This Data Processing Addendum (the "DPA") forms part of, and is incorporated by reference into, the GATA AI Terms of Service published at https://gata.ai/terms-of-service (the "Terms") between Exchester Ltd trading as GATA AI ("GATA", "Processor") and the legal entity identified as the Customer in the Terms (the "Customer", "Controller"). Capitalised terms used but not defined in this DPA have the meanings given in the Terms.
This DPA reflects the parties' agreement on the processing of Customer Personal Data in accordance with Article 28 of the UK General Data Protection Regulation ("UK GDPR") and Article 28 of Regulation (EU) 2016/679 ("EU GDPR"), and incorporates the UK International Data Transfer Agreement ("UK IDTA") and the European Commission's Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Implementing Decision (EU) 2021/914 (the "EU SCCs"), as set out in Section 7 below.
In the event of any conflict or inconsistency between (i) the EU SCCs and the UK IDTA (where applicable), (ii) this DPA, and (iii) the Terms, the order of precedence is (i) → (ii) → (iii), in each case in respect of the processing of Customer Personal Data.
1. Definitions
In this DPA the following definitions apply:
"Applicable Data Protection Laws" means (a) the UK GDPR and the Data Protection Act 2018; (b) the EU GDPR, where applicable; (c) the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR") where applicable; and (d) any other data protection or privacy law applicable to either party's performance of this DPA.
"Customer Personal Data" means any Personal Data that GATA Processes on behalf of the Customer in the course of providing the Service under the Terms. Customer Personal Data includes Personal Data contained in Customer Content (Inputs and Outputs).
"Personal Data", "Special Category Data", "Process" / "Processing", "Controller", "Processor", "Data Subject" and "Personal Data Breach" have the meanings given in the UK GDPR (and, where applicable, the EU GDPR). "Sub-processor" is defined below, since the UK GDPR and EU GDPR refer only to "another processor" (Article 28(2) and (4)).
"Restricted Transfer" means a transfer of Personal Data from the United Kingdom or the European Economic Area to a country, territory or recipient that does not benefit from an applicable adequacy regulation or decision and that is not made within an undertaking covered by binding corporate rules.
"Sub-processor" means any third party engaged by GATA to Process Customer Personal Data on the Customer's behalf in connection with the Service, including the Sub-Providers identified in the Terms.
2. Roles and Scope
2.1 Roles. In respect of Customer Personal Data, the Customer is the Controller and GATA is the Processor. Each party shall comply with its respective obligations under Applicable Data Protection Laws.
2.2 GATA-controller processing carved out. Certain processing carried out by GATA is processing for which GATA acts as a controller, including (a) processing of Account-administrator and billing-contact Personal Data for contract administration, billing, security and product improvement, (b) processing necessary to operate the Service securely (including abuse prevention, fraud prevention and audit), and (c) processing required to comply with Applicable Law. That processing is governed by the GATA Privacy Notice published at https://gata.ai/privacy and is outside the scope of this DPA.
2.3 Subject matter, duration, nature and purpose, categories of Data Subject and types of Personal Data. The subject-matter, duration, nature and purpose of the Processing, the categories of Data Subjects and the types of Personal Data are set out in Annex I (Description of Processing).
3. Customer Instructions
3.1 Documented instructions. GATA shall Process Customer Personal Data only on the documented instructions of the Customer, including with regard to transfers of Personal Data to a third country, except where required to do so by Union or Member State law (or, in the United Kingdom, the law of the United Kingdom or any part of it) to which GATA is subject; in that case, GATA shall inform the Customer of that legal requirement before Processing, unless that law prohibits doing so on important grounds of public interest.
3.2 Documented instructions defined. The Customer's documented instructions are: (a) the Terms (including the operation of the Service as configured by the Customer); (b) this DPA; (c) any executed Order Form; and (d) any further instruction issued by the Customer in writing to support@gata.ai that is consistent with (a) to (c). The Customer's use of the Service to upload Inputs, generate Outputs, configure retention, manage Authorised Users and so on constitutes ongoing documented instruction to GATA to Process Customer Personal Data accordingly.
3.3 Notice of unlawful instructions. GATA shall immediately inform the Customer if, in its opinion, an instruction from the Customer infringes Applicable Data Protection Laws. GATA may pause Processing until the matter is resolved.
3.4 No use for own purposes. Save in respect of the controller-role processing referred to in clause 2.2, GATA shall not use Customer Personal Data for its own purposes. Without limiting the foregoing and consistent with clause 6.4 of the Terms, GATA shall not use Customer Personal Data (or any other Customer Content) to train, fine-tune or improve the underlying machine-learning models offered as part of the Service, except (a) where the Customer has expressly consented in writing in a separate agreement, or (b) where such use is on data anonymised and aggregated such that no Customer or any individual is identifiable.
4. Confidentiality
GATA shall ensure that persons authorised to Process Customer Personal Data (including its personnel and the personnel of any Sub-processor) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5. Security
5.1 Technical and organisational measures. GATA shall implement appropriate technical and organisational measures to ensure a level of security of the Processing of Customer Personal Data appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The measures GATA implements as at the date of this DPA are described in Annex II (Technical and Organisational Measures).
5.2 Updates. GATA may update Annex II from time to time provided that the level of protection is not materially diminished.
5.3 Personnel training and access. GATA shall ensure that personnel with access to Customer Personal Data receive appropriate data-protection training, are subject to confidentiality obligations and have access only on a need-to-know basis.
6. Sub-processors
6.1 General authorisation. The Customer gives GATA general written authorisation, under Article 28(2) UK GDPR / EU GDPR, to engage Sub-processors to Process Customer Personal Data, subject to the conditions set out in this Section 6 and in the change-notification process at https://gata.ai/subprocessors.
6.2 Current Sub-processors. The Sub-processors engaged by GATA as at the date of this DPA are listed in Annex III (List of Sub-Processors), which is the list maintained at https://gata.ai/subprocessors as updated from time to time.
6.3 Notification of changes. GATA shall notify the Customer of any intended addition or replacement of a Sub-processor at least 30 days before the change takes effect (the "Notice Period"). Notice is given by updating the published list at https://gata.ai/subprocessors and by emailing the Account administrator (or, where the Customer has subscribed under clause 6.6, by sending an email to the subscriber address).
6.4 Right to object. The Customer may object, on reasonable data-protection grounds, to a proposed Sub-processor by giving GATA written notice of objection within 15 days of the notice given under clause 6.3. The notice of objection must set out the data-protection grounds for the objection in reasonable detail.
6.5 Resolution and termination remedy. Where the Customer objects under clause 6.4, GATA and the Customer shall discuss the objection in good faith and consider commercially reasonable alternatives (which may include workarounds or configuration changes where available; GATA does not, however, offer EU / EEA data residency or EU-only Processing as a standard or Enterprise option). If the parties cannot agree within a further 30 days, the Customer's exclusive remedy is to terminate the affected Subscription on written notice with effect at the end of the then-current Subscription Term (clause 14.2 of the Terms). For Enterprise Customers, the remedy in any executed Order Form prevails to the extent inconsistent.
6.6 Subscription to notifications. Customers may subscribe to email notifications of Sub-processor changes by emailing support@gata.ai with the subject line "Subscribe — Sub-Processor Updates".
6.7 Equivalent obligations. GATA shall enter into a written contract with each Sub-processor that imposes data-protection obligations on the Sub-processor that are no less protective of Customer Personal Data than those in this DPA, in accordance with Article 28(4) UK GDPR / EU GDPR.
6.8 Liability for Sub-processors. GATA remains fully liable to the Customer for the performance of each Sub-processor's obligations in respect of Customer Personal Data, in accordance with Article 28(4) UK GDPR / EU GDPR.
6.9 Emergency replacement. Where a Sub-processor must be replaced urgently (for example, where the existing Sub-processor has a material outage, security incident, material breach of its contract with GATA, or where required by Applicable Law), GATA may give shorter notice than the Notice Period, in which case GATA will give as much notice as is reasonably practicable in the circumstances.
7. International Transfers
7.1 Transfers. GATA may make Restricted Transfers of Customer Personal Data to Sub-processors and other recipients outside the United Kingdom and the European Economic Area, in particular to Sub-processors in the United States. The locations of Processing are set out in Annex III.
7.2 Transfer mechanisms. Each Restricted Transfer shall be made subject to an appropriate transfer mechanism. As between the Customer and GATA, and where the Restricted Transfer is from GATA in the United Kingdom or the European Economic Area to GATA's Sub-processor in a third country, the parties agree as follows:
(a) EU SCCs. The EU SCCs are incorporated by reference into this DPA. Module 3 (Processor-to-Sub-processor) applies where GATA, in the EEA, transfers Customer Personal Data to a Sub-processor outside the EEA, with GATA as data exporter and the Sub-processor as data importer. Module 2 (Controller-to-Processor) applies where the Customer is the data exporter and the Sub-processor is the data importer, in which case the EU SCCs are deemed executed between the Customer and that Sub-processor. In each case the parties agree that:
- Clause 7 (Docking clause) is not included;
- Clause 9(a) (Use of Sub-processors): Option 2 (general written authorisation) is selected. The Notice Period for sub-processor changes is 30 days, as set out in clause 6.3 of this DPA;
- Clause 11(a) (Redress): the optional language is not included;
- Clause 17 (Governing law): the EU SCCs are governed by the law of the Republic of Ireland;
- Clause 18(b) (Choice of forum and jurisdiction): the courts of the Republic of Ireland are chosen;
- Annex I (Description of transfer): the information set out in Annex I to this DPA applies, supplemented by Annex III to this DPA;
- Annex II (Technical and Organisational Measures): the information set out in Annex II to this DPA applies; and
- Annex III (List of Sub-Processors): the list at https://gata.ai/subprocessors applies.
(b) UK IDTA / UK Addendum. Where the Restricted Transfer is from the United Kingdom, the parties agree to:
- the UK Addendum to the EU SCCs issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018 (version B1.0, in force 21 March 2022) ("UK Addendum"), which is incorporated by reference and applied to the EU SCCs in (a) above; or
- at GATA's election (and where preferable having regard to the recipient), the UK International Data Transfer Agreement ("UK IDTA") issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018 (version A1.0, in force 21 March 2022), with the table information drawn from Annex I and Annex II of this DPA.
(c) Adequacy and certifications. Where a transfer mechanism in (a) or (b) is not required by reason of an applicable adequacy regulation or decision (including the UK Adequacy Regulations in respect of EEA recipients, and the EU–US Data Privacy Framework, its UK Extension and any successor framework), or where the recipient is certified under such a framework, GATA may rely on that adequacy or certification as the transfer mechanism.
(d) Conflict. In the event of any conflict between the EU SCCs (as supplemented by the UK IDTA / UK Addendum) and any other provision of this DPA, the EU SCCs (as so supplemented) prevail.
7.3 Transfer-impact assessment. GATA has carried out, and shall maintain, a transfer-impact assessment in respect of each Sub-processor outside the United Kingdom and the European Economic Area. A summary of the assessment is available on request to support@gata.ai. GATA shall take supplementary measures (technical, organisational and contractual) where the transfer-impact assessment indicates they are required.
8. Data-Subject Requests; Cooperation; Impact Assessments
8.1 Assistance with Data-Subject requests. Taking into account the nature of the Processing, GATA shall assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer's obligations to respond to requests from Data Subjects exercising their rights under Chapter III of the UK GDPR / EU GDPR (including rights of access, rectification, erasure, restriction, portability and objection). Where GATA receives a request from a Data Subject directly, GATA shall promptly forward the request to the Customer (without itself responding, save to acknowledge receipt) unless legally required to respond.
8.2 Cooperation with the Controller. Taking into account the nature of Processing and the information available to GATA, GATA shall assist the Customer in ensuring compliance with the obligations under Articles 32 to 36 UK GDPR / EU GDPR (security, breach notification, breach communication, data-protection impact assessments and prior consultation), including by providing information reasonably required by the Customer.
8.3 Personal Data Breach. GATA shall notify the Customer without undue delay (and in any event within 72 hours of becoming aware) of any Personal Data Breach affecting Customer Personal Data, providing such information as is necessary to enable the Customer to comply with its obligations under Articles 33 and 34 UK GDPR / EU GDPR. GATA's notification shall include, to the extent then known: the nature of the Personal Data Breach, the categories and approximate number of Data Subjects and Personal Data records concerned, the likely consequences, the measures taken or proposed to address it, and the contact point at GATA. GATA shall continue to provide updates as further information becomes available.
8.4 Customer's responsibility. The Customer is responsible for any notification of a Personal Data Breach to a supervisory authority or to Data Subjects under Articles 33 and 34 UK GDPR / EU GDPR.
9. Audit
9.1 Information. GATA shall make available to the Customer all information necessary to demonstrate compliance with the obligations set out in Article 28 UK GDPR / EU GDPR and this DPA. In the first instance, GATA shall do so by providing:
- this DPA, the Privacy Notice and the Sub-Processor List;
- GATA's most recent third-party security attestations, summaries or certifications, where available (e.g. SOC 2 Type II report or ISO 27001 certificate of GATA or its principal Sub-processors), redacted as reasonably necessary; and
- responses to a reasonable security questionnaire, no more than once per calendar year (save where required following a Personal Data Breach or a regulatory request).
9.2 Self-serve Customers. For Customers on a self-serve Subscription tier, the audit right is exercised through the information made available under clause 9.1 above, and on-site audits are not available.
9.3 Enterprise Customers — on-site audits. For Enterprise Customers, the Customer (or a third-party auditor instructed by the Customer who is independent of GATA's competitors and bound by appropriate confidentiality obligations) may, at the Customer's cost and on at least 60 days' prior written notice, conduct an on-site audit at GATA's premises during normal business hours, no more than once per calendar year (save where required by Applicable Data Protection Laws or following a Personal Data Breach), to verify GATA's compliance with this DPA. The audit shall be conducted in a manner that minimises disruption to GATA's business and to other GATA customers, and shall not extend to (a) information of any other GATA customer, (b) GATA's internal commercial information, or (c) any information the disclosure of which would breach Applicable Law or a duty of confidentiality owed to a third party.
9.4 Sub-processor audits. Where the Customer's audit right requires audit of a Sub-processor, GATA shall, on the Customer's reasonable written request, exercise its audit right against the relevant Sub-processor and share the resulting information with the Customer (subject to Sub-processor confidentiality obligations and redactions).
9.5 Audit reports as evidence of compliance. Where a Sub-processor's most recent SOC 2 Type II, ISO 27001, ISO 27018 or equivalent independent third-party audit report is available, that report (subject to redactions and confidentiality) is accepted by the Customer as evidence of the Sub-processor's compliance for the period it covers, and the Customer shall not require additional audit of that Sub-processor in respect of that period save where reasonably necessary.
10. Return or Deletion of Customer Personal Data
10.1 Choice on termination. On termination of the Terms or any earlier cessation of the provision of Processing services, GATA shall, at the choice of the Customer notified in writing within the 30-day Customer Content Export Window in clause 15.2 of the Terms (the "Export Window"), either return all Customer Personal Data to the Customer or delete it. In the absence of a written choice during the Export Window, GATA shall delete Customer Personal Data after the Export Window.
10.2 Backups and legal retention. GATA may retain Customer Personal Data after termination only (a) in encrypted backups, until those backups expire and are overwritten in the ordinary cycle described in Annex II, or (b) where retention is required by Applicable Law, in which case the data shall be retained only for the period required and only for the purpose required. GATA shall not actively Process retained backup data save for ordinary backup-integrity purposes, and shall delete such data when the retention purpose ceases.
10.3 Confirmation. GATA shall, on the Customer's written request, confirm in writing that deletion under clause 10.1 has been completed.
11. Term and Survival
11.1 Term. This DPA takes effect on the Effective Date of the Terms and continues until the Terms are terminated and all Processing of Customer Personal Data by GATA has ceased in accordance with clause 10.1.
11.2 Survival. The provisions of this DPA that by their nature survive termination shall do so, including this Section 11, clause 8.3 (Personal Data Breach reporting in respect of breaches occurring before termination), Section 9 (Audit, in respect of compliance during the term), Section 10 (Return or deletion) and Section 12 (Liability).
12. Liability
12.1 Cap and exclusions. Each party's liability arising out of or in connection with this DPA (including under any indemnity in this DPA) is subject to the limitations and exclusions of liability in Section 12 of the Terms. For the avoidance of doubt, all liability of GATA under this DPA is included within, and not in addition to, the aggregate liability cap in clause 12.3 of the Terms.
12.2 SCC liability. Where Clause 12 of the EU SCCs (or paragraph 12 of the UK Addendum) applies and a Data Subject obtains compensation against either party for damage caused by Processing in breach of the SCCs, that party may seek to recover from the other party that part of the compensation corresponding to that other party's responsibility for the damage, in accordance with the SCCs.
13. Governing Law and Jurisdiction
This DPA is governed by, and construed in accordance with, the laws of England and Wales, save in respect of Clause 17 of the EU SCCs and equivalent provisions of the UK IDTA / UK Addendum, which are governed as set out therein. The courts of England and Wales have exclusive jurisdiction in respect of disputes arising out of or in connection with this DPA, save where Clause 18 of the EU SCCs or the equivalent provision of the UK IDTA / UK Addendum requires otherwise.
14. General
14.1 Order of precedence. In the event of any conflict between this DPA and the Terms in respect of the Processing of Customer Personal Data, this DPA prevails, save as expressly provided in clause 18.8 of the Terms.
14.2 Notices. Notices under this DPA may be sent to support@gata.ai for GATA, and to the email address registered for the Account administrator for the Customer, in each case in accordance with Section 17 of the Terms.
14.3 Updates. GATA may update this DPA from time to time to reflect changes in Applicable Data Protection Laws, regulator guidance, or operational matters. Material changes will be notified in accordance with clause 16.2 of the Terms.
Annex I — Description of Processing
This Annex I describes the Processing of Customer Personal Data carried out by GATA on behalf of the Customer. It serves as the description required by Article 28(3) UK GDPR / EU GDPR and as the Annex I information for the EU SCCs and UK IDTA / UK Addendum.
A. List of parties
- Data exporter: the Customer (Controller). Identity: as identified in the Account at sign-up or in the Order Form. Contact: the Account administrator's email registered with GATA.
- Data importer: Exchester Ltd trading as GATA AI (Processor). Identity: Exchester Ltd, company number 12601661 (England and Wales), 2nd Floor College House, 17 King Edwards Road, Ruislip, London, HA4 7AE, United Kingdom. Contact: support@gata.ai.
B. Description of transfer / Processing
| # | Item | Detail |
|---|---|---|
| 1 | Categories of Data Subjects | (a) the Customer's Authorised Users and Account administrators; (b) individuals whose personal data appears in Customer Inputs (e.g. people depicted in uploaded video, audio, images or scripts, including identifiable likeness or voice); (c) individuals whose personal data appears in Outputs to the extent derived from such Inputs; (d) any other Data Subjects whose personal data the Customer chooses to upload to or process via the Service. |
| 2 | Categories of Personal Data | (a) Identification and contact data — names, business email addresses, organisation, role, country, language; (b) Authentication and account data — hashed passwords, login timestamps, IP addresses, session identifiers, email-verification codes; (c) Usage and product-telemetry data — Generative Operation requests and outcomes, feature usage, error logs, moderation classifications, abuse-prevention signals; (d) Customer Content (Inputs and Outputs) — including images, video, audio, scripts, prompts and reference media, which may contain (i) likeness data of identifiable individuals (face, body, distinctive physical features), (ii) voice samples, (iii) names and other identifying information referenced in scripts; (e) Communications data — content and metadata of support and operational communications; (f) Billing data — billing name, billing address, VAT/tax-registration numbers, invoice and payment-method metadata. |
| 3 | Special-Category and criminal-conviction data | The Service is not designed, supplied or marketed for the Processing of Special Category Data (Article 9 UK GDPR / EU GDPR) or criminal-conviction data (Article 10). The Customer shall not submit such data via the Service unless (i) it has notified GATA in advance and (ii) the Customer has an applicable Article 9 / Article 10 condition. Where such data is nevertheless contained in Customer Content (for example, racial / ethnic information visually inferable from likeness footage, or content related to a person's sex life or sexual orientation), the Customer warrants that an applicable lawful basis and Article 9 / Article 10 condition are in place and that all necessary safeguards have been implemented. |
| 4 | Frequency of transfer | Continuous, for the duration of the Subscription. |
| 5 | Nature of Processing | Storage; transmission to and from Sub-processors (including for foundation-model inference, image / video generation, content moderation and email delivery); generation of Outputs; security and abuse-prevention monitoring; backup; access by GATA personnel on a need-to-know basis to operate, support and secure the Service; deletion at end of retention period. |
| 6 | Purpose of Processing | Provision of the Service to the Customer in accordance with the Terms, including the operation of Generative Operations, the Credit Wallet, the moderation pipeline and customer support. |
| 7 | Retention period | As set out in Section 7 of the Privacy Notice (https://gata.ai/privacy) and replicated below: Account / contractual data — for the duration of the Subscription plus 6 years (Limitation Act 1980 s.5; Companies Act 2006 s.388); billing / transactional data — 6 years from the end of the tax period of the transaction (VATA 1994 Sch.11); Customer Content source media (Inputs) — 30 days after the relevant Generative Operation completes; Outputs — retained while the Subscription is active and for the 30-day Export Window after termination per clause 15.2 of the Terms; service-usage and product-telemetry — 13 months; email-verification codes — 15 minutes or on successful verification (whichever earlier); moderation classifications and abuse-prevention signals — 24 months; communications and support data — 3 years from closure; marketing and prospect data — 2 years from last engagement or until opt-out (whichever earlier); backups — 35 days rolling; AUP / abuse / law-enforcement records — 6 years from closure of the incident. GATA does not currently carry out recruitment activity. Customer-configurable retention may apply on Enterprise tiers under an Order Form. |
| 8 | Transfers to Sub-processors and locations | As listed in Annex III at https://gata.ai/subprocessors. GATA does not offer or guarantee EU / EEA data residency, EU-region storage or EU-only Processing; Customer Personal Data may be Processed and stored globally, including in the United States and other countries, and the locations used may change. Principal locations as at the date of this DPA: United Kingdom (AWS S3 / Bedrock / Transcribe / SES, currently eu-west-2 London); United States and other countries (fal.ai for image / video generation; ElevenLabs for voice synthesis; OpenAI for structured-output text generation; Google Cloud Vertex AI and Google Cloud Storage; Stripe; and onward parent-group transfers for AWS, Google and OpenAI). |
C. Competent supervisory authority
- Where the Customer is established in, or the Processing concerns Data Subjects in, the United Kingdom, the competent supervisory authority is the Information Commissioner's Office (ICO).
- Where the Customer is established in the EEA, the competent supervisory authority is the supervisory authority of the EU Member State of the Customer's main establishment or single establishment.
- Where the Customer is not established in the EEA but the Processing falls within the territorial scope of the EU GDPR by virtue of Article 3(2), the competent supervisory authority is the supervisory authority of the EU Member State in which the Data Subjects are predominantly located.
Annex II — Technical and Organisational Measures
This Annex II describes the technical and organisational measures implemented by GATA to ensure the security of Customer Personal Data, in accordance with Article 32 UK GDPR / EU GDPR. The measures are appropriate to the risk having regard to the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing.
GATA reviews and updates these measures from time to time. Where a measure is updated, the level of protection shall not be materially diminished.
1. Pseudonymisation and encryption
1.1 Encryption in transit. All connections to the Service are made over TLS 1.2 or higher (with TLS 1.3 preferred), with cipher suites configured to current industry guidance.
1.2 Encryption at rest. Customer Content stored in Amazon S3 is encrypted at rest using AWS-managed KMS keys (SSE-KMS) or, where configured, customer-managed KMS keys. Database storage (Amazon RDS PostgreSQL) is encrypted at rest. Backups are encrypted at rest.
1.3 Hashed credentials. Authentication credentials (passwords, email-verification codes) are stored only in hashed form using a dedicated password-hashing function (Argon2 or bcrypt; of these, Argon2 is the memory-hard option) with a unique random salt per credential, so that a disclosed hash cannot be matched against precomputed tables or reused across credentials.
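As an illustration of clause 1.3 together with the 15-minute lifetime that Annex I gives email-verification codes, the following Python is an added example and is not GATA's code. It uses hashlib.scrypt from the standard library in place of the Argon2 / bcrypt named above (scrypt is likewise memory-hard; the swap is only so the example runs without third-party packages), and the record layout, the 6-digit code format and the single-use rule are assumptions.

```python
"""Salted, memory-hard hashing of short-lived email-verification codes.

Added example, not GATA's implementation. Uses hashlib.scrypt in place of
Argon2 / bcrypt; record layout, code format and single-use handling are assumed.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

CODE_TTL_SECONDS = 15 * 60                    # Annex I: 15 minutes or until used, whichever earlier
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # ~16 MiB per hash: memory-hard, slow for an attacker


@dataclass
class StoredCode:
    """What the database keeps: never the code itself, only salt + digest + bookkeeping."""
    salt: bytes
    digest: bytes
    issued_at: float
    used: bool = False


def _hash(code: str, salt: bytes) -> bytes:
    return hashlib.scrypt(code.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def issue_code(now: Optional[float] = None) -> Tuple[str, StoredCode]:
    """Generate a 6-digit code to email to the user and the record to persist."""
    code = f"{secrets.randbelow(10 ** 6):06d}"
    salt = secrets.token_bytes(16)            # unique random salt per credential
    issued = time.time() if now is None else now
    return code, StoredCode(salt=salt, digest=_hash(code, salt), issued_at=issued)


def verify_code(submitted: str, rec: StoredCode, now: Optional[float] = None) -> Tuple[bool, str]:
    """Check a submitted code against the stored record: single use, expiring, constant-time compare."""
    now = time.time() if now is None else now
    if rec.used:
        return False, "already used"
    if now - rec.issued_at > CODE_TTL_SECONDS:
        return False, "expired"                # expiry is checked before the costly hash
    if not hmac.compare_digest(_hash(submitted, rec.salt), rec.digest):
        return False, "mismatch"
    rec.used = True                            # consume the code so a replay is refused
    return True, "ok"


if __name__ == "__main__":
    code, rec = issue_code()
    print("code sent to user:", code)
    print(verify_code("000000" if code != "000000" else "000001", rec))  # (False, 'mismatch')
    print(verify_code(code, rec))                                          # (True, 'ok')
    print(verify_code(code, rec))                                          # (False, 'already used')
```

A salted, memory-hard hash does not turn a 6-digit code into a strong secret: only a million candidates exist, so a disclosed digest can be brute-forced in about a million scrypt evaluations. The short lifetime, the single-use rule and server-side rate limiting of attempts are what make the scheme hold; the hash only prevents the code being read directly from a copied database row.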
1.4 Token security. Refresh tokens issued to Authorised Users are held in encrypted, HttpOnly cookies so that they are not readable by page script. Cross-site request forgery is defended by a double-submit cookie ("gata_csrf"): the front-end echoes the cookie's value in a request header on every state-changing request, and the backend rejects any such request where the header is absent or does not match the cookie.
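The check described in clause 1.4, written out as an added Python example that is not GATA's code. The cookie name "gata_csrf" comes from the clause; the header name "X-CSRF-Token", the set of safe methods and the request object are assumptions. The point the clause relies on is that a cross-site page can cause the browser to send the cookie but cannot read it or set a custom header, so only same-origin script can make the two values match.

```python
"""Double-submit-cookie CSRF check of the kind described in Annex II 1.4.

Added example, not GATA's implementation. Header name, safe-method set and the
Request stand-in are assumptions; only the cookie name is taken from the DPA.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

CSRF_COOKIE = "gata_csrf"
CSRF_HEADER = "x-csrf-token"                   # assumed header name, compared case-insensitively
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
MIN_TOKEN_LEN = 32


@dataclass
class Request:
    """Minimal stand-in for a framework request (constructed for the example)."""
    method: str
    cookies: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


def issue_csrf_token() -> str:
    """Unpredictable token to set as the gata_csrf cookie (Secure, SameSite=Lax or Strict).
    It must NOT be HttpOnly: the front-end script has to read it to echo it in the header."""
    return secrets.token_urlsafe(32)


def csrf_check(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Safe methods pass; state-changing requests must carry a
    cookie and a header holding the same non-trivial token, compared in constant time."""
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method"
    cookie = req.cookies.get(CSRF_COOKIE, "")
    headers = {k.lower(): v for k, v in req.headers.items()}
    header = headers.get(CSRF_HEADER, "")
    if not cookie or not header:
        return False, "missing csrf cookie or header"
    if len(cookie) < MIN_TOKEN_LEN:
        return False, "csrf token too short"   # refuses a forged, trivially short cookie
    if not hmac.compare_digest(cookie.encode(), header.encode()):
        return False, "csrf token mismatch"
    return True, "ok"


if __name__ == "__main__":
    token = issue_csrf_token()
    same_origin = Request("POST", {CSRF_COOKIE: token}, {"X-CSRF-Token": token})
    cross_site = Request("POST", {CSRF_COOKIE: token}, {})   # browser sends the cookie, no header
    print(csrf_check(same_origin))   # (True, 'ok')
    print(csrf_check(cross_site))    # (False, 'missing csrf cookie or header')
```

The length floor matters because on shared or sibling domains an attacker who can write cookies (for example from a subdomain) could plant a known gata_csrf value; a second defence against that, not shown here, is to sign the token with a server-side key so a planted value fails verification.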
2. Confidentiality, integrity, availability and resilience
2.1 Network and access controls. The Service runs on Amazon Web Services with private VPC networking and a defence-in-depth posture. Administrative access to production systems is gated behind multi-factor authentication, hardware-bound credentials where supported, IP-based access controls and just-in-time access where practical. Production access is granted on a least-privilege, need-to-know basis and is logged.
2.2 Identity and access management. GATA personnel are provisioned access through a centralised identity provider with role-based access control. Joiners, movers and leavers processes ensure timely deprovisioning. Access reviews are carried out periodically.
2.3 Segregation. Production environments are logically segregated from development and test environments; no Customer Personal Data is used in development or test environments save where strictly required and after pseudonymisation or anonymisation.
2.4 Monitoring and logging. Security-relevant events (authentication, configuration changes, Sub-processor API calls, errors) are logged to dedicated log destinations with retention and access controls. Logs are reviewed in response to anomalies and during incident response.
2.5 Resilience. The Service's core application is currently deployed in a multi-AZ configuration in eu-west-2 (London); this describes GATA's own hosting and is not a guarantee of EU / EEA data residency, which GATA does not offer (see Annex I and Section 7). Database backups are taken automatically and retained on a rolling basis for the backup retention period stated in the retention schedule in Annex I. Recovery objectives and procedures are documented internally.
3. Restoration of availability and access following an incident
3.1 Backup and recovery. Database snapshots and S3 versioning enable point-in-time recovery within the backup retention window. Restoration procedures are tested periodically.
3.2 Incident response. GATA maintains an incident-response procedure covering detection, containment, eradication, recovery, post-incident review and notification. The procedure includes the Personal Data Breach notification timelines in clause 8.3 of this DPA.
4. Process for regularly testing, assessing and evaluating effectiveness
4.1 Vulnerability management. GATA runs automated dependency, container and infrastructure scanning in its CI/CD pipeline and remediates findings according to a documented severity-based SLA.
4.2 Application security. GATA follows secure-development practices including code review, static analysis, automated tests, secrets-scanning, and pre-deployment review of changes that affect Personal Data Processing.
4.3 Sub-processor assurance. GATA reviews the security and privacy posture of its Sub-processors at engagement and periodically thereafter, relying primarily on independent third-party attestations (SOC 2 Type II, ISO 27001 / 27017 / 27018) and on the Sub-processor's published documentation. AWS, fal.ai and Stripe maintain extensive published security and compliance materials.
4.4 Penetration testing. GATA intends to commission independent third-party penetration testing of the Service on a periodic basis once the user base materially scales. In the interim GATA relies on Sub-processor attestations, which cover the Sub-processors' own infrastructure and services rather than GATA's application layer, and on the security architecture choices described in this Annex II.
5. Personal-data minimisation, quality and retention
5.1 Minimisation. GATA collects only the Customer Personal Data necessary to provide the Service and to comply with Applicable Law.
5.2 Quality. Customers can correct or delete Customer Personal Data through the Service's interfaces. Data-subject rights requests routed to GATA are processed in accordance with Section 8 of this DPA.
5.3 Retention. Customer Personal Data is retained in accordance with the retention schedule in the Privacy Notice and Annex I, and deleted thereafter.
6. User identification and authorisation
6.1 Authentication. Authorised Users authenticate with an email address, which must be verified, and a password. GATA may from time to time add multi-factor authentication and single-sign-on options on a tier-by-tier basis.
6.2 Authorisation. Access to Customer Content is scoped to the Account and Authorised Users associated with that Account. Cross-Account access is not possible through the standard Service interfaces.
7. Physical security
7.1 Data-centre security. All Customer Personal Data hosted by GATA is held within AWS facilities. AWS is responsible for the physical security of its facilities; the controls are described in AWS's published compliance materials and certifications.
7.2 GATA facilities. GATA's offices and personnel devices are subject to standard endpoint-management measures (full-disk encryption, screen lock, mobile device management for managed devices).
8. Sub-processor management
Sub-processor management is addressed in Section 6 of this DPA (Sub-processors) and in Annex III.
9. Personnel reliability
9.1 Vetting. GATA carries out reasonable pre-engagement checks on personnel, proportionate to role.
9.2 Confidentiality. All GATA personnel and contractors are subject to written confidentiality obligations.
9.3 Training. GATA personnel receive data-protection and security awareness training.
10. Special categories of data
The Service is not designed, supplied or marketed for the Processing of Special Category Data or criminal-conviction data, and GATA's measures are not specifically calibrated to such data. Where the Customer wishes to Process such data via the Service, additional safeguards must be agreed in writing under an Order Form.
11. Provenance and AI-specific measures
11.1 No training on Customer Content. As stated in clause 6.4 of the Terms and clause 3.4 of this DPA, Customer Content is not used to train, fine-tune or improve GATA's underlying models, save as expressly permitted there.
11.2 Sub-Provider configuration. GATA configures Sub-Provider services (including Amazon Bedrock and fal.ai) to opt out of training on Customer Content where the Sub-Provider offers such an option, and contracts with Sub-Providers on terms that prohibit such training without GATA's authorisation.
11.3 Provenance signals. GATA preserves provenance signals (such as content credentials or watermarks) where they are produced by the underlying model and where it is technically practicable to do so; the Customer is prohibited from removing or interfering with such signals (see clause 5.6 of the AUP).
Annex III — List of Sub-processors
Annex III is the list of Sub-processors maintained at https://gata.ai/subprocessors, which is updated in accordance with the change-notification process in Section 6 of this DPA. The version current as at the "Last updated" date of this DPA is incorporated by reference.
A high-level summary of the categories of Sub-processor in use as at 9 June 2026 is set out below.
| Sub-processor | Service / role | Processing location |
|---|---|---|
| Amazon Web Services (Amazon S3) | Object storage | UK (eu-west-2) |
| Amazon Web Services (Amazon Bedrock) | Foundation-model inference; content moderation | UK (eu-west-2) primarily; fallback to EEA / US regions for some models |
| Amazon Web Services (Amazon Transcribe) | Speech-to-text transcription for the localisation pipeline | UK (eu-west-2) |
| Amazon Web Services (Amazon SES) | Transactional email | UK (eu-west-2) |
| fal.ai, Inc. | Image / video generation; lip-sync | United States |
| ElevenLabs, Inc. | Text-to-speech and dialogue voice synthesis | United States |
| OpenAI Ireland Limited | Structured-output text generation (script parsing, shot extraction) | United States and other countries (no EU data-residency guarantee) |
| Google Cloud EMEA Limited (Vertex AI and Google Cloud Storage) | Gemini foundation-model inference and video analysis; object storage of localisation video uploads | United States and other countries; some operations currently in the EEA (europe-west4, Netherlands), but no EU data-residency guarantee |
| Stripe Payments Europe, Limited / Stripe Payments UK, Limited | Subscription billing and payment processing | EEA (Ireland) and onward to United States under Stripe's intra-group transfer mechanisms |
Refer to the live list at https://gata.ai/subprocessors for the up-to-date description of Processing, the personal-data categories Processed, the location of Processing and the transfer mechanism applied to each Sub-processor.