Data Processing Agreement

Version 1.0 · Last updated: May 17, 2026

Request Signed DPA
This DPA is for enterprise and educational customers who require GDPR or CCPA compliance documentation. For a countersigned PDF, email privacy@aiscern.com.

1. Parties and Scope

This Data Processing Agreement ("DPA") is entered into between Aiscern ("Data Processor" or "we") and the customer organisation using Aiscern services ("Data Controller" or "you").

This DPA supplements the Terms of Service and governs the processing of personal data that the Data Controller submits to Aiscern for AI content detection.

This DPA applies where the processing of personal data is subject to:

  • The EU General Data Protection Regulation (GDPR 2016/679)
  • The UK GDPR and Data Protection Act 2018
  • The California Consumer Privacy Act (CCPA) as amended by CPRA
  • Any other applicable data protection legislation

2. Definitions

  • "Personal Data" — any information relating to an identified or identifiable natural person
  • "Processing" — any operation performed on Personal Data (collection, storage, analysis, deletion)
  • "Data Subject" — the individual whose Personal Data is being processed
  • "Sub-processor" — a third-party processor engaged by Aiscern to process Personal Data
  • "Security Incident" — a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to Personal Data

3. Processing Details

3.1 Subject Matter

Aiscern processes personal data contained in content submitted for AI detection analysis (text documents, images, audio, video).

3.2 Duration

Processing continues for the duration of the customer's subscription. Upon termination, personal data is deleted within 30 days unless retention is required by law.

3.3 Nature and Purpose

Processing is performed solely to provide AI content detection results to the Data Controller. No secondary processing for Aiscern's own purposes occurs without explicit consent.

3.4 Types of Personal Data

  • Written content (text documents, emails, essays) that may contain names, identifiers, or personal opinions
  • Images, audio, or video that may contain biometric data (faces, voices)
  • User account identifiers (email, username) for authentication
  • Usage metadata (timestamps, scan counts, IP addresses)

3.5 Categories of Data Subjects

End-users of the Data Controller's organisation; individuals whose content is submitted for analysis.

4. Processor Obligations

Aiscern agrees to:

  • Process Personal Data only on documented instructions from the Data Controller (i.e., providing detection results)
  • Ensure all personnel authorised to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures (see Section 6)
  • Not engage new Sub-processors without informing the Data Controller (see Section 5)
  • Assist the Data Controller in responding to Data Subject rights requests
  • Assist with security impact assessments and breach notifications as required by GDPR Articles 32–36
  • Delete or return all Personal Data upon termination of the agreement
  • Make available all information necessary to demonstrate compliance with GDPR Article 28

5. Sub-processors (Annex A)

Aiscern engages the following sub-processors. By accepting this DPA you authorise their use:

| Sub-processor | Purpose | Data Location | Transfer Mechanism |
|---|---|---|---|
| Clerk (clerk.com) | Authentication & identity | US (AWS) | SCC |
| Supabase (supabase.com) | Database & API | EU / US (AWS) | SCC |
| Vercel (vercel.com) | Application hosting & serverless | US / Edge | SCC |
| Cloudflare (cloudflare.com) | CDN, R2 storage, D1 database | Global edge | SCC |
| Google Gemini API | AI inference (text/image detection) | US (Google) | SCC |
| Hugging Face (huggingface.co) | AI model inference (text/audio) | US (AWS) | SCC |
| Upstash (upstash.com) | Rate limiting (hashed IPs only) | US / EU | SCC |

SCC = Standard Contractual Clauses (EU Commission Decision 2021/914). Copies available on request. We will notify you 30 days before adding new sub-processors.

6. Security Measures (Annex B)

Aiscern implements the following technical and organisational measures:

6.1 Access Control

  • Row-level security (RLS) on all database tables — users can only access their own data
  • Service role keys stored only in server environment variables, never exposed to browsers
  • Multi-factor authentication required for all Aiscern team members
  • Principle of least privilege enforced across all infrastructure

6.2 Encryption

  • TLS 1.3 for all data in transit
  • AES-256 encryption for data at rest (Supabase, Cloudflare R2)
  • API keys stored as SHA-256 hashes — plaintext never persisted
  • HSTS with preload enforced for all web traffic

6.3 Availability & Resilience

  • Deployed on Vercel Edge Network with global redundancy
  • Database backups performed daily by Supabase
  • File storage on Cloudflare R2 with automatic redundancy

6.4 Incident Response

  • Security incidents logged and triaged within 24 hours
  • Data breaches reported to affected customers within 72 hours (GDPR Article 33)
  • Vulnerability disclosure: security.txt

7. International Data Transfers

Personal data may be transferred to and processed in the United States and other countries outside the EEA. Where such transfers occur, Aiscern relies on Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914) as the legal transfer mechanism.

Copies of applicable SCCs are available upon written request to privacy@aiscern.com.

8. Data Subject Rights Assistance

Aiscern will assist the Data Controller in fulfilling Data Subject rights requests within 5 business days of receiving a written request. This includes access, rectification, erasure, portability, restriction, and objection requests.

Submit requests to: privacy@aiscern.com

9. Audit Rights

The Data Controller may, with 30 days' written notice, conduct (or commission a qualified third-party auditor to conduct) an audit of Aiscern's processing activities to verify compliance with this DPA. Audits are limited to once per year and must not unreasonably disrupt Aiscern's operations.

10. Liability and Indemnification

Each party shall be liable for damages caused by processing that infringes applicable data protection law. Aiscern's total liability under this DPA shall not exceed the amounts paid by the Data Controller in the 12 months preceding the claim, except in cases of gross negligence, wilful misconduct, or a personal data breach caused by Aiscern's failure to comply with this DPA.

11. Execution

This DPA becomes effective when the Data Controller accepts Aiscern's Terms of Service or, for enterprise customers, upon execution of a signed DPA addendum. To request a countersigned PDF version of this DPA, contact:

Aiscern
Email: privacy@aiscern.com
Subject: "DPA Request — [Your Organisation Name]"