Data Processing Addendum (DPA)

For customers subject to GDPR, UK GDPR, Swiss FADP, or similar laws.

1. Roles

Customer is the Controller; AI Typing Code is the Processor.

2. Scope

Personal data processed: account info, usage metrics, typed content, payment metadata.

3. Sub-processors

See Privacy Policy §4. We give 30 days’ notice before adding a new sub-processor.

4. Security Measures

• TLS 1.2+ in transit; AES-256 at rest.
• Role-based access; principle of least privilege.
• Supabase RLS + audit logging on privileged tables.
• Annual SOC 2 Type II (in progress) and penetration testing.

5. Breach Notification

We notify the Customer within 72 hours of becoming aware of a Personal Data Breach.

6. International Transfers

SCCs (EU 2021/914) apply to transfers outside the EEA; UK IDTA for UK transfers.

7. Execution

This DPA is executed by accepting the Terms of Service. A counter-signed PDF is available on request at dpa@aitypingcode.com.