1.Parties & Relationship
This Data Processing Agreement ("Agreement") is entered into by and between the organization providing access to or administering the Aevum Encyclopedia platform ("Controller") and Aevum Encyclopedia ("Processor"). The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law.
2.Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Data Subject" means the individual to whom the Personal Data relates.
- "Applicable Data Protection Laws" includes GDPR, CCPA/CPRA, LGPD, PIPEDA, and other relevant jurisdictional regulations.
3.Subject Matter, Nature & Purpose
The Processor shall provide the Aevum Encyclopedia knowledge platform, including AI-powered search, semantic indexing, user authentication, analytics, and customer support services. Processing is necessary solely to:
- Deliver, maintain, and improve the Encyclopedia platform;
- Enable user authentication, account management, and contribution workflows;
- Generate usage analytics and system performance metrics;
- Comply with legal, regulatory, and contractual obligations;
- Facilitate lawful research, education, and knowledge-discovery activities.
4.Categories of Data & Data Subjects
The Processing may involve the following categories of Personal Data, depending on Controller configuration:
- Identity & Contact: Name, email address, institutional affiliation, profile information;
- Authentication: Username, password hashes, session tokens, MFA configurations;
- Usage & Behavioral: Search queries, article views, reading history, interaction logs, device/browser metadata;
- Contribution & Editorial: Drafts, edits, comments, review submissions, contributor badges;
- Technical & Diagnostic: IP addresses, crash reports, performance telemetry, support ticket logs.
Data subjects may include registered users, institutional subscribers, guest readers, contributors, and support contacts.
5.Processor Obligations
The Processor agrees to:
- Process Personal Data only on documented instructions from the Controller, unless required by law;
- Ensure personnel authorized to process Personal Data are subject to confidentiality obligations and undergo regular data protection training;
- Implement appropriate technical and organizational measures as outlined in Section 7;
- Assist the Controller in responding to Data Subject Access Requests (DSARs) so that the Controller can meet its statutory response deadline (30 days of receipt, unless extended by law);
- Notify the Controller of any Personal Data Breach affecting the Platform without undue delay, and in any case no later than 24 hours after the breach is confirmed;
- Allow for and contribute to independent security audits and compliance assessments at reasonable intervals;
- Return or securely erase all Personal Data upon termination, unless retention is required by applicable law.
6.Sub-Processors
The Processor may engage third-party Sub-Processors for infrastructure hosting, CDN delivery, analytics, and AI model inference. A current list of authorized Sub-Processors is maintained at aevumencyclopedia.com/subprocessors.
The Controller receives at least 14 days' advance notice of any new Sub-Processor or material change to existing services. The Controller may object to changes within 14 days; failure to object constitutes deemed consent. The Processor remains fully liable for Sub-Processor compliance with this Agreement.
7.Security Measures
The Processor maintains a comprehensive security program aligned with ISO 27001, SOC 2 Type II, and NIST frameworks. Technical and organizational measures include:
- TLS 1.3 for all data in transit; AES-256 encryption for data at rest;
- Role-based access control (RBAC), multi-factor authentication, and just-in-time privileged access;
- Automated vulnerability scanning, penetration testing, and continuous threat monitoring;
- Infrastructure isolation, VPC networking, and DDoS mitigation;
- Secure backup replication, tested disaster recovery procedures, and immutable audit logging;
- AI/ML pipeline sandboxing, prompt-injection filtering, and output sanitization for knowledge-generation features.
8.Data Subject Rights Assistance
The Processor shall provide technical and organizational support to the Controller to fulfill Data Subject rights under applicable law, including rights to access, rectification, erasure, restriction, portability, and objection. Automated workflows are available via the Aevum Admin Console for bulk DSAR fulfillment. Processing times for assistance shall not exceed 10 business days from request receipt.
9.International Data Transfers
Where Personal Data is transferred outside the European Economic Area (EEA), United Kingdom, or Switzerland, the Processor shall ensure appropriate safeguards are in place, including but not limited to EU Standard Contractual Clauses (SCCs), UK IDTA, or approved adequacy decisions. Transfer impact assessments are conducted annually and upon material infrastructure changes.
10.Term & Termination
This Agreement remains in effect for the duration of the Platform service engagement. Either party may terminate for material breach upon 30 days' written notice, provided the breach remains uncured at the end of that notice period. Upon termination, the Processor shall, at the Controller's direction, securely return or permanently delete all Personal Data and certify destruction in writing within 15 days, unless legal retention obligations apply.
11.Governing Law & Dispute Resolution
This Agreement shall be governed by the laws of the jurisdiction specified in the underlying Service Agreement. Any disputes arising from data processing obligations shall be subject to mandatory consultation in good faith before escalation. Where applicable, supervisory authority jurisdiction is preserved per Applicable Data Protection Laws.
12.Privacy & Compliance Contact
For questions regarding this Data Processing Agreement, data processing practices, or to exercise Controller rights:
Privacy Team: privacy@aevumencyclopedia.com
Data Protection Officer: dpo@aevumencyclopedia.com
Mailing Address: Aevum Encyclopedia, Compliance Office, 400 Knowledge Blvd, Suite 200, San Francisco, CA 94107, USA