Data Processing Agreement · v1.0 · 2026-06-03
The terms behind every brokerage’s data.
This is the Article 28 GDPR agreement under which AI Broker processes personal data on behalf of brokerage customers. It governs roles, security, sub-processors, international transfers, and your rights as controller. Executed alongside the platform agreement.
This is AI Broker’s standard DPA template, published for review. The binding agreement is the version executed between AI Broker and a specific Customer, which may be tailored to that engagement. Nothing on this page is legal advice; each party should take its own advice before signature.
01—Parties and definitions
Who this binds.
This Data Processing Agreement (“DPA”) is entered into between the brokerage identified in the Order Form or signature block (the “Controller” or “Customer”) and SUD TECH LIMITED, a company registered in the Republic of Ireland and trading as “AI Broker”, registered office Waterford, Ireland (the “Processor”, “AI Broker”, “we”). It forms part of, and is governed by, the agreement between the parties for the use of the AI Broker platform and the Aoibhe agent (the “Principal Agreement”).
“GDPR” means Regulation (EU) 2016/679. “Applicable Data Protection Law” means the GDPR and the Irish Data Protection Act 2018, together with any successor or implementing legislation. “Personal Data”, “processing”, “controller”, “processor”, “sub-processor”, “data subject”, and “personal data breach” have the meanings given in the GDPR. “SCCs” means the Standard Contractual Clauses in Commission Implementing Decision (EU) 2021/914.
Where this DPA conflicts with the Principal Agreement on the subject of personal data processing, this DPA prevails.
02—Roles and scope
Controller decides. Processor executes.
The Customer is the controller of the personal data it submits to, or processes through, the AI Broker platform — including its own clients’ conversation content, documents, and contact details. AI Broker is the processor and processes that personal data only to provide the service.
For AI Broker’s own account-administration, billing, marketing, and website analytics, AI Broker acts as an independent controller; that processing is described in our Privacy Policy and is outside the scope of this DPA.
The subject matter, duration, nature, purpose, types of personal data, and categories of data subjects are set out in Annex 1.
03—Documented instructions
Only on your instructions.
AI Broker processes personal data only on the Customer’s documented instructions, including with regard to international transfers, unless required to do otherwise by EU or Member State law — in which case AI Broker informs the Customer before processing, unless that law prohibits such notice on important grounds of public interest.
The Principal Agreement, this DPA, and the configuration choices the Customer makes in the platform constitute the Customer’s complete and final documented instructions. Additional instructions require written agreement and may be charged where they fall outside the service.
AI Broker informs the Customer without delay if, in its opinion, an instruction infringes Applicable Data Protection Law.
04—Confidentiality
Personnel are bound.
AI Broker ensures that persons authorised to process the personal data are subject to a binding duty of confidentiality and process the data only on instruction.
Access to Customer personal data is limited to personnel who need it to provide or support the service, and is logged.
05—Security
Appropriate measures, Article 32.
AI Broker implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as set out in Annex 2. These include encryption of personal data at rest and in transit, tenant isolation, scoped authentication, and an end-to-end audit trail of agent actions.
AI Broker regularly tests and reviews the effectiveness of these measures and may update Annex 2 provided the changes do not materially reduce the overall level of security.
06—Sub-processors
Authorised, listed, notified.
The Customer grants AI Broker general written authorisation to engage sub-processors. The current sub-processors are published and kept current at aibroker.ie/subprocessors and reproduced in Annex 3.
AI Broker imposes on each sub-processor, by written contract, data protection obligations no less protective than those in this DPA, and remains fully liable to the Customer for each sub-processor’s performance.
AI Broker gives the Customer at least 30 days’ notice before engaging a new sub-processor or replacing an existing one. The Customer may object on reasonable data-protection grounds within that period; if the parties cannot resolve the objection, the Customer may terminate the affected part of the service.
07—International transfers
EU by default. US only at the model hop.
Customer personal data is stored in the European Union (database) and all application and workflow compute runs in an EU region (Vercel dub1, Dublin). Transactional email is delivered from within the EU.
Large language model inference and text embeddings are routed through the Vercel AI Gateway to AI providers (Anthropic and OpenAI) and are processed in the United States. These constitute transfers to a third country under Chapter V GDPR. Each transfer is governed by the SCCs within the processor chain and, where the recipient is certified, by the EU-US Data Privacy Framework. The Vercel AI Gateway operates Zero Data Retention: prompts and responses are deleted after each request and are not retained by the gateway or used to train any model.
No Customer personal data is used to train AI models. Where any transfer relies on the SCCs, they are incorporated by reference and completed by the details in Annexes 1 and 3.
On request, AI Broker provides the information a Customer needs to complete its own transfer impact assessment.
08—Data subject rights
We help you answer.
Taking into account the nature of the processing, AI Broker assists the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer’s obligation to respond to requests to exercise data subject rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, and objection).
Where a data subject contacts AI Broker directly about Customer data, AI Broker promptly forwards the request to the Customer and does not respond substantively itself, unless instructed by the Customer.
The platform provides Customer-initiated export and deletion functions to support these requests.
09—Breach notification
Notified without undue delay.
AI Broker notifies the Customer without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting Customer personal data.
The notification describes, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it. AI Broker provides further information as it becomes available.
AI Broker does not notify a supervisory authority or data subjects on the Customer’s behalf unless instructed; the obligation to notify under Articles 33 and 34 rests with the Customer as controller.
10—DPIA assistance
Support for your accountability.
Taking into account the nature of the processing and the information available to it, AI Broker assists the Customer in ensuring compliance with its obligations under Articles 32 to 36 GDPR — including security of processing, data protection impact assessments, and prior consultation with a supervisory authority.
AI Broker maintains a model DPIA and data-flow documentation that Customers may use as an input to their own assessment.
11—Return and deletion
Yours to take back or erase.
On termination or expiry of the service, AI Broker, at the Customer’s choice, returns or deletes all Customer personal data, and deletes existing copies, unless EU or Member State law requires storage.
Customer-initiated deletion is completed within 14 calendar days of request. Residual copies in rolling operational backups are purged within 30 days.
12—Audit
Evidence on reasonable notice.
AI Broker makes available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR, and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor it mandates.
Audits take place on reasonable prior notice, no more than once per 12-month period except following a personal data breach or at the requirement of a competent authority, during business hours, and without unreasonable disruption to AI Broker’s operations. The Central Bank of Ireland’s information-access rights as a competent authority are preserved.
13—Liability and law
Governed by Irish law.
Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Principal Agreement.
This DPA takes effect on the effective date of the Principal Agreement and continues for as long as AI Broker processes Customer personal data. Clauses that by their nature should survive termination do so.
This DPA is governed by the laws of Ireland, and the parties submit to the exclusive jurisdiction of the courts of Ireland.
A1—Annex 1 — Details of processing
What is processed.
Subject matter: provision of the AI Broker platform and the Aoibhe agent — multi-channel conversation triage, summarisation, knowledge-base retrieval, and human-approved draft responses for the Customer’s brokerage.
Duration: for the term of the Principal Agreement and any agreed retention period thereafter.
Nature and purpose: collection, consultation, organisation, storage, retrieval, analysis, classification, summarisation, draft generation, sharing within the controller-processor chain, and deletion or export.
Types of personal data: client identity and contact data (name, email, phone, address, Eircode, date of birth); policy and quote data; the content of conversations, enquiries, and uploaded documents; and channel and audit metadata. Special category data is not solicited but may appear incidentally in claims or incident content; such cases are escalated to a human broker.
Categories of data subjects: the Customer’s clients and prospective clients, related third parties referenced in communications, and the Customer’s own staff who use the platform.
A2—Annex 2 — Technical & organisational measures
How it is protected.
Encryption: personal data encrypted at rest with AES-256-GCM and application-managed keys; field-level encryption of client PII, conversation messages, notifications, OAuth refresh tokens, and channel credentials; TLS in transit.
Isolation: tenant separation enforced at the database (row-level security) and the application layer (per-request business identifier).
Access control: scoped authentication tokens per surface; least-privilege personnel access; access logging.
Integrity: inbound webhooks are signature-verified before processing.
Auditability: every agent action writes an audit row (agent run, classifier, verifier, citation grounding, AI disclosure, human override, data request), reconstructable end-to-end.
Residency: EU data storage; EU-region application and workflow compute; US processing limited to model inference and embeddings under SCCs / DPF with Zero Data Retention.
Resilience: rolling operational backups with a 30-day retention window.
A3—Annex 3 — Sub-processors
The current list.
The authoritative, dated list of sub-processors — with the service each provides, its processing region, and the applicable transfer mechanism — is published at aibroker.ie/subprocessors and is incorporated into this DPA by reference. AI Broker notifies Customers of changes as set out in clause 06.
Contact
Request the signable DPA.
To receive the executable DPA, ask a sub-processor question, or raise a data-protection matter, email support@aibroker.ie. AI Broker is operated by SUD TECH LIMITED, registered in the Republic of Ireland, Waterford. CRO number available on request.