Data Processing Agreement
Last updated: January 23, 2026
How to Execute This DPA: This Data Processing Agreement is incorporated into and governed by our Terms of Service. By signing up for TechManager AI services, you agree to this DPA. For enterprise customers requiring a signed copy, please contact legal@techmanager.ai.
This Data Processing Agreement ("DPA") is entered into between Aiivars LLC, an Arizona limited liability company, doing business as TechManager AI ("Processor," "we," "us," or "Company"), and the entity agreeing to these terms ("Controller," "Customer," or "you").
This DPA applies to the processing of Personal Data by Processor on behalf of Controller in connection with the services provided under the Terms of Service ("Agreement").
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Processor on behalf of Controller.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Data Subject" means the individual to whom Personal Data relates.
- "Security Incident" means any unauthorized access, acquisition, use, or disclosure of Personal Data.
- "Subprocessor" means any third party engaged by Processor to process Personal Data on behalf of Controller.
- "Protected Health Information (PHI)" means individually identifiable health information as defined by HIPAA, if applicable to the services.
2. Scope and Purpose of Processing
2.1 Scope: This DPA applies to all Personal Data that Controller submits to, or that is collected through, the TechManager AI platform.
2.2 Purpose: Processor shall process Personal Data only for the following purposes:
- Providing the services described in the Agreement
- Maintaining and improving the security of the services
- Complying with applicable laws and regulations
- As otherwise instructed by Controller in writing
2.3 Types of Data: Personal Data processed may include names, email addresses, job titles, IP addresses, device information, support communications, and any other data submitted by Controller or its users.
3. Processor Obligations
Processor agrees to:
- 3.1 Process Personal Data only on documented instructions from Controller, unless required by law
- 3.2 Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations
- 3.3 Implement appropriate technical and organizational security measures as described in Section 5
- 3.4 Assist Controller in responding to Data Subject requests (access, correction, deletion, portability)
- 3.5 Notify Controller of Security Incidents as described in Section 6
- 3.6 Delete or return Personal Data upon termination of services, as directed by Controller
- 3.7 Make available information necessary to demonstrate compliance with this DPA
4. Controller Obligations
Controller agrees to:
- 4.1 Ensure that it has all necessary rights and consents to provide Personal Data to Processor
- 4.2 Provide clear instructions regarding the processing of Personal Data
- 4.3 Comply with all applicable data protection laws in its use of the services
- 4.4 Implement appropriate access controls for its users
- 4.5 Notify Processor promptly of any Data Subject requests or complaints
- 4.6 Not submit any Personal Data that Processor is not authorized to receive under applicable law
5. Security Measures
Processor implements and maintains the following security measures:
5.1 Technical Measures:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Multi-factor authentication for administrative access
- Regular vulnerability assessments and penetration testing
- Intrusion detection and prevention systems
- Automated security monitoring and alerting
- Regular security patches and updates
5.2 Organizational Measures:
- Background checks for employees with access to Personal Data
- Security awareness training for all personnel
- Access controls based on the least-privilege principle
- Documented security policies and procedures
- Incident response and business continuity plans
5.3 Physical Measures:
- Data hosted in SOC 2 certified data centers
- Physical access controls and monitoring
- Environmental controls (fire suppression, climate control)
6. Security Incident Notification
6.1 Processor shall notify Controller without undue delay (and in no event later than 72 hours) after becoming aware of a Security Incident affecting Controller's Personal Data.
6.2 Notification shall include, to the extent known:
- Nature of the Security Incident
- Categories and approximate number of affected Data Subjects
- Likely consequences of the incident
- Measures taken or proposed to address the incident
- Contact point for further information
6.3 Processor shall cooperate with Controller in investigating and mitigating the Security Incident.
7. Subprocessors
7.1 Authorization: Controller authorizes Processor to engage Subprocessors to process Personal Data, subject to the requirements of this section.
7.2 Requirements: Processor shall:
- Enter into written agreements with Subprocessors imposing data protection obligations no less protective than this DPA
- Remain liable for Subprocessor compliance
- Maintain a list of current Subprocessors available upon request
7.3 Categories of Subprocessors:
- Cloud infrastructure providers (hosting, storage)
- Payment processors (billing only, no access to service data)
- Communication services (email, support)
- Analytics providers (anonymized data only)
7.4 Changes: Processor will provide reasonable notice before engaging new Subprocessors that process Personal Data. Controller may object to a new Subprocessor by providing written notice within 30 days.
8. Data Subject Rights
8.1 Processor shall assist Controller in fulfilling its obligations to respond to Data Subject requests, including requests for:
- Access to Personal Data
- Correction of inaccurate data
- Deletion of Personal Data
- Data portability
- Restriction of processing
- Objection to processing
8.2 If Processor receives a request directly from a Data Subject, Processor shall promptly notify Controller unless prohibited by law.
9. Data Transfers
9.1 Processing Location: Personal Data is primarily processed in the United States. Processor may also use Subprocessors located in other countries as disclosed in the Subprocessor list.
9.2 EU/EEA Transfers: For transfers of Personal Data from the European Economic Area (EEA) to countries not recognized by the European Commission as providing adequate data protection, Processor offers the European Commission's Standard Contractual Clauses (SCCs) pursuant to Commission Implementing Decision (EU) 2021/914. The SCCs are incorporated into this DPA by reference and shall apply to such transfers. Upon request, Processor will provide a signed copy of the SCCs.
9.3 UK Transfers: For transfers of Personal Data from the United Kingdom, the UK International Data Transfer Addendum to the EU SCCs (UK Addendum) shall apply. The UK Addendum is incorporated into this DPA by reference.
9.4 Swiss Transfers: For transfers of Personal Data from Switzerland, the SCCs apply with the modifications required by the Swiss Federal Data Protection and Information Commissioner (FDPIC).
9.5 Data Residency: Enterprise customers may request data residency options (e.g., EU-only processing) as part of a custom agreement. Contact legal@techmanager.ai for data residency requirements.
9.6 Transfer Impact Assessments: Processor maintains documentation of transfer impact assessments and supplementary measures implemented to protect transferred data. This documentation is available to Controllers upon request under NDA.
10. HIPAA Compliance (If Applicable)
10.1 If Controller is a Covered Entity or Business Associate under HIPAA and the services involve Protected Health Information (PHI), a separate Business Associate Agreement (BAA) is required.
10.2 To request a BAA, contact legal@techmanager.ai.
10.3 Controller shall not submit PHI to the services without an executed BAA in place.
11. Audits
11.1 Upon reasonable request and subject to confidentiality obligations, Processor shall make available information necessary to demonstrate compliance with this DPA.
11.2 Processor may satisfy audit requests by providing:
- Copies of relevant certifications or audit reports (e.g., SOC 2)
- Responses to reasonable written questionnaires
- Documentation of security measures
11.3 On-site audits may be conducted with reasonable advance notice (at least 30 days), during normal business hours, and no more than once per year, at Controller's expense.
12. Data Retention and Deletion
12.1 Upon termination of the Agreement, Processor shall, at Controller's election:
- Return all Personal Data to Controller in a standard format; or
- Delete all Personal Data within 90 days
12.2 Processor may retain Personal Data as required by applicable law, provided such data remains subject to the confidentiality obligations of this DPA.
12.3 Processor shall provide written certification of deletion upon request.
13. Liability
13.1 Each party's liability under this DPA is subject to the limitations of liability set forth in the Agreement.
13.2 Processor shall be liable for damages caused by processing that violates this DPA or applicable data protection laws.
14. Term and Termination
14.1 This DPA shall remain in effect for the duration of the Agreement.
14.2 Provisions relating to confidentiality, data deletion, and liability shall survive termination.
15. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the State of Arizona, United States, consistent with the Agreement.
16. Contact
For questions about this DPA or to request a signed copy:
Legal: legal@techmanager.ai
Privacy: privacy@techmanager.ai
Company: Aiivars LLC
Website: techmanager.ai