# AIErudit Data Processing Addendum Template

Last updated: June 11, 2026

This template is the starting package for Business and Enterprise procurement review. A countersigned version can be prepared for a specific customer after the parties confirm the controller, processor, workspace scope, subprocessors, transfer safeguards, and commercial agreement.

## 1. Parties and roles

- Customer: the organization purchasing or administering an AIErudit workspace.
- AIErudit operator: Vitali Bibikov, Polish sole proprietorship, operating AIErudit.
- Customer role: controller, unless the signed order form says otherwise.
- AIErudit role: processor for customer-controlled learner, workspace, and procurement data.

## 2. Processing scope

AIErudit processes personal data to provide access to learning content, accounts, team workspaces, certificates, payments, support, security monitoring, and optional AI-assisted features selected by the customer or end user.

## 3. Data categories

- Account and profile data: name, email address, role, company, language, and profile settings.
- Authentication and security data: password hash, OAuth identifiers, MFA state, session metadata, and device or login-risk signals.
- Learning and certification data: enrollments, progress, quiz answers, scores, achievements, and certificates.
- Payment and billing data: purchase type, amount, currency, Stripe identifiers, invoice metadata, and refund status.
- Support and communications: contact forms, support messages, creator or sales inquiries, and attachments provided by the requester.
- Usage and preference data: browser, IP-derived region, consent state, logs, and UI preferences.
- Optional AI feature data: prompts, selected context, generated outputs, and model-lane metadata when AI features are used.

## 4. Security measures

AIErudit maintains administrative, technical, and organizational measures appropriate to the service scope, including:

- TLS transport protection and HSTS on production delivery paths.
- One-way Argon2id password hashing.
- MFA and passkey account-protection options.
- Least-privilege production access and secrets management.
- AWS eu-central-1 primary application and data region.
- Database backup and restore-readiness controls.
- Monitoring and vulnerability reporting through the published security.txt path.

## 5. Subprocessors

The current public subprocessor list is published at:

https://aierudit.com/security#subprocessors

Material changes can be requested by email through the subprocessor update link on that page.

## 6. International transfers

Where a subprocessor processes personal data outside the EEA, the parties will rely on appropriate transfer safeguards, including Standard Contractual Clauses where applicable.

## 7. Assistance and deletion

AIErudit will provide reasonable assistance for data-subject rights, deletion, export, and anonymization requests in line with the product capabilities, signed customer agreement, and applicable law.

## 8. Incidents

AIErudit will notify the customer without undue delay after confirming a personal-data breach affecting the customer workspace, using the contact path agreed in the order form or procurement correspondence.

## 9. Audit and questionnaires

Before formal third-party certifications are available, AIErudit can provide security questionnaires, control summaries, subprocessor notes, and implementation evidence for reasonable B2B diligence.

## 10. Execution

This template is not self-executing. The final DPA should reference the customer order form or master agreement, confirmed customer legal entity, workspace scope, governing law, and any customer-specific instructions.
