This Data Processing Addendum (“DPA”) is incorporated into and subject to the terms of the Agreement between NapoleonScout, Inc., d/b/a Ajax and the Customer. It governs how Ajax processes Customer Data under applicable Data Protection Laws, including GDPR, CCPA, and other international privacy regulations.
1. Definitions
Affiliate – Any entity that controls, is controlled by, or is under common control with another entity.
Agreement – Ajax’s Terms of Use or other written/electronic agreements that govern the provision of the Service.
Customer Data – Any personal data processed by Ajax on behalf of the Customer.
Data Protection Laws – Includes GDPR, CCPA, CPA, CTDPA, UCPA, VCDPA, PIPEDA, LGPD, Australian Privacy Law, and other applicable regulations.
Security Incident – Any unauthorized breach that results in the loss, alteration, or unauthorized access to Customer Data.
2. Roles and Responsibilities
Ajax acts as a processor for Customer Data.
Ajax will process data only in accordance with:
Customer’s lawful instructions
Applicable laws
Customer responsibilities:
Ensure compliance with all Data Protection Laws
Provide proper notice and consent where required
Note: Ajax will not train, retrain, or fine-tune any general-purpose AI or machine learning models using Customer Data. Ajax also prohibits its Subprocessors—such as OpenAI, Anthropic, or other LLM providers—from retaining or using Customer Data for their own model training or fine-tuning. Any improvements to the Service are performed solely on anonymized analytics or usage patterns that do not include raw or identifiable Customer Data.
3. Subprocessing
Ajax may engage Subprocessors to assist in fulfilling its obligations.
The list of authorized Subprocessors includes:
OpenAI
Anthropic
Google Gemini
Amazon Web Services
Vercel
PostHog
Ajax remains responsible for ensuring Subprocessors comply with data protection obligations.
4. Security and Compliance
Ajax implements and maintains industry-standard security measures to protect Customer Data.
In the event of a Security Incident:
Ajax will notify the Customer within 48 hours.
Ajax will take appropriate remediation steps.
Customers are responsible for:
Securely managing authentication credentials.
Ensuring secure data transmission.
5. Data Subject Rights
Ajax provides tools to help Customers:
Retrieve, correct, delete, or restrict Customer Data.
Customers must handle data subject requests and provide legal justification for data processing.
Ajax may offer additional assistance for compliance with GDPR and CCPA data rights.
6. International Data Transfers
Customer Data may be processed in the United States and other countries where Ajax operates.
For European Data Transfers – Ajax complies with Standard Contractual Clauses (SCCs).
For Australian Data Transfers – Compliant with Australian Privacy Law.
7. Deletion or Retention of Data
7.1 Standard Retention Periods
Ajax follows its published Data Retention Policy, under which raw Customer Data (e.g., logs, screenshots) is deleted after 30 days, and processed data (e.g., structured records derived from Customer interactions) is deleted after 60 days, unless the Customer provides alternative written instructions in compliance with applicable Data Protection Laws.
7.2 Post-Termination Deletion
Within 30 days after termination or expiration of the Agreement, Ajax shall permanently delete or render anonymized all remaining Customer Data, except where applicable law requires longer retention.
7.3 Anonymized Data
Ajax may retain and use anonymized or aggregated data that cannot identify the Customer or any individual for legitimate business and product improvement purposes. Such data is not considered Customer Data once it has been irreversibly anonymized.
8. Governing Law
The DPA is governed by the jurisdiction stated in the Customer Agreement, in compliance with applicable Data Protection Laws.