1. Parties & roles
Controller: the customer entity entering the MSA.
Processor: inscinstech.ai (operated by Inscinstech).
Where required by applicable law, the Processor acts as Data Processor on behalf of the Controller.
2. Subject matter & duration
Subject matter: provision of the inscinstech.ai service per the MSA.
Duration: the term of the MSA plus the data retention periods set out in the Privacy Policy.
Categories of data: customer account data, customer-uploaded data, Agent inputs and outputs, telemetry.
Categories of data subjects: customer employees, contractors, end users.
3. Security measures
Per the technical and organisational measures described at /security — encryption (AES-256 at rest, TLS 1.3 in transit), per-tenant isolation, audit logging, regular penetration testing.
Enterprise customers may add per-tenant KMS keys and private deployment.
4. Sub-processors
Approved sub-processors are listed at /security#subprocessors. Each has a DPA in place with us.
The Controller is notified of any new sub-processor at least 30 days in advance and may object by terminating the relevant service in writing within that period.
5. International data transfers
EU → non-EU: governed by Standard Contractual Clauses (Module 2: Controller to Processor) appended to the signed DPA.
CN → outside CN: governed by PIPL transfer mechanisms (Standard Contract or Certification, per the customer's choice).
6. Data subject rights
We assist the Controller in fulfilling data subject access, correction, deletion, portability, and objection requests within the timelines required by GDPR / PIPL / CCPA.
7. Personal data breach notification
We notify the Controller without undue delay (target: within 72 hours of becoming aware) of any personal-data breach affecting Controller data.
8. Audits & inspections
Enterprise customers may request a SOC 2 report (when available) or a written summary of penetration test outcomes once per year. On-site audits may be conducted on reasonable notice at the customer's expense.
9. Return & deletion
On termination, the Controller may export data within 30 days (Enterprise: 90 days). After that period, Processor deletes Controller data within an additional 30 days unless retention is legally required.