SingleBase Data Processing Agreement (DPA)

Effective Date: Oct 1 2025
Last Updated: Oct 1 2025

This Data Processing Agreement ("DPA") forms part of the SingleBase Terms of Service between SingleBase ("Processor") and the customer ("Controller") for the processing of Personal Data in connection with SingleBase services, including AI-powered features.

1. Definitions

1.1 General Definitions

"Personal Data": Information relating to an identified or identifiable natural person
"Processing": Any operation performed on Personal Data, including AI processing
"Data Subject": An identified or identifiable natural person whose Personal Data is processed
"Supervisory Authority": An independent public authority responsible for monitoring GDPR compliance
"Data Protection Laws": GDPR, CCPA, and other applicable privacy regulations

1.2 AI-Specific Definitions

"AI Processing": Use of artificial intelligence, machine learning, or automated systems to analyze, generate, or transform data
"Training Data": Data used to develop, train, or improve AI models
"Inference Data": Data processed by AI models to generate outputs or predictions
"Model Outputs": Results, predictions, or content generated by AI systems
"Biometric Data": Personal data resulting from technical processing relating to physical, physiological, or behavioral characteristics

2. Scope and Application

2.1 Services Covered

This DPA applies to all SingleBase services including:

Document database storage and management
User authentication and authorization
File storage and processing
AI Services:
- Vector database operations and similarity search
- Large Language Model (LLM) processing and content generation
- Image processing, enhancement, and computer vision
- Generative AI content creation
- Document intelligence and automated analysis

2.2 Data Categories

Personal Data processed may include:

Identity Data: Names, usernames, email addresses
Contact Data: Phone numbers, addresses, communication preferences
Technical Data: IP addresses, device identifiers, usage logs
Content Data: Files, documents, images, text submitted for processing
Biometric Data: Facial features, voice patterns (when explicitly provided)
Behavioral Data: Usage patterns, preferences, interaction history

3. Processing Activities and Purposes

3.1 Standard Processing Activities

SingleBase processes Personal Data for:

Service provision and account management
Technical support and system maintenance
Security monitoring and fraud prevention
Legal compliance and regulatory requirements

3.2 AI Processing Activities

LLM Processing: Analyzing text input to generate responses, summaries, or translations
Vector Operations: Converting content to mathematical representations for similarity search
Image AI: Detecting objects, enhancing images, generating visual content
Document AI: Extracting information, answering questions about documents
Predictive Analytics: Generating insights and recommendations based on data patterns

3.3 Model Training and Improvement

Aggregate Analysis: Using anonymized data patterns to improve AI models
Performance Optimization: Enhancing accuracy and speed of AI processing
Safety Enhancement: Developing better content filtering and harm detection
Bias Mitigation: Improving fairness and reducing discriminatory outcomes

4. Controller and Processor Obligations

4.1 Controller Responsibilities

The Controller warrants that:

It has lawful basis for processing under applicable Data Protection Laws
It has obtained necessary consents for AI processing where required
It will not process special categories of Personal Data without explicit consent
It will provide clear privacy notices to Data Subjects about AI processing
It has authority to share Personal Data with SingleBase for specified purposes

4.2 Processor Responsibilities

SingleBase will:

Process Personal Data only as instructed by the Controller
Implement appropriate technical and organizational security measures
Assist with Data Subject rights requests and impact assessments
Notify the Controller of Personal Data breaches without undue delay
Delete or return Personal Data upon termination of services

4.3 AI-Specific Obligations

Transparency: Provide information about AI processing capabilities and limitations
Fairness: Implement measures to detect and mitigate algorithmic bias
Accuracy: Maintain reasonable accuracy standards for AI outputs
Human Oversight: Enable human review of automated decisions where required

5. Data Transfers and International Processing

5.1 International Transfers

Personal Data may be transferred to and processed in multiple jurisdictions
Transfers are protected by appropriate safeguards including Standard Contractual Clauses
We maintain current adequacy decisions and certification mechanisms

5.2 AI Processing Locations

AI processing may occur in different regions for performance optimization
Vector databases may be distributed across multiple data centers
Model inference may be performed in the region closest to the user

5.3 Transfer Mechanisms

Standard Contractual Clauses (SCCs): For transfers outside adequate jurisdictions
Adequacy Decisions: Where available for destination countries
Binding Corporate Rules: For intra-group transfers
Explicit Consent: Where required by applicable law

6. Security Measures

6.1 Technical Safeguards

Encryption: End-to-end encryption for data in transit and at rest
Access Controls: Multi-factor authentication and role-based access
Network Security: Firewalls, intrusion detection, and monitoring
Secure Development: Security-by-design principles in all systems

6.2 AI Security Measures

Model Isolation: AI models operate in isolated environments
Input Validation: Screening inputs for malicious or harmful content
Output Filtering: Post-processing to remove inappropriate generated content
Differential Privacy: Techniques to protect individual privacy in training data

6.3 Organizational Measures

Regular security training for personnel with data access
Background checks for employees handling Personal Data
Incident response procedures and breach notification protocols
Regular security audits and vulnerability assessments

7. Data Subject Rights

7.1 Standard Rights

SingleBase will assist the Controller in fulfilling Data Subject requests for:

Access: Providing information about processing activities
Rectification: Correcting inaccurate or incomplete Personal Data
Erasure: Deleting Personal Data where legally required
Restriction: Limiting processing under certain circumstances
Portability: Providing data in machine-readable formats

7.2 AI-Specific Rights

Automated Decision-Making: Information about AI systems affecting individuals
Human Review: Access to human oversight of automated decisions
Explanation: Meaningful information about AI decision logic where feasible
Bias Reporting: Mechanisms to report suspected discriminatory outcomes

7.3 Response Procedures

SingleBase will respond to Data Subject requests within 30 days
Complex requests may require additional time with appropriate notification
Some AI processing limitations may prevent complete data retrieval
Anonymized data used for model training cannot be reversed or deleted

8. Data Retention and Deletion

8.1 Retention Periods

Active Data: Retained while necessary for service provision
Log Data: Retained for up to 12 months for security and debugging
Backup Data: Retained according to backup and disaster recovery policies
AI Training Data: Anonymized insights may be retained indefinitely

8.2 AI Data Lifecycle

Processing Data: Deleted immediately after AI processing completion
Vector Embeddings: Retained to maintain search functionality
Model Parameters: Aggregated learnings retained for model improvement
Safety Examples: Harmful content samples retained for safety system enhancement

8.3 Deletion Procedures

Secure deletion using industry-standard methods
Verification of deletion completion where technically feasible
Some AI model improvements cannot be reversed once integrated
Legal holds may prevent deletion in specific circumstances

9. Subprocessors and Third Parties

9.1 Authorized Subprocessors

Current subprocessors are listed at [URL] and include:

Cloud infrastructure providers
AI model providers for specialized processing
Security and monitoring service providers
Payment processing and billing services

9.2 Subprocessor Requirements

All subprocessors must:

Provide adequate data protection guarantees
Process Personal Data only for specified purposes
Implement appropriate security measures
Allow audits and compliance monitoring

9.3 Changes to Subprocessors

Controllers will be notified of new subprocessors with 30 days' notice
Controllers may object to new subprocessors on reasonable grounds
Alternative arrangements will be made for objected subprocessors where possible

10. Data Protection Impact Assessments

10.1 DPIA Requirements

SingleBase will assist with DPIAs when:

AI processing is likely to result in high risk to Data Subjects
Large-scale processing of special categories of Personal Data occurs
Systematic monitoring or automated decision-making is involved
Biometric data is processed for identification purposes

10.2 AI Risk Assessment

Special consideration for:

Algorithmic Bias: Risk of discriminatory outcomes
Automated Decisions: Impact on individual rights and freedoms
Data Inference: Potential to derive sensitive information
Model Transparency: Ability to explain AI decisions

11. Personal Data Breaches

11.1 Notification Procedures

SingleBase will notify the Controller within 72 hours of becoming aware of a breach
Notifications will include nature of breach, categories and numbers of Data Subjects affected
Likely consequences and mitigation measures will be described
Contact information for further inquiries will be provided

11.2 AI-Specific Breach Scenarios

Model Compromise: Unauthorized access to AI models or training data
Output Contamination: AI systems generating harmful or biased content
Data Leakage: Personal Data inadvertently included in AI outputs
Adversarial Attacks: Malicious manipulation of AI systems

12. Audits and Compliance

12.1 Audit Rights

Controllers may audit SingleBase compliance with this DPA
Audits may be conducted by qualified third-party assessors
Reasonable notice and coordination required for audit activities
Audit costs borne by requesting party unless violations are found

12.2 Compliance Certifications

SingleBase maintains relevant certifications including:

SOC 2 Type II compliance
ISO 27001 information security management
Additional AI-specific certifications as they become available

13. Liability and Indemnification

13.1 Limitation of Liability

SingleBase liability is limited to direct damages arising from DPA violations
Total liability shall not exceed the fees paid for services in the preceding 12 months
Force majeure events and third-party actions are excluded

13.2 AI-Specific Limitations

No guarantee of AI output accuracy or fitness for specific purposes
Controller responsible for validating AI outputs before use
Liability excluded for AI-generated content that violates third-party rights

14. Term and Termination

14.1 Term

This DPA remains in effect for the duration of the SingleBase Terms of Service.

14.2 Termination Effects

Upon termination:

SingleBase will cease processing Personal Data except as required by law
Personal Data will be deleted or returned as instructed by the Controller
AI model improvements based on Controller data cannot be reversed
Anonymized insights may be retained for legitimate business purposes

15. Governing Law and Disputes

15.1 Governing Law

This DPA is governed by the laws of [Jurisdiction] and applicable Data Protection Laws.

15.2 Dispute Resolution

Disputes will be resolved through good faith negotiation
Supervisory Authority complaints may be filed where applicable
Court proceedings in jurisdiction of Controller's establishment for GDPR matters

16. Contact Information

16.1 Data Protection Officer

Email: dpo@singlebase.com
Address: [DPO Address]

16.2 Legal Department

Email: legal@singlebase.com
Address: [Legal Department Address]

17. Amendments

This DPA may be amended to reflect changes in Data Protection Laws or service capabilities. Material changes will be communicated with 30 days' notice, and continued use of services constitutes acceptance of amendments.

Appendix A: Technical and Organizational Measures

A.1 Data Center Security

Physical access controls and 24/7 monitoring
Environmental controls and backup power systems
Secure disposal of hardware containing Personal Data
Geographic distribution for disaster recovery

A.2 AI Infrastructure Security

Model Isolation: AI models run in containerized environments
Secure Training: Training data encrypted and access-controlled
Output Validation: Generated content screened for safety and privacy
Version Control: AI model versions tracked and secured

A.3 Access Management

Role-based access control with principle of least privilege
Multi-factor authentication for all administrative access
Regular access reviews and automated deprovisioning
Privileged access monitoring and logging

A.4 Data Lifecycle Management

Automated data classification and labeling
Retention policy enforcement through automated systems
Secure deletion procedures with verification
Data minimization practices in AI processing

Appendix B: AI Processing Details

B.1 Large Language Model Processing

Input Handling: Text sanitized and validated before processing
Context Management: Conversation context managed with privacy controls
Output Generation: Responses generated without storing personal context
Safety Filtering: Content automatically screened for harmful material

B.2 Vector Database Operations

Embedding Generation: Text converted to numerical vectors using privacy-preserving techniques
Similarity Search: Vector comparisons performed without exposing source content
Index Management: Vector indexes optimized while maintaining data isolation
Query Processing: Search queries processed without storing query history

B.3 Image AI Processing

Upload Security: Images scanned for malware and inappropriate content
Feature Extraction: Visual features processed without storing original images
Enhancement Processing: AI improvements applied while preserving privacy
Synthetic Generation: New images created without retaining training examples

B.4 Document Intelligence

Text Extraction: Document parsing with content type validation
Semantic Analysis: Content understanding without long-term storage
Question Answering: Responses generated from temporary document analysis
Summarization: Key points extracted without retaining full document content

Appendix C: Incident Response Procedures

C.1 Incident Classification

Level 1: Minor incidents with no Personal Data impact
Level 2: Moderate incidents with potential privacy implications
Level 3: Major incidents requiring regulatory notification
Level 4: Critical incidents with significant Data Subject impact

C.2 Response Timeline

Detection: Automated monitoring with 24/7 alert systems
Assessment: Initial impact evaluation within 2 hours
Containment: Immediate measures to prevent further exposure
Notification: Controller notification within 72 hours as required

C.3 AI-Specific Incidents

Model Compromise: Unauthorized access to AI models or parameters
Training Data Exposure: Accidental inclusion of Personal Data in model outputs
Bias Detection: Identification of discriminatory AI behavior
Safety Failures: AI systems generating harmful or inappropriate content

Appendix D: Data Subject Rights Implementation

D.1 Rights Request Procedures

Request Verification: Identity confirmation using secure methods
Scope Assessment: Determination of data locations and processing activities
AI Processing Review: Evaluation of automated decision-making involvement
Response Preparation: Compilation of requested information or actions
Delivery: Secure transmission of response to verified Data Subject

D.2 AI-Specific Rights Handling

Automated Decision Information: Details about AI systems affecting the individual
Logic Explanation: Meaningful information about AI decision-making where possible
Bias Investigation: Review of potential discriminatory impacts
Human Review Access: Provision of human oversight where legally required

D.3 Technical Limitations

Anonymized Data: Cannot identify or retrieve anonymized training data
Distributed Processing: Data may be processed across multiple systems
Model Integration: AI improvements cannot be reversed once incorporated
Real-time Processing: Some processing occurs without permanent storage

This Data Processing Agreement is effective as of [Date] and forms an integral part of the SingleBase Terms of Service. By using SingleBase services, both parties acknowledge and agree to the terms set forth in this DPA.

For questions regarding this DPA, contact:

Data Protection Officer: dpo@singlebase.com
Legal Department: legal@singlebase.com
AI Ethics Team: ai-ethics@singlebase.com

SingleBase Data Processing Agreement (DPA)

1. Definitions​

1.1 General Definitions​

1.2 AI-Specific Definitions​

2. Scope and Application​

2.1 Services Covered​

2.2 Data Categories​

3. Processing Activities and Purposes​

3.1 Standard Processing Activities​

3.2 AI Processing Activities​

3.3 Model Training and Improvement​

4. Controller and Processor Obligations​

4.1 Controller Responsibilities​

4.2 Processor Responsibilities​

4.3 AI-Specific Obligations​

5. Data Transfers and International Processing​

5.1 International Transfers​

5.2 AI Processing Locations​

5.3 Transfer Mechanisms​

6. Security Measures​

6.1 Technical Safeguards​

6.2 AI Security Measures​

6.3 Organizational Measures​

7. Data Subject Rights​

7.1 Standard Rights​

7.2 AI-Specific Rights​

7.3 Response Procedures​

8. Data Retention and Deletion​

8.1 Retention Periods​

8.2 AI Data Lifecycle​

8.3 Deletion Procedures​

9. Subprocessors and Third Parties​

9.1 Authorized Subprocessors​

9.2 Subprocessor Requirements​

9.3 Changes to Subprocessors​

10. Data Protection Impact Assessments​

10.1 DPIA Requirements​

10.2 AI Risk Assessment​

11. Personal Data Breaches​

11.1 Notification Procedures​

11.2 AI-Specific Breach Scenarios​

12. Audits and Compliance​

12.1 Audit Rights​

12.2 Compliance Certifications​

13. Liability and Indemnification​

13.1 Limitation of Liability​

13.2 AI-Specific Limitations​

14. Term and Termination​

14.1 Term​

14.2 Termination Effects​

15. Governing Law and Disputes​

15.1 Governing Law​

15.2 Dispute Resolution​

16. Contact Information​

16.1 Data Protection Officer​

16.2 Legal Department​

17. Amendments​

Appendix A: Technical and Organizational Measures​

A.1 Data Center Security​

A.2 AI Infrastructure Security​

A.3 Access Management​

A.4 Data Lifecycle Management​

Appendix B: AI Processing Details​

B.1 Large Language Model Processing​

B.2 Vector Database Operations​

B.3 Image AI Processing​

B.4 Document Intelligence​

Appendix C: Incident Response Procedures​

C.1 Incident Classification​

C.2 Response Timeline​

C.3 AI-Specific Incidents​

Appendix D: Data Subject Rights Implementation​

D.1 Rights Request Procedures​

D.2 AI-Specific Rights Handling​

D.3 Technical Limitations​