Purpose of this page
This is not a signed data processing agreement. It explains the issues a customer and supplier may need to address when personal data is processed through a website, SaaS platform, implementation project or support relationship.
Governance & Legal
Data Processing Information
This page explains data processing themes that may be relevant when organisations review EUAIC services.
This page is written for website visitors, procurement teams, compliance reviewers and prospective customers. It is intended to make EUAIC’s website terms and policy position clear without pretending to be legal advice.
AIEU
Read policy
Check scope
Review responsibilities
Contact EUAIC
Govern
Govern
Controller and processor roles
The customer may act as controller for personal data it enters into a service, while the supplier may act as processor depending on the agreed service scope. Roles must be confirmed in the relevant agreement.
Documented instructions
Where processor obligations apply, processing should be limited to documented customer instructions, service operation, support, maintenance, security, troubleshooting, legal obligations and any other agreed purposes.
Security measures
Relevant agreements should consider access control, authentication, backups, hosting, logging, support access, incident handling, deletion, return of data and technical measures appropriate to the service.
Sub-processors
Third-party providers may be used for hosting, infrastructure, support, communication, security, analytics or operational tooling. Sub-processor information should reflect the live service and agreed contract.
Deletion and return
Customer data return or deletion should be handled according to the applicable agreement, lawful retention requirements, backup limitations and operational feasibility.
Customer instructions and configuration
Where a customer controls how the platform is configured and what information is entered, the customer remains responsible for ensuring the data is lawful, accurate, necessary and suitable for the intended processing. The supplier’s role should be limited to the agreed service and documented instructions where processor obligations apply.
Support access
Support or technical staff may need limited access to service information to diagnose issues, apply updates, investigate security events or assist with customer requests. Access should be controlled, proportionate and aligned to the service agreement.
Data protection impact assessments
Some AI governance uses may require the customer to complete a data protection impact assessment or other risk assessment. EUAIC can support records and evidence workflows, but the customer remains responsible for assessing its own processing and deployment context.
How this policy should be read
This page is written for website visitors and corporate reviewers. It should be read together with the Legal Notice, Privacy Policy, Cookie Policy and Terms of Use. Where a customer has a signed agreement, order form, statement of work, data processing addendum or service schedule, that document will take priority over this general website wording for the relevant service.
Contact and review
Questions about this policy can be raised through the EUAIC contact route. A useful enquiry should identify the page, the concern, the affected service or communication, and any relevant reference. Policies should be reviewed when the website, service model, supplier stack, cookie configuration, platform features or customer contracting process changes.
Important note
These website policies are written for clear corporate communication. They do not replace a signed agreement, formal legal advice, regulatory advice, security assurance or a customer-specific data processing addendum.
Legal pages
Related EUAIC policies
Use these pages to review privacy, cookies, terms, security, accessibility and responsible AI information in a structured way.
Privacy PolicyUnderstand how EUAIC handles website enquiries, business contact details, communication records, privacy rights and retention.TermsRead EUAIC website terms covering acceptable access, intellectual property, no legal advice, external links and liability boundaries.AccessibilityRead EUAIC accessibility principles for responsive layouts, readable structure, clear navigation and inclusive website improvement.Legal CentreAccess EUAIC legal information including privacy, cookies, terms, legal notice, security, GDPR, accessibility and responsible AI policies.Cookie PolicyRead how the EUAIC website may use essential cookies, analytics cookies, security technologies and visitor preferences.Acceptable UseReview acceptable use expectations for EUAIC website access, enquiry forms, security, communication and responsible conduct.GDPR ComplianceReview EUAIC GDPR principles for website enquiries, data minimisation, retention, rights requests and responsible communication.Security StatementReview EUAIC security principles for website protection, access control, monitoring, maintenance and responsible reporting.Sub-processorsReview how EUAIC may approach third-party providers, hosting, infrastructure, analytics, communication tools and customer review.Service LevelsUnderstand EUAIC service level themes for availability, planned maintenance, support expectations and incident handling.Refunds & CancellationReview EUAIC refund and cancellation principles for subscriptions, implementation, consulting, custom work and agreed contracts.Anti-SpamRead EUAIC anti-spam principles for responsible business emails, communication quality, unsubscribe handling and sender reputation.Intellectual PropertyReview EUAIC intellectual property rules for website content, branding, graphics, software descriptions and design materials.ComplaintsLearn how to raise EUAIC website, enquiry, service, privacy, security, accessibility or billing concerns for professional review and response.Responsible AIReview EUAIC responsible AI principles covering governance, oversight, transparency, evidence, risk review and accountability.AI Governance DisclaimerRead the EUAIC disclaimer explaining that AI compliance information is general and does not replace professional advice.Legal NoticeReview EUAIC legal notice information including company identity, website ownership, intellectual property and professional advice limitations.Responsible DisclosureRead EUAIC responsible disclosure expectations for reporting security issues safely, privately and without unauthorised exploitation.Data RetentionReview EUAIC data retention principles for enquiries, communication records, website logs, service records and deletion requests.Modern SlaveryRead EUAIC’s modern slavery and ethical trading statement for responsible business conduct and supplier awareness.Equality & InclusionRead EUAIC’s equality, diversity and inclusion statement for respectful access, communication and responsible business culture.
Questions
Frequently asked questions
Is this a signed DPA?
No. It is information only.
Who decides controller and processor roles?
Roles depend on the service, data, instructions and contract.
Should customers request a DPA?
Yes, where the service involves processing personal data on behalf of a customer.