Data Processing Addendum (DPA)

Last Updated: February 4, 2026

This Data Processing Addendum ("DPA") forms part of the Agreement between Customer and Concentrate under which Concentrate provides to Customer the Services described in the Agreement, including but not limited to the Privacy Policy provided at concentrate.ai/privacy ("Privacy Policy"). This DPA applies to the extent that Concentrate Processes Customer Personal Data (as defined herein) in connection with providing the Services under the Agreement. In the event of conflict between the terms of the Agreement and this DPA, the terms of this DPA shall prevail. Unless defined in this DPA, capitalized terms herein shall have the same meanings as stated in the Agreement.

1. Definitions

To the extent any definition here conflicts with the definition provided under Applicable Data Protection Laws, the statutory definition shall prevail solely for purposes of statutory interpretation, and the contractual definitions below shall govern for all commercial and operational purposes.

1.1 "Agreement"

Means the Terms of Service provided at concentrate.ai/msa or other contractual instrument, between Customer and Concentrate governing Customer's access to and use of the Services.

1.2 "Applicable Data Protection Laws"

Means all data protection, privacy, information security, cyber incident, and cross-border transfer laws applicable to the Processing of Personal Data under this DPA, including without limitation:

  • Regulation (EU) 2016/679 (GDPR);
  • the UK GDPR and UK Data Protection Act 2018;
  • the Swiss Federal Act on Data Protection (FADP);
  • the California Consumer Privacy Act (CCPA) as amended by the CPRA;
  • Colorado Privacy Act (CPA);
  • Connecticut Data Privacy Act (CTDPA);
  • Utah Consumer Privacy Act (UCPA);
  • Virginia Consumer Data Protection Act (VCDPA);
  • any comprehensive state privacy law enacted during the term of this DPA;
  • regulations promulgated under any foregoing law; and
  • any successor, replacement, or equivalently scoped privacy regime.

This definition is intentionally broad and includes all laws applicable to Customer as Controller; nothing herein expands Concentrate's obligations beyond what is expressly stated in this DPA.

1.3 "Affiliate"

Means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party. For clarity, "control" means ownership or power to direct more than fifty percent (50%) of voting interests, membership rights, or management authority.

1.4 "Customer Personal Data"

Means the subset of Customer Data that constitutes Personal Data under Applicable Data Protection Laws and is Processed by Concentrate on behalf of Customer in connection with providing the Services.

1.5 "Data Subject"

Means any identifiable natural person whose Personal Data is included within Customer Personal Data, including Customer's employees, end users, contractors, applicants, or any other individuals whose Personal Data Customer elects to submit.

1.6 "International Transfer"

Means any transfer of Customer Personal Data from the EEA, UK, or Switzerland to a location outside those jurisdictions that is not recognized as providing an adequate level of protection by the European Commission, the UK Secretary of State, or the Swiss Federal Council (as applicable). International Transfers are governed by Customer's chosen transfer mechanism: the SCCs (Module 2), the UK Addendum, and the Swiss Addendum.

Concentrate intends to rely on the EU-US Data Privacy Framework as its transfer mechanism. Its application is currently in review by the US Department of Commerce. Until such time, Concentrate will rely on a combination of SCCs and Transfer Impact Assessments.

1.7 "Personal Data"

Means any information relating to an identified or identifiable natural person as defined by Applicable Data Protection Laws. Personal Data may include identifiers (e.g., name, email, IP address), user-generated content, or prompt content containing Personal Data. Special Categories of Personal Data are not intended for processing unless expressly permitted in writing by the Parties.

1.8 "Personal Data Breach"

Means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data transmitted, stored, or otherwise processed by Concentrate. A breach affecting only Customer's systems or Model Provider systems not controlled by Concentrate does not constitute a breach by Concentrate.

1.9 "Processing" or "Process"

Means any operation performed on Personal Data, automated or otherwise, including collection, recording, storage, retrieval, transmission, structuring, transformation, routing, inference execution, logging, or deletion. Concentrate only Processes Customer Personal Data as necessary to provide Services and in accordance with Customer's documented instructions.

1.10 "Processor"

Means an entity that Processes Personal Data on behalf of a Controller as defined under GDPR or equivalent terms under Applicable Data Protection Laws. Concentrate acts as Processor when Processing Customer Personal Data.

1.11 "Standard Contractual Clauses" (SCCs)

Means the European Commission's Implementing Decision (EU) 2021/914 of June 4, 2021 incorporating the SCCs (Module 2: Controller → Processor), provided that Annex 1 and Annex 2 are provided herein as schedules to this DPA and are incorporated herein by this reference. The SCCs are hereby incorporated into this DPA by reference as Customer's selected transfer mechanism. The UK Addendum and Swiss Addendum apply respectively for transfers from the UK and Switzerland. See Section 1.7 for governing policy.

1.12 "Sub-processor"

Means any third-party Processor engaged by Concentrate to Process Customer Personal Data on Concentrate's behalf. Sub-processors may include hosting providers, analytics tools, Model Providers, and infrastructure vendors.

1.13 "Supervisory Authority"

Means any regulatory, governmental, or independent authority responsible for monitoring, enforcing, or interpreting data protection law, such as the European Data Protection Board, ICO (UK), Swiss FDPIC, or U.S. state privacy authorities.

1.14 "Transfer Mechanism"

Means the combination of:

  • EU SCCs Module 2,
  • UK Addendum,
  • Swiss Addendum, and
  • EU-US Privacy Framework.

Concentrate intends to rely on the EU-US Data Privacy Framework as its sole transfer mechanism. Its application is currently in review by the US Department of Commerce. This election governs all transfers initiated by Customer's use of the Services.

1.15 "UK Addendum"

Means the International Data Transfer Addendum issued by the UK Information Commissioner's Office, incorporated into this DPA by reference as applicable.

1.16 "Swiss Addendum"

Means the Swiss-specific supplemental terms required for cross-border transfers under the Swiss FADP.

2. Controller

For the purposes of this DPA and Concentrate providing the Services to Customer, Customer acts as Controller and Concentrate acts as Processor. Customer retains control of the Customer Personal Data and remains responsible for its compliance obligations under Applicable Data Protection Laws, including providing any required notices and obtaining any required consents, and for the Processing instructions Customer gives to Concentrate. Customer is solely responsible for determining what Customer Data constitutes Personal Data and ensuring its lawful submission.

Customer represents and warrants that (i) Customer will only submit for Processing by Concentrate Customer Personal Data that is consistent with the terms, scope, and purpose of the Agreement, (ii) Customer has provided all disclosures and obtained all consents required under Applicable Data Protection Laws, and (iii) Customer is authorized and permitted under Applicable Data Protection Laws to submit the Customer Personal Data for Processing by Concentrate. In no event will Customer submit Sensitive Data (as defined in Concentrate's Acceptable Use Policy) for Processing by Concentrate without prior notice to Concentrate and prior authorization from Concentrate.

3. Processing Details

Concentrate will only Process Personal Data to provide Services, including routing LLM traffic, generating Outputs, logging, analytics, security, billing, and support ("Business Purposes"), and in such a manner, as is necessary for the Business Purposes in accordance with the Customer's instructions.

Concentrate will Process the Customer Personal Data for the duration of the Agreement or as otherwise instructed by Customer or agreed in writing by the Parties.

The types of Customer Personal Data Processed by Concentrate under the Agreement are set forth in the Privacy Policy.

4. Customer Instructions

Concentrate processes only under Customer's documented instructions as set forth in the Agreement or other written instructions and as permitted under Applicable Data Protection Laws.

5. Confidentiality

Concentrate will keep the Customer Personal Data confidential and will not disclose it to any third parties without prior notice to and authorization from Customer, except as necessary to provide the Services under the Agreement, as otherwise permitted under this DPA, or as permitted under Applicable Data Protection Laws or other applicable law. Concentrate personnel with access to Customer Personal Data are bound by confidentiality standards at least as restrictive as those set forth herein.

6. Security Measures

Concentrate will implement and maintain appropriate security measures that are designed to provide the level of security for the Processing of Customer Personal Data as contemplated in this DPA. Concentrate is undergoing SOC 2 audits with Sensiba.

7. Sub-processors

Customer provides general authorization for Concentrate to engage any Sub-processors listed in the Agreement, this DPA and/or provided in the Privacy Policy. Concentrate maintains this list of Sub-processors and ensures appropriate safeguards for such Sub-processors that are substantively the same as those required of Concentrate under this DPA.

8. Data Subject Rights

Concentrate assists Customer as required. See concentrate.ai/privacy for a complete list of data rights and policies.

Concentrate shall make available to Customer information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality and security restrictions.

9. Data Protection Impact Assessments (DPIAs) and Regulatory Consultation

9.1 DPIA Support (Scope and Boundaries)

Taking into account the nature of the Processing and the information available to Concentrate, Concentrate may provide Customer with reasonable assistance in connection with Customer's Data Protection Impact Assessments ("DPIAs"), Legitimate Interest Assessments ("LIAs"), risk assessments, privacy threshold analyses, or similar regulatory or internal governance procedures required under Applicable Data Protection Laws. Such assistance may include providing high-level descriptions of Concentrate's data flows, technical and organizational security measures, routing logic, privacy-by-design controls, and architectural safeguards relevant to Customer's use of the Services.

9.2 Operational Privacy Alignment (Non-Binding)

Concentrate operates a routing architecture designed with modern privacy-by-design and privacy-by-default principles in mind, including:

  • data minimization in inference pathways;
  • ephemeral processing and optional zero-retention logging modes;
  • strict separation of duties between routing logic and model execution;
  • infrastructure isolation and compartmentalized access;
  • optional non-persistence safeguards and customer-controlled retention settings; and
  • alignment with global privacy frameworks, including GDPR Art. 5, Art. 25, and CPRA service-provider requirements.

These architectural characteristics may be described to Customer for purposes of informing Customer's DPIA, but they do not, individually or collectively, create obligations, representations, warranties, or service-level commitments for Concentrate.

9.3 Customer's Exclusive Responsibility for DPIAs

Customer acknowledges and agrees that:

  • Customer alone determines whether its use of the Services requires a DPIA;
  • Customer alone is responsible for conducting, documenting, approving, updating, and maintaining any DPIA or related assessments;
  • Concentrate does not perform, complete, certify, or sign DPIAs on behalf of Customer; and
  • Concentrate does not determine the legal basis, purpose, necessity, proportionality, or risk classification of Customer's Processing activities.

9.4 Regulatory Consultation

Where applicable and only if required under Applicable Data Protection Laws, Concentrate may provide reasonable cooperation regarding Customer's consultation with Supervisory Authorities. Such cooperation is limited to (a) providing high-level descriptions of the Services; (b) providing documentation concerning Concentrate's security measures and governance practices (including SOC 2 audit-in-progress with Sensiba); and (c) responding to clarifying questions within reasonable limits. Customer is solely responsible for:

  • determining whether a Supervisory Authority consultation is required;
  • initiating and maintaining such consultation;
  • providing all required representations, evidence, or legal justifications; and
  • ensuring accuracy and completeness of any submissions made to regulators.

9.5 No Legal Advice; No Privacy Guarantee

Any information provided by Concentrate in connection with DPIA support is informational only and does not constitute legal advice, privacy guidance, regulatory interpretation, or a determination of compliance. Concentrate assumes no responsibility for:

  • Customer's risk scoring or classification;
  • Customer's determination of high-risk Processing;
  • any approvals Customer seeks internally;
  • Customer's overall compliance posture; or
  • outcomes of Customer's DPIAs, LIAs, or regulatory consultations.

9.6 Cost Allocation

To the extent permitted by law, Concentrate may charge Customer reasonable fees for extraordinary or customized DPIA support requests, including requests requiring engineering resources, detailed architectural analysis, or bespoke documentation production.

10. Personal Data Breach Notification and Response

10.1 Breach Identification and Validation

Concentrate maintains internal operational procedures designed to detect, triage, and escalate potential security incidents. A "Personal Data Breach" is deemed to occur only after Concentrate completes an internal validation process confirming that Customer Personal Data was actually affected. Alerts, anomalies, or suspicious activity that have not been validated shall not constitute a breach for purposes of this DPA.

10.2 Notification Timing

Following confirmation of a Personal Data Breach affecting Customer Personal Data and once Concentrate determines that Customer is required to be notified under Applicable Data Protection Laws, Concentrate will notify Customer without undue delay, taking into account:

  • the legitimate needs of law enforcement or regulatory investigations;
  • the need to implement containment, remediation, or mitigation measures;
  • the sophistication, severity, and scope of the incident; and
  • the operational requirements necessary to provide accurate, non-speculative information.

10.3 Notification Content

To the extent reasonably available at the time of notification, Concentrate may provide Customer with:

  • a general description of the confirmed Personal Data Breach;
  • the categories of Customer Personal Data reasonably believed to be affected;
  • the nature and estimated scope of the incident;
  • the likely operational or security implications; and
  • the remedial actions Concentrate has taken or proposes to take.

Customer acknowledges that incident investigations evolve over time and information may be incomplete or subject to change.

10.4 Customer Responsibilities Following Notification

Customer is solely responsible for:

  • determining whether the Personal Data Breach requires notification to regulators, supervisory authorities, impacted Data Subjects, partners, or other third parties;
  • preparing and submitting any required notices;
  • evaluating the breach under Customer's legal obligations and regulatory regime; and
  • determining whether further mitigations, messaging, or public disclosures are necessary.

Concentrate does not prepare, draft, review, or approve Customer notifications, except as may be required by applicable law.

10.5 Cooperation

Concentrate may provide reasonable cooperation upon Customer's request to support Customer's regulatory obligations, limited to the information actually known and available to Concentrate. Such cooperation will not include legal advice, regulatory analysis, risk scoring, or recommendations regarding Customer's notification requirements.

10.6 Exclusions

A Personal Data Breach does not include:

  • incidents affecting Customer systems, networks, or endpoints;
  • incidents caused by Customer's misuse, configuration choices, or inadequate security controls;
  • incidents occurring within third-party Model Provider systems not operated by Concentrate;
  • harmless anomalies or false positives; or
  • unsuccessful attempts at unauthorized access that do not compromise confidentiality, integrity, or availability.

10.7 No Additional Liability

Notification of a Personal Data Breach does not constitute an admission of fault, liability, or wrongdoing by Concentrate. Concentrate's obligations under this Section are limited to the express commitments described herein, and all liability remains subject to the limitations set out in the Agreement.

11. Changes

This DPA is subject to change by Concentrate at any time by posting a revised version at www.concentrate.ai and providing written notice of such changes to Customer. Any changes to this DPA will be in effect as of the date Customer receives notice.

EXHIBIT A: AUTHORIZED SUB-PROCESSORS

As of the effective date of this Addendum, Concentrate engages the following Sub-processors to support delivery of the Services. These Sub-processors provide infrastructure hosting, data storage, security, communications, analytics, identity management, incident management, customer support, and model inference capabilities as applicable.

Infrastructure and Hosting. Concentrate currently utilizes Amazon Web Services, Inc. for cloud infrastructure and hosting services; Google LLC, including Google Workspace services such as Gmail and Drive, for internal operations and communications; Cloudflare, Inc. for content delivery, network security, and performance optimization; TigerData, Inc. for database and data infrastructure services; Twilio Inc. for messaging and communications functionality; Slack Technologies, LLC for internal communications; Intercom, Inc. for customer support and messaging; HubSpot, Inc. and HubSpot Analytics for customer relationship management and analytics; Incident IO Ltd. for incident management and response workflows; Descope, Inc. for authentication and identity services.

AI Inference Providers. Concentrate additionally engages various AI model and inference providers, including but not limited to OpenAI, Anthropic, Google Gemini, and other frontier or open-weight model providers, as well as orchestration and developer tooling providers such as Cursor and Granola AI, solely to the extent required to provide model routing, inference execution, and related platform functionality in accordance with Customer instructions.

Third-party artificial intelligence and machine learning model providers are engaged solely to perform stateless inference and model execution on Customer Inputs as part of the Services. Such providers:

  • are engaged only for on-demand inference and not for training, fine-tuning, or improving general-purpose models using Customer Personal Data;
  • Process Customer Inputs transiently, except to the extent necessary to provide the requested inference or to comply with legal obligations;
  • are contractually restricted from retaining, disclosing, or re-using Customer Personal Data for independent purposes;
  • are subject to data protection, confidentiality, and security obligations no less protective than those set forth in this DPA; and
  • may Process Personal Data in various jurisdictions depending on Customer configuration and routing preferences.

Customer acknowledges that the specific AI model providers utilized may vary based on availability, Customer selection, or technical requirements, and that Concentrate maintains an up-to-date list of such providers available upon request.

This Schedule may be updated from time to time in accordance with the Sub-processor change process described in this Addendum.

Contact

130 E 59th St
17th floor
New York, NY 10022

1201 N. Market Street
Suite 200
Wilmington, DE 19801
