Data Processing Agreement

GDPR + CCPA-compliant DPA executed alongside every MSA.

Quick facts (for procurement)

Entity (sales): AI-Native Agency LLC (Delaware) or SAS (France)
Insurance: $2M PI + $1M cyber via Lloyd's-backed carrier
NDA turnaround: 24 hours from request
SOW turnaround: 5 business days from Discovery call
Net terms: Net-30 standard, Net-15 on request
Data residency: US-region storage available; default EU
Sub-processors: Disclosed at /subprocessors; 30-day change notice
DPA: GDPR + CCPA, SCCs included

DPA highlights

The points below summarise the substantive sections of our standard DPA. The full text is delivered alongside the MSA. We can also sign yours.

Roles

Client acts as data controller. AI-Native Agency acts as data processor. Roles are documented per processing activity in Schedule A of the DPA.

Lawful basis

Client warrants lawful basis for the data shared with AI-Native Agency. Our processing activities are limited to those instructed by client and documented in the SOW.

Sub-processing

We engage sub-processors (model providers, hosting, transactional email) only with client awareness via the /subprocessors page. Material changes are notified 30 days in advance, and client has the right to object.

EU–US data transfer

Standard Contractual Clauses (SCCs, Module 2 controller-to-processor) included for any data leaving the EEA. Schrems II Transfer Impact Assessment available on request.

Data subject rights

We assist client in responding to data subject access, deletion, and rectification requests within applicable statutory windows (GDPR 1 month, CCPA 45 days).

Security measures

Technical and organisational measures detailed in Schedule B of the DPA: encryption in transit and at rest, access control, audit logging, incident response, sub-processor due diligence.

Audit rights

Client may audit our processing activities once per year with 30 days' notice, at client cost. Penetration test results and security questionnaire (SIG-Lite) available on request.

Breach notification

Personal data breaches notified to client within 24 hours of confirmation, with preliminary impact assessment within 72 hours.

Termination

On engagement end, all client personal data is returned to client or deleted within 30 days, at client's election. Deletion confirmed in writing.

Schrems II Transfer Impact Assessment

For EU-controlled data transferred to US sub-processors, we maintain a Schrems II Transfer Impact Assessment documenting the legal landscape, supplementary measures (encryption, pseudonymisation, access controls), and risk mitigations. The TIA is available to your privacy officer on request, pre-signature.

Procurement contact

Need this in a different format?

We can fill out your security questionnaire (SIG, CAIQ, custom), share insurance certificates, run through procurement legal calls, or sign your standard MSA. Reach out via the discovery call and we'll route you to the right docs.