or other written/electronic agreements that govern the provision of the Service.

  • Customer Data – Any personal data processed by Ajax on behalf of the Customer.

  • Data Protection Laws – Includes GDPR, CCPA, CPA, CTDPA, UCPA, VCDPA, PIPEDA, LGPD, Australian Privacy Law, and other applicable regulations.

  • Security Incident – Any unauthorized breach that results in the loss, alteration, or unauthorized access to Customer Data.


2. Roles and Responsibilities

  • Ajax acts as a processor for Customer Data.

  • Ajax will process data only in accordance with:

    • Customer’s lawful instructions

    • Applicable laws

  • Customer responsibilities:

    • Ensure compliance with all Data Protection Laws

    • Provide proper notice and consent where required


Note: Ajax will not train, retrain, or fine-tune any general-purpose AI or machine learning models using Customer Data. Ajax also prohibits its Subprocessors—such as OpenAI, Anthropic, or other LLM providers—from retaining or using Customer Data for their own model training or fine-tuning. Any improvements to the Service are performed solely on anonymized analytics or usage patterns that do not include raw or identifiable Customer Data.


3. Subprocessing

  • Ajax may engage Subprocessors to assist in fulfilling its obligations.

  • The list of authorized Subprocessors includes:

    • OpenAI

    • Anthropic

    • Google Gemini

    • Amazon Web Services

    • Vercel

    • PostHog

  • Ajax remains responsible for ensuring Subprocessors comply with data protection obligations.


4. Security and Compliance

  • Ajax implements and maintains industry-standard security measures to protect Customer Data.

  • In the event of a Security Incident:

    • Ajax will notify the Customer within 48 hours.

    • Ajax will take appropriate remediation steps.

  • Customers are responsible for:

    • Securely managing authentication credentials.

    • Ensuring secure data transmission.


5. Data Subject Rights

  • Ajax provides tools to help Customers:

    • Retrieve, correct, delete, or restrict Customer Data.

  • Customers must handle data subject requests and provide legal justification for data processing.

  • Ajax may offer additional assistance for compliance with GDPR and CCPA data rights.


6. International Data Transfers

  • Customer Data may be processed in the United States and other countries where Ajax operates.

  • For European Data Transfers – Ajax complies with Standard Contractual Clauses (SCCs).

  • For Australian Data Transfers – Ajax complies with Australian Privacy Law.


7. Deletion or Retention of Data

7.1 Standard Retention Periods

  • Ajax follows its published Data Retention Policy, under which raw Customer Data (e.g., logs, screenshots) is deleted after 30 days, and processed data (e.g., structured records derived from Customer interactions) is deleted after 60 days, unless the Customer provides alternative written instructions in compliance with applicable Data Protection Laws.


7.2 Post-Termination Deletion

Within 30 days after termination or expiration of the Agreement, Ajax shall permanently delete or render anonymized all remaining Customer Data, except where applicable law requires longer retention.


7.3 Anonymized Data

Ajax may retain and use anonymized or aggregated data that cannot identify the Customer or any individual for legitimate business and product improvement purposes. Such data is not considered Customer Data once it has been irreversibly anonymized.

8. Governing Law

  • The DPA is governed by the jurisdiction stated in the Customer Agreement, in compliance with applicable Data Protection Laws.