This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the C0RTEX Terms of Service between the Customer and Perfect Paradox Ltd. It applies automatically to every Customer of the Service and does not need to be requested separately.
Between:
Perfect Paradox Ltd, a company registered in Northern Ireland (Company Number NI739317) ("Processor", "Perfect Paradox");
and
The Customer identified in the applicable C0RTEX subscription ("Controller", "Customer").
Together the "Parties".
(A) The Customer subscribes to C0RTEX, a cloud-hosted AI customer-support chatbot operated by Perfect Paradox on the Customer's behalf.
(B) In delivering the Service, Perfect Paradox processes personal data contained in the Customer's hosted Instance on the Customer's behalf. The Customer is the controller and Perfect Paradox is the processor of that data.
(C) This DPA sets out the terms required by Article 28 of the UK GDPR and applicable data protection law and supplements the Terms of Service and Privacy Policy.
The Customer is the Controller of Instance Data. Perfect Paradox is the Processor of Instance Data and processes it solely on the Customer's documented instructions to provide the Service.
Separately, Perfect Paradox is an independent controller for the limited business/account data it collects directly from the Customer (described in the Privacy Policy); that data is outside the scope of this DPA except where expressly stated.
This DPA governs all Processing of Instance Data by Perfect Paradox as Processor in the course of providing the Service.
Perfect Paradox shall:
(a) process Instance Data only on the Controller's documented instructions, including with regard to international transfers, unless required by law (in which case Perfect Paradox will inform the Controller, where legally permitted). The Controller's complete and final set of documented instructions is constituted by the Terms of Service, this DPA, and the configuration and use of the Service through its features; any processing outside that scope requires the Parties' prior written agreement;
(b) inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Law;
(c) ensure that persons authorised to process Instance Data are bound by appropriate confidentiality obligations;
(d) implement appropriate technical and organisational security measures under Article 32 (see Annex B);
(e) engage Sub-processors only in accordance with Section 5;
(f) not use Instance Data to train, fine-tune, or improve general-purpose AI models, and process Instance Data solely to provide the Service to the Controller;
(g) taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in responding to Data Subject rights requests (access, rectification, erasure, restriction, portability, objection) relating to Instance Data;
(h) assist the Controller in ensuring compliance with its obligations under Articles 32–36 (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of Processing and information available to Perfect Paradox;
(i) at the Controller's choice, delete or return all Instance Data at the end of the provision of the Service, and delete existing copies unless retention is required by law (see Section 9);
(j) make available to the Controller all information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, including inspections, in accordance with Section 8.
The Controller shall:
(a) ensure it has a valid lawful basis and, where required, has obtained necessary consents for the Processing of Instance Data, including any End User personal data submitted through the Widget;
(b) provide End Users with appropriate privacy information and disclose that they are interacting with an AI system;
(c) issue only lawful instructions and be responsible for the accuracy and legality of Instance Data;
(d) not submit, and take reasonable steps to prevent End Users from submitting, special category data (Article 9 UK GDPR) unless it has a valid Article 9 condition and has instructed Perfect Paradox accordingly in writing (see Annex A);
(e) be responsible, as Controller, for responding to Data Subjects and to supervisory authorities in respect of Instance Data, with Perfect Paradox's assistance as set out in Section 3.
The Controller grants general authorisation for Perfect Paradox to engage Sub-processors to provide the Service, subject to this Section. The current Sub-processors are listed in Annex C.
Perfect Paradox shall impose on each Sub-processor, by written contract, data protection obligations no less protective than those in this DPA, and remains liable to the Controller for the Sub-processor's performance.
Perfect Paradox shall give the Controller at least thirty (30) days' notice of the addition or replacement of a Sub-processor (e.g. by email or dashboard notice). The Controller may object on reasonable data protection grounds within fourteen (14) days. If the objection cannot be reasonably resolved, the Controller may terminate the affected Service on notice as its sole remedy.
Where Perfect Paradox (or a Sub-processor) transfers Instance Data outside the United Kingdom, it shall ensure an appropriate transfer mechanism is in place, namely: a UK adequacy regulation; the UK International Data Transfer Agreement (IDTA); or the UK Addendum to the EU SCCs (and the EU SCCs where the EU GDPR applies), together with a transfer risk assessment where required.
The location of the hosting provider and any LLM/AI provider used for the Service is set out in Annex C. Where any such provider is located outside the UK, the mechanism in Section 6.1 applies. Where all such providers are located within the UK or an adequate jurisdiction, no additional transfer mechanism is required for the relevant data.
Perfect Paradox shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Instance Data, and in any event in time to allow the Controller to meet its own notification obligations (Articles 33–34 UK GDPR).
The notification shall include, to the extent known: the nature of the breach (including, where possible, categories and approximate numbers of Data Subjects and records); the likely consequences; the measures taken or proposed; and a point of contact.
Perfect Paradox shall take reasonable steps to mitigate the breach and cooperate with the Controller's investigation and remediation.
Perfect Paradox shall make available information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits conducted by the Controller (or an independent auditor mandated by it), on reasonable prior notice (not less than thirty (30) days), during business hours, no more than once per year (unless required following a Personal Data Breach or by a supervisory authority), and subject to confidentiality.
Perfect Paradox may satisfy audit requests by providing relevant up-to-date certifications or third-party audit reports (e.g. ISO 27001 or SOC 2) where available.
On termination or expiry of the Service, Perfect Paradox shall, at the Controller's choice, delete or return all Instance Data and delete existing copies within thirty (30) days, unless retention is required by law. The Controller may export Instance Data through the Service prior to deletion. After the agreed period, Perfect Paradox shall securely delete remaining Instance Data, including from backups in the ordinary backup-rotation cycle.
Liability under this DPA is subject to the limitations and exclusions in the Terms of Service, except for any liability that cannot lawfully be limited under Applicable Data Protection Law. In the event of conflict between this DPA and the Terms of Service on data-protection matters, this DPA prevails.
This DPA takes effect when the Customer accepts the Terms of Service and continues for as long as Perfect Paradox processes Instance Data on the Customer's behalf.
This DPA is governed by the laws of Northern Ireland and, where applicable, the United Kingdom, and the courts of Northern Ireland have exclusive jurisdiction, consistent with the Terms of Service.
Annex A: Details of Processing

| Field | Description |
|---|---|
| Subject matter | Hosting and operation of a C0RTEX Instance providing AI customer-support chatbot functionality on the Controller's behalf |
| Duration | The term of the Customer's subscription, plus the deletion/return period in Section 9 |
| Nature of processing | Storage, indexing, retrieval (RAG), generation of text responses, transmission, and deletion of Instance Data |
| Purpose | Providing the C0RTEX Service: answering End User support queries from the Customer's Knowledge Base |
| Categories of Data Subjects | The Customer's End Users (e.g. website visitors); persons referenced in the Customer's Knowledge Base |
| Categories of Personal Data | Identifiers, contact details and any content that End Users choose to include in chat messages; Knowledge Base content; conversation logs; derived embeddings |
| Special category data | Not intended by default. The Customer must not submit special category data (Article 9 UK GDPR) unless it has a valid Article 9 condition and has instructed Perfect Paradox accordingly in writing. If the Customer operates in the health sector (e.g. a dental/orthodontic clinic) and health data may be processed, the Parties must agree additional safeguards (e.g. a reinforced Article 9 clause and, where required, a DPIA) before such processing begins. |
| Frequency | Continuous, for the duration of the subscription |
Annex B: Technical and Organisational Security Measures

| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ for all connections |
| Encryption at rest | AES-256-GCM encryption of stored Instance Data (gocryptfs on per-client encrypted volumes) |
| Access control | Role-based access, least privilege, MFA for administrative access |
| Tenant isolation | Logical isolation of each Customer Instance |
| Logging and monitoring | Audit logging and security monitoring |
| Confidentiality | Staff bound by confidentiality obligations |
| Availability/resilience | Backups and disaster-recovery procedures |
| Incident response | Documented incident-response process |
| No AI model training | Instance Data is not used to train or fine-tune general-purpose AI models |
| Sub-processor management | Written contracts with Article 28 flow-down |
Annex C: Sub-processors

| Sub-processor | Purpose | Data processed | Location | Transfer mechanism |
|---|---|---|---|---|
| Hostinger (UAB Hostinger / Hostinger International Ltd) | Hosting of the Service and Instances | Instance Data | European Union (Lithuania) | UK adequacy (EU member state) |
| Anthropic PBC (Claude Haiku API) | Generation of chatbot responses | Query context derived from Instance Data | United States | UK International Data Transfer Agreement (IDTA) |
| Resend (Resend, Inc.) | Transactional email (where Instance-related notifications are sent) | Email address, message content | United States | UK IDTA / UK Addendum to EU SCCs |
Paddle (Paddle.com Market Ltd) acts as Merchant of Record at the controller level for billing data and does not process Instance Data; it is therefore not a Sub-processor under this DPA and is covered in the Privacy Policy for transparency.
Perfect Paradox Ltd (Company Number NI739317)
DPA / privacy enquiries: info@perfectparadox.co.uk
36 Manse Gate, Newtownards, BT23 4DG, Northern Ireland, United Kingdom