Legal Review in Progress
This Data Processing Agreement is currently under legal review and will be finalized before public launch. Last updated: 10 April 2026
Data Processing Agreement
GDPR Article 28 Compliance | Last updated: 10 April 2026
Introduction
This Data Processing Agreement ("DPA") forms part of the contract between you ("Customer", "Data Controller") and AI Governance Hub, operated by ITNextGen Limited ("Processor", "we", "us"), for the use of the AI Governance Hub platform ("Services").
This DPA reflects the parties' agreement on the processing of Personal Data in accordance with the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Definitions
In this DPA:
- "Personal Data" means any information relating to an identified or identifiable natural person processed using the Services
- "Data Controller" means the Customer who determines the purposes and means of processing Personal Data
- "Data Processor" means AI Governance Hub (ITNextGen Limited), who processes Personal Data on behalf of the Data Controller
- "Sub-processor" means any third-party processor engaged by the Processor
- "Data Subject" means the individual to whom Personal Data relates
2. Scope and Duration of Processing
2.1 Subject Matter
The Processor will process Personal Data as necessary to provide the Services, including storing, retrieving, and displaying Customer data via the AI Governance Hub platform.
2.2 Duration
Processing will continue for the duration of the subscription period and for 30 days thereafter to allow data export. After 30 days, all Personal Data will be securely deleted.
2.3 Nature and Purpose of Processing
The Processor will process Personal Data to:
- Provide access to the AI Governance Hub platform
- Store and retrieve Customer data (AI system details, risk assessments, documents)
- Generate compliance reports and PDFs
- Provide customer support
- Detect and prevent fraud or security incidents
2.4 Types of Personal Data
The Processor may process the following categories of Personal Data:
- Account Data: Email addresses, organization names, user roles
- AI System Data: AI system descriptions, vendor names, deployment dates, risk levels
- Risk Assessment Data: Questionnaire responses, risk scores, mitigation notes
- AIIA Content: Impact assessment text, consultation records
- Documents: Uploaded files and metadata (policies, assessments, contracts)
- Usage Data: Log data, analytics, error reports
2.5 Categories of Data Subjects
- Customer employees and users of the Services
- Individuals referenced in Customer data (e.g., AI system owners, data subjects of AI systems)
3. Processor Obligations
3.1 Processing Instructions
The Processor shall process Personal Data only on documented instructions from the Data Controller, unless required to do so by UK law. The initial instructions are set out in this DPA and the Terms of Service.
3.2 Confidentiality
The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.3 Security Measures
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.2+)
- Row-Level Security (RLS) policies to prevent unauthorized data access
- Multi-factor authentication (MFA) for administrative access
- Periodic security reviews and planned third-party penetration testing
- Automated backups with encryption
- Access controls and audit logging
- Incident response procedures
3.4 Sub-processors
The Data Controller consents to the Processor engaging the following Sub-processors:
| Sub-processor | Service | Location |
|---|---|---|
| Supabase Inc. | Database and authentication | UK/EU data centers |
| Stripe Inc. | Payment processing | Global (GDPR-compliant) |
| Vercel Inc. | Hosting and CDN | Global (UK/EU-preferred) |
| Resend Inc. | Transactional email | Global (GDPR-compliant) |
| PostHog Inc. | Analytics (privacy-preserving) | EU data centers |
| Anthropic PBC | AI features: knowledge base curation, regulatory intelligence, policy assistance, support chat (regulatory content only — no personal data from customer records) | USA (GDPR-compliant DPA) |
The Processor will notify the Data Controller of any intended changes to Sub-processors with 30 days' notice, allowing the Data Controller to object.
3.5 Data Subject Rights
The Processor shall, to the extent possible, assist the Data Controller in responding to Data Subject requests to exercise their rights under UK GDPR (access, rectification, erasure, restriction, portability, objection).
3.6 Data Breach Notification
The Processor shall notify the Data Controller without undue delay after becoming aware of a Personal Data breach, as required by UK GDPR Article 33(2). (Note: the 72-hour deadline in UK GDPR Article 33(1) applies to the Data Controller's notification to the ICO; the Processor does not report to the ICO on the Data Controller's behalf, but will notify promptly and cooperate so that the Data Controller can meet that deadline.) Notification will include:
- Nature of the breach
- Categories and approximate number of Data Subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
Breach Contact: security@aigovernancehub.uk
3.7 Data Protection Impact Assessments (DPIAs)
The Processor shall provide reasonable assistance to the Data Controller in conducting DPIAs where required by UK GDPR.
3.8 Audits and Inspections
The Processor shall make available to the Data Controller all information necessary to demonstrate compliance with this DPA and allow for audits. Audits may be conducted:
- By review of the compliance documentation available at the time of the audit (SOC 2 and ISO 27001 certifications are planned — see our Security Policy for current status)
- By written questionnaire (annual)
- By on-site or remote audit (upon reasonable notice, at the Data Controller's expense, no more than once per year)
4. Data Controller Obligations
The Data Controller warrants that:
- It has a lawful basis for processing Personal Data under UK GDPR
- It has provided appropriate privacy notices to Data Subjects
- It will not instruct the Processor to process Personal Data in a way that violates UK GDPR or other laws
5. International Data Transfers
Personal Data is primarily stored in UK/EU data centers. Where a Sub-processor may transfer Personal Data outside the UK/EU, the Processor ensures that one of the following safeguards is in place:
- The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs)
- A UK adequacy decision (e.g., the UK Extension to the EU-US Data Privacy Framework, the "UK-US data bridge", for Sub-processors certified under it)
6. Data Deletion and Return
Upon termination of Services or at the Data Controller's written request, the Processor shall:
- Provide the Data Controller with 30 days to export their data (CSV, PDF, JSON formats available)
- Delete or return all Personal Data after the 30-day period
- Delete all existing copies unless UK law requires storage (e.g., financial records for 7 years for HMRC)
7. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. Where a regulatory fine or penalty is imposed as a direct result of the Processor's demonstrable non-compliance with its obligations under this DPA, the parties will cooperate in good faith to apportion liability appropriately. Any liability of the Processor is subject to the caps set out in the Terms of Service.
Note: This clause will be reviewed and formalised by a qualified solicitor prior to public launch.
8. Changes to This DPA
The Processor may update this DPA to reflect changes in UK GDPR requirements or Sub-processor arrangements. Material changes will be communicated 30 days in advance.
9. Governing Law
This DPA is governed by the laws of England and Wales and is subject to the exclusive jurisdiction of the courts of England and Wales.
10. Contact Information
Data Processor:
AI Governance Hub (ITNextGen Limited)
71-75 Shelton Street, Covent Garden
London, WC2H 9JQ
United Kingdom
Data Protection Contact: privacy@aigovernancehub.uk
Execution
This DPA forms part of the contract between the Data Controller and ITNextGen Limited. For the purposes of UK GDPR Article 28, this published version constitutes the standard terms. Organisations requiring a countersigned DPA for their records should contact privacy@aigovernancehub.uk.
This DPA is subject to legal review prior to public launch. Organisations with specific contractual requirements should request a reviewed version.