Data Processing Agreement (DPA)
This Data Processing Agreement ("DPA") explains how Aware handles personal data on behalf of our customers in accordance with data protection laws like the GDPR.
If you're a customer using the Aware platform, and you qualify as a "data controller" under applicable laws, this DPA automatically applies as part of our Terms of Service. By continuing to use Aware, you’re agreeing to this DPA.
This DPA is effective from the moment you create an account or begin using the Aware platform.
1. Definitions
- "Personal Data": Any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
- "Processing": Any operation or set of operations performed on personal data, as defined in Article 4(2) of the GDPR.
- "Sub-Processor": Any third party engaged by Aware to carry out processing activities on behalf of the customer.
- "Standard Contractual Clauses (SCCs)": EU-approved legal tools for ensuring adequate protection for personal data transferred outside the European Economic Area (EEA).
2. Scope and Roles
- You (the Controller) authorize Aware (the Processor) to process personal data to provide access to and analytics within the Aware platform.
- Aware will only process your data as necessary to deliver our services and follow your instructions.
- You confirm that you have a valid legal basis for sharing personal data with Aware.
3. Nature of Data Processing
- Subject Matter: Access to and use of the Aware platform.
- Duration: Until your contract with Aware ends.
- Purpose: Delivering services and analytics through the Aware platform.
- Categories of Data:
  - Name
  - Email
  - IP addresses
  - LinkedIn profile data and content analytics
  - LinkedIn messages
  - CRM data (if you enable the integrations with Salesforce or Hubspot)
  - Profile pictures and imagery
  - Usage data, logs, and system activity
- Data Subjects: Your employees, contractors, users, and potentially your customers, depending on usage.
4. Aware's Responsibilities
- Instructions: We only act on your documented instructions unless legally required otherwise.
- Confidentiality: All personnel processing your data are under confidentiality obligations.
- Security Measures:
  - Encryption and pseudonymization (when appropriate)
  - Access controls
  - Regular security audits
  - Incident detection and response procedures
5. Sub-Processors
- We use third-party service providers (sub-processors) to help deliver our services. These providers may process personal data on our behalf.
- All sub-processors are contractually required to follow data protection obligations equivalent to those in this DPA.
- You will be informed of any intended additions to our sub-processor list and may object on reasonable grounds.
Current Sub-Processors:
The following sub-processors are used in connection with the Aware platform:
- Render.com – Hosting and infrastructure
- Amazon Web Services (AWS) – Cloud storage and compute
- New Relic – Application performance monitoring
- Intercom – Customer support and messaging
- Hubspot – Internal CRM
- Profitwell – Billing analytics
- Stripe – Billing and payments
- PostHog – Product analytics
- OpenAI – AI model processing
- Anthropic – AI model processing
Other Tools:
- Slack – Internal communications to the extent that internal support tickets sometimes include personal data to identify the user who needs help
6. Your Users' Rights
We will help you respond to data subject requests under GDPR, including:
- Access
- Rectification
- Erasure
- Restriction of processing
- Data portability
7. Data Breach Notification
If we become aware of a personal data breach, we will:
- Notify you without undue delay
- Share details of the breach, affected data, and mitigation actions
8. Data Retention and Deletion
When your contract ends, we will:
- Delete or return all personal data upon your request
- Securely delete residual data unless we are legally required to keep it
9. Audits and Compliance
- You may review our current security documentation or request additional details to support your GDPR compliance
- Physical or on-site audits must be requested in writing with at least 30 days' notice and are limited to once per year, unless required by applicable law
- We will provide reasonable assistance, upon written request, limited to the scope of services provided by Aware and subject to reasonable time and resource constraints
10. International Data Transfers
Personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, in connection with Aware’s services. Aware ensures that any such transfers comply with applicable data protection laws and are safeguarded through one or more of the following mechanisms:
- Standard Contractual Clauses approved by the European Commission
- The EU-U.S. Data Privacy Framework (if applicable)
- Other lawful transfer mechanisms approved under GDPR
11. Liability and Indemnification
- Aware is liable for breaches of this DPA or GDPR to the extent such breach results from Aware’s failure to comply with its obligations under this Agreement
- Aware is not liable for acts or omissions of authorized sub-processors, provided that Aware has complied with its obligations under Section 5 (Use of Sub-Processors), including entering into appropriate contractual safeguards
- Aware will indemnify you for direct damages or regulatory penalties arising solely from Aware’s material breach of this DPA or GDPR, subject to the liability limitations set forth in our Terms of Service
12. Governing Law
- This Agreement is governed by the laws of the European Union (GDPR) and Oregon, United States
- Where there is a conflict, GDPR will apply for data protection matters
If you have any questions, please contact us by email at privacy[at]useaware.co.