Data Processing Agreement
Last updated: 6 April 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Akaro AI, Inc. ("Processor") and the customer ("Controller") and governs the processing of personal data in connection with the Akaro Services, in accordance with GDPR Article 28.
1. Definitions
- Controller: The customer who determines the purposes and means of processing personal data.
- Processor: Akaro AI, Inc., which processes personal data on behalf of the Controller.
- Personal Data: Any information relating to an identified or identifiable natural person as defined in GDPR Article 4.
- Processing: Any operation performed on personal data, including collection, storage, use, and deletion.
2. Nature and purpose of processing
Akaro processes personal data solely to provide the Services described in the Terms of Service, including:
- Storing and indexing documents uploaded by the Controller
- Generating AI-assisted answers from the Controller's knowledge base
- Managing user accounts and access controls
- Providing audit trails and analytics
3. Types of personal data processed
- Account data: names, email addresses, job titles
- Content data: documents, files, and their contents as uploaded by the Controller
- Usage data: access logs, feature usage, query history
4. Processor obligations
Akaro shall:
- Process personal data only on documented instructions from the Controller
- Ensure persons authorised to process data are bound by confidentiality
- Implement appropriate technical and organisational security measures (Article 32)
- Assist the Controller in responding to data subject rights requests
- Assist the Controller with data breach notifications and DPIAs where required
- Delete or return all personal data at the end of the service relationship
- Provide all information necessary to demonstrate compliance with this DPA
5. Security measures
Akaro implements the following technical and organisational measures:
- AES-256 encryption of data at rest
- TLS 1.3 encryption of data in transit
- Role-based access control following the principle of least privilege
- Multi-factor authentication for all staff accessing production systems
- Annual third-party penetration testing
- SOC 2 Type II certification
- Incident response plan with defined notification timelines
6. Sub-processors
Akaro uses the following sub-processors. We will notify customers at least 30 days before engaging any new sub-processor.
7. International transfers
Where personal data is transferred outside the EEA (e.g., to OpenAI in the United States), Akaro relies on Standard Contractual Clauses (SCCs) approved by the European Commission, or other appropriate transfer mechanisms.
8. Data breach notification
In the event of a personal data breach, Akaro will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. Notification will include the nature of the breach, categories of data affected, and measures taken or proposed.
9. Requesting a signed DPA
Enterprise customers can request a countersigned DPA by emailing rohan@akaro.ai. We will return a signed copy within 3 business days.