Data Processing Agreement

This DPA forms part of the Terms of Service between FaradayMind (Processor) and the subscribing organisation (Controller). A countersigned copy is provided to each client on subscription.

1. Definitions

Controller: The subscribing organisation that determines the purposes and means of processing personal data submitted to the API.

Processor: FaradayMind, operated by [YOUR FULL NAME / COMPANY NAME], which processes personal data on behalf of the Controller.

UK GDPR: The UK General Data Protection Regulation as retained in UK law.

Processing: The submission of data to the FaradayMind API and the return of a generated response.

2. Subject matter and duration

This DPA governs the processing of personal data submitted by the Controller to the FaradayMind API for the purpose of AI-assisted document analysis, summarisation, extraction, and drafting. It applies for the duration of the Controller's subscription.

3. Nature of processing

The Processor receives text submitted by the Controller via API request, processes it using a local AI language model, and returns a generated text response. Processing is stateless: no input data is written to persistent storage at any point. Data exists only in system memory during the inference operation and is discarded immediately upon completion.

4. Categories of personal data

The categories of personal data processed depend entirely on what the Controller chooses to submit. The Processor does not prescribe or restrict this. The Controller is responsible for ensuring appropriate lawful basis for any personal data submitted.

5. Categories of data subjects

As determined by the Controller. Typically: the Controller's clients, employees, or counterparties whose data appears in documents submitted for processing.

6. Processor obligations

The Processor shall:

Process personal data only on documented instructions from the Controller, unless required to do otherwise by law
Ensure that all personnel with access to personal data are bound by appropriate confidentiality obligations
Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see clause 8)
Not engage sub-processors without prior written consent of the Controller
Assist the Controller in responding to data subject rights requests, to the extent possible given the stateless nature of processing
Assist the Controller in meeting its obligations under UK GDPR Articles 32–36 (security, breach notification, DPIAs)
At the Controller's election, delete or return all personal data after the end of service provision. Given the stateless architecture, no persistent data is held beyond the duration of each API request
Make available all information necessary to demonstrate compliance with this DPA and permit audits by the Controller or its designees on reasonable notice

7. Sub-processors

The Processor does not use any sub-processors for AI inference. All processing is performed on hardware operated exclusively by the Processor, located in the United Kingdom. The Processor will notify the Controller in advance of any intended changes to sub-processor arrangements.

8. Security measures

The Processor implements the following technical and organisational measures:

Encryption in transit: All API traffic is encrypted via TLS 1.3 through Cloudflare's network
Authentication: Each client is issued a unique 256-bit API key. Requests without a valid key are rejected
Rate limiting: Per-key request rate limits prevent abuse and limit blast radius in case of key compromise
No persistent storage: Inference data is processed in volatile memory only and is not written to disk
No logging of content: Request and response content is not logged. Only non-identifying metadata (response time, error codes) may be recorded for operational purposes
Physical security: Hardware is located at a private UK address with appropriate physical access controls
Network isolation: The inference server is not directly exposed to the internet; external traffic is routed via an encrypted tunnel

9. Data breach notification

The Processor will notify the Controller without undue delay, and in any event within 72 hours, upon becoming aware of a personal data breach affecting data processed under this DPA. Notification will include: the nature of the breach, categories of data subjects affected, likely consequences, and measures taken or proposed.

10. International transfers

All processing under this DPA takes place within the United Kingdom. No personal data is transferred outside the UK.

11. Term and termination

This DPA remains in effect for the duration of the Controller's subscription. On termination, given the stateless architecture, no data deletion procedure is required for inference data. Any retained account data will be handled per the Privacy Policy.

12. Governing law

This DPA is governed by the laws of England and Wales.

Contact

For DPA queries or to request a countersigned copy, contact hello@faradaymind.com.