This Data Processing Addendum (DPA) forms part of the agreement between Customer and Ampthilly AB, organisationsnummer 559588-0724, with registered office at Bjännberg 121, 905 72 Hörnefors, Sweden (Processor or AMPthilly), where AMPthilly processes Personal Data on behalf of Customer in connection with the AMPthilly Services at https://ampthilly.com, https://app.ampthilly.com, and related subdomains.
Capitalised terms not defined here have the meanings in the Terms of Service or the main agreement between the parties (Agreement). If the Agreement and this DPA conflict on data protection matters, this DPA prevails to the extent of the conflict.
Standard customers: This DPA is incorporated by reference into the Terms; no separate signature is required when you use the Services under the Terms.
Enterprise customers may request a countersigned copy at hello@ampthilly.com.
1. Roles and scope
Customer is the controller (or a processor acting on behalf of another controller) of Personal Data submitted to the Services. AMPthilly processes Personal Data as a processor solely on Customer’s documented instructions, including through the Agreement, this DPA, Customer’s use of product features, and lawful written instructions.
AMPthilly may process limited Personal Data as an independent controller for account administration, billing, security, and compliance, as described in the Privacy Policy.
2. Instructions
AMPthilly will process Personal Data only on Customer’s instructions unless required by EU, EEA, UK, or Swedish law, in which case AMPthilly will inform Customer of that requirement unless prohibited from doing so. Customer instructs AMPthilly to process Personal Data to provide, maintain, secure, and support the Services, including hosting, backups, logging, AI Features, and approved subprocessors.
3. AI Features and model training
AMPthilly provides AI Features powered by Google (the Gemini API) engaged as a subprocessor. AMPthilly does not, and contractually requires that Google does not, use Customer Personal Data or AI interactions to train, fine-tune, or improve any AI or machine-learning model. Customer Personal Data is processed by AI Features only to generate and return responses to Customer’s authorised users.
4. Confidentiality
AMPthilly ensures that persons authorised to process Personal Data are bound by confidentiality obligations (contractual or statutory).
5. Security measures
AMPthilly implements appropriate technical and organisational measures, considering the state of the art, costs, and risks, including:
| Area | Measures (summary) |
|---|---|
| Access control | Role-based access, least privilege, authentication for production systems |
| Encryption | Encryption in transit (TLS); encryption at rest for production databases where supported by infrastructure |
| Logging and monitoring | Audit logs for administrative access; monitoring for availability and security events |
| Development | Secure development practices, dependency review, separation of environments |
| Vendor management | Subprocessors bound by written data protection terms |
| Business continuity | Backups and recovery procedures appropriate to the Services |
| Incident response | Documented process for identifying, containing, and notifying breaches |
Further detail is available on request for enterprise security reviews at hello@ampthilly.com.
6. Subprocessors
Customer authorises AMPthilly to engage subprocessors, which must be bound by written terms imposing data protection obligations substantially similar to this DPA.
Current subprocessors
| Subprocessor | Activity | Location |
|---|---|---|
| Vercel | Application and website hosting, CDN | EU/US with safeguards |
| Supabase | Database, authentication, storage, backups | EU/EEA |
| Cloudflare | CDN, security, edge protection | Global (with SCCs as needed) |
| Stripe | Subscription billing | EU/US with safeguards |
| Google (Gemini API) | Powering AI Features | Global; EU/US with safeguards |
| Resend | Transactional and product email | EU/US with safeguards |
AMPthilly will notify Customer of intended additions or replacements of subprocessors, providing at least 30 days’ notice where practicable. Customer may object on reasonable data-protection grounds within 14 days of notice. If the parties cannot resolve the objection, Customer may terminate the affected Services as its sole remedy.
7. International transfers
Where Personal Data is transferred outside the EEA/UK, AMPthilly implements appropriate safeguards, including:
- EU Standard Contractual Clauses (2021/914) Module Two (controller to processor) or Module Three (processor to processor), incorporated by reference;
- the UK International Data Transfer Addendum where UK GDPR applies; and/or
- transfers to countries with an adequacy decision.
Customer may request copies of applicable transfer mechanisms at hello@ampthilly.com.
8. Assistance to Customer
Taking into account the nature of processing, AMPthilly will assist Customer with responding to data subject requests; the security of processing and personal data breach notifications; and data protection impact assessments and prior consultation with supervisory authorities where required by law. Reasonable fees may apply for assistance beyond standard support if permitted by the Agreement.
9. Personal data breach
AMPthilly will notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer Personal Data, and will provide reasonably available information to help Customer meet its obligations as controller.
10. Return and deletion
Upon termination of the Services or on Customer’s written request, AMPthilly will delete or return Personal Data within 90 days, except where retention is required by law or where encrypted backups are purged on their normal cycle (typically within 90 days). Customer is responsible for exporting Content before termination where export features are available.
11. Audits and information
AMPthilly will make available information reasonably necessary to demonstrate compliance with this DPA, including security summaries and subprocessor lists. Customer may conduct audits no more than once per year on 30 days’ written notice, during business hours, without unreasonably disrupting operations, subject to confidentiality and safety requirements. Customer bears its own audit costs unless an audit reveals material non-compliance attributable to AMPthilly. AMPthilly may provide third-party certifications or reports in lieu of on-site audits where agreed.
12. Customer obligations
Customer shall:
- Have a lawful basis under applicable data protection law for all Personal Data and instructions;
- Not instruct AMPthilly to process unlawful data or for unlawful purposes;
- Configure roles and access appropriately within the product;
- Inform data subjects and provide privacy notices as required;
- Ensure special-category data is only submitted where lawful and necessary, with appropriate safeguards;
- Respond to data subject requests where Customer is controller.
Customer indemnifies AMPthilly for claims arising from Customer’s unlawful instructions or lack of lawful basis, to the extent permitted by the Agreement.
13. Liability
Liability under this DPA is subject to the limitations and exclusions in the Agreement, except where prohibited by applicable data protection law.
14. Order of precedence
This DPA supplements the Agreement. In case of conflict on data protection matters, this DPA controls.
Annex A - Description of processing
| Field | Details |
|---|---|
| Subject matter | Provision of AMPthilly asset management SaaS |
| Duration | Term of the Agreement plus the deletion period in Section 10 |
| Nature and purpose | Hosting, storage, retrieval, organisation, display, transmission, backup, support, security, and AI-assisted querying of Customer Content containing Personal Data |
| Categories of data subjects | Customer’s employees, contractors, and other authorised users; individuals identified in asset records (assignees, approvers, contacts) |
| Types of Personal Data | Names, work emails, roles, identifiers, assignment and audit metadata, AI queries, support communications, approximate location (city/country) derived from IP at login where enabled, and other fields Customer chooses to store |
| Special categories | Not intended; Customer must not submit special-category data unless agreed in writing |
| Frequency | Continuous during use of the Services |
| Retention | As described in Section 10 and the Privacy Policy |
Annex B - Technical and organisational measures
See Section 5. Customer is responsible for configuring roles, access, and integrations within the product according to its policies.
Annex C - Subprocessors
See Section 6. Updated lists are provided on request at hello@ampthilly.com.
Annex D - Standard Contractual Clauses
Where required for transfers from the EEA, the parties agree that the EU Commission Standard Contractual Clauses (2021/914) are incorporated by reference, with:
- Module Two (controller to processor) for transfers from Customer to AMPthilly;
- Module Three (processor to processor) for onward transfers to subprocessors where applicable;
- Customer as data exporter and AMPthilly as data importer;
- optional clauses and appendices completed by the details in Annexes A–C;
- governing law and jurisdiction as specified in the Agreement (Sweden), without limiting data subjects’ rights under the GDPR.
For UK transfers, the UK Addendum to the EU SCCs applies as issued by the ICO.
Contact
DPA questions, subprocessors, or security documentation: hello@ampthilly.com.