Data Processing Agreement
Parties
This Data Processing Agreement ("DPA") forms part of the Terms of Service or applicable project agreement between the customer and AI360Layer.
AI360Layer legal entity: ROIG CERRUDO ANA 000950091R SL
Registered address: MAO 22 B2, 08022 Barcelona, Spain
Privacy contact: contact@ai360layer.com
1. Roles
Customer is the Controller of Personal Data. AI360Layer processes Personal Data as Processor only on Customer's documented instructions and solely to provide the Services.
2. Scope of processing
Categories of data subjects: customer personnel, business contacts, users, leads, customers, suppliers or other individuals whose data appears in business systems connected or provided by the customer.
Categories of personal data may include:
- Account owner and authorized user details such as business email and name.
- CRM, support or sales records provided or authorized by the customer.
- E-commerce, accounting, ERP, operations, inventory, marketing and advertising records where they contain personal data.
- CSV/manual upload data, connector metadata and operational logs.
AI360Layer applies data minimization and prefers aggregated or business-level data where personal data is not required for the service.
3. Purpose limitation
AI360Layer uses Personal Data only to provide data integration, reporting, AI-assisted analysis, daily briefs, alerts, client portal functionality and related consulting services for the Customer.
4. Security
AI360Layer implements appropriate technical and organizational measures, including:
- Encryption in transit via HTTPS/TLS.
- Access controls and least-privilege access.
- Tenant-level data separation where the portal or database is used.
- Restricted handling of credentials, API tokens and service-role keys.
- Monitoring and incident response procedures appropriate to the service.
5. Subprocessors
AI360Layer may use subprocessors to provide the Services, including hosting, database, authentication, email delivery, CRM, monitoring, AI processing and related operations. A current list of subprocessors is available upon request at contact@ai360layer.com.
6. Data retention and deletion
Personal Data is retained only for as long as necessary to provide the Services or comply with legal obligations. Upon account termination or valid deletion request, AI360Layer will delete or return Customer data within a reasonable period unless retention is required by law or agreed otherwise.
7. Data subject requests
AI360Layer will provide reasonable assistance to Customer in responding to data subject requests, including access, correction, deletion or restriction requests, as required by applicable law.
8. Audit and compliance
AI360Layer will provide reasonable information needed to demonstrate compliance upon written request, subject to confidentiality, security and operational requirements.
9. International transfers
Where Personal Data is transferred outside the EEA, UK or Switzerland, AI360Layer will ensure appropriate safeguards are in place, such as standard contractual clauses or equivalent legal mechanisms.
10. Liability
Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service or applicable project agreement.