DRAFT — under legal review. This DPA is a placeholder pending counsel review and is not yet suitable for signature by enterprise customers. A signed PDF version will be offered at general availability.
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Saltare Machina Corporation, a corporation with its registered address at 1449 S Michigan Ave, STE 13683, Chicago, IL 60605, United States ("Saltare" or "Processor"), and Customer ("Controller") and governs the processing of Customer Personal Data in connection with the Service.
Terms used in this DPA but not defined have the meaning given in the GDPR (Regulation (EU) 2016/679) or the UK GDPR, as applicable. "Customer Personal Data" means personal data contained in Workspace Content that Customer submits to the Service.
Customer is the Controller and Saltare is the Processor of Customer Personal Data. Saltare processes Customer Personal Data solely on documented instructions from Customer, which include these Terms and the configuration Customer selects in the Service.
Subject matter: Provision of the Saltare collaborative workspace, including AI agent features, task management, document editing, databases, and connector integrations.
Duration: For the duration of the Customer's subscription plus the applicable retention and deletion periods.
Nature and purpose: Storing, transmitting, indexing, searching, and generating AI-assisted responses from Customer Personal Data to provide the Service.
Data subjects: Customer's end users, contacts, collaborators, and any individuals described in content Customer uploads.
Categories of data: Identifiers, contact details, content authored by data subjects, and any other personal data Customer chooses to submit.
Saltare will: (a) process Customer Personal Data only on Customer's documented instructions; (b) ensure personnel authorised to process Customer Personal Data are bound by confidentiality; (c) implement appropriate technical and organisational measures (see Annex II); (d) assist Customer with data subject requests; (e) notify Customer without undue delay of any Personal Data Breach.
Customer provides general authorisation for Saltare to engage the subprocessors listed at /legal/subprocessors. Saltare will provide at least 30 days' prior notice of any intended addition or replacement, during which Customer may object for reasonable grounds. Saltare will impose contractual obligations on subprocessors no less protective than this DPA.
Where Customer Personal Data is transferred outside the EEA, UK, or Switzerland, such transfers are governed by the EU Standard Contractual Clauses (2021/914) and, for UK transfers, by the UK International Data Transfer Addendum. The SCCs are incorporated into this DPA by reference, with Module Two (Controller-to-Processor) applying.
Saltare implements the technical and organisational measures described in Annex II below. These include encryption in transit (TLS 1.2+), encryption at rest for sensitive credentials, network isolation, access controls, audit logging, and regular vulnerability review.
Saltare will notify Customer without undue delay, and in any case within 72 hours of becoming aware of a Personal Data Breach involving Customer Personal Data. The notice will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken.
Saltare will, taking into account the nature of the processing, assist Customer by appropriate technical and organisational measures, insofar as possible, in responding to requests for exercising data subject rights (access, rectification, erasure, restriction, portability, objection).
On termination of the Service, Saltare will delete Customer Personal Data within 30 days, unless retention is required by law. Customer may export data via the self-serve export flow before termination.
Saltare will make available to Customer all information necessary to demonstrate compliance with this DPA, and allow for audits (including inspections) conducted by Customer or an auditor mandated by Customer, subject to reasonable notice and confidentiality obligations. Third-party certifications (SOC 2, ISO 27001, when available) satisfy this obligation.
Captured in Sections 3 above.
For DPA execution or questions, contact [email protected] or by mail:
Saltare Machina Corporation Attn: Data Protection 1449 S Michigan Ave, STE 13683 Chicago, IL 60605, United States Phone: +1 (888) 804-8426