Data Processing Addendum

Effective 2026-06-13. Forms part of the Simple Council Terms of Service when GDPR, UK GDPR, or comparable data-protection law applies to your processing.

1. Roles

You (the customer) are the data controller for personal data uploaded to or generated within your workspace. Simple Intelligence Group, Inc. is the data processor acting on documented instructions in these Terms and the in-product UI.

2. Scope of processing

  • Subject matter: AI agent governance, compliance evidence collection, policy enforcement, and auditor export.
  • Duration: the term of your subscription plus the retention window in the Privacy Policy.
  • Categories of data subjects: your employees, contractors, and authorized end users.
  • Categories of personal data: identification (name, email, Entra tid), workspace activity, and the metadata you choose to include in evidence and audit rows.

3. Sub-processors

Sub-processorPurposeLocation
Microsoft AzureHosting, Postgres, Front Door, Key VaultUS
Anthropic, PBCBlueprint mapping + report summarizationUS
Stripe, Inc.Subscription billing (direct plans)US
Twilio SendGridTransactional email (when configured)US

We notify you at least 30 days before adding a new sub-processor by updating this page and emailing workspace admins. You may object in writing; if we cannot accommodate the objection you may terminate the affected subscription for the remainder of the term and receive a prorated refund.

4. International transfers

Where personal data is transferred out of the European Economic Area or the United Kingdom we rely first on the EU-US Data Privacy Framework and the UK Extension where applicable, and on the Standard Contractual Clauses (Module Two) approved by the European Commission as a fallback. The UK International Data Transfer Addendum supplements the Clauses for UK transfers.

5. Security measures

Technical and organizational measures are summarized at /security. They are reviewed at least annually and updated as the threat landscape evolves.

6. Audit rights

Once per twelve months you may audit Simple Intelligence's compliance with this DPA. Audits are conducted on at least 30 days' written notice during business hours and may be satisfied by current SOC 2 Type 2 or ISO 27001 attestations published on the Trust center.

7. Sub-processor notification

To subscribe to sub-processor change notifications write to dpa@simpleintelligence.io.