Data Processing Agreement
This Data Processing Agreement describes the arrangements between AI Business Academy as the processor and the client as the controller, for any processing of personal data carried out by AIBA on behalf of the client — particularly in in-company programmes and the Cohort Programme. The Dutch-language version of this agreement is the binding legal text.
Last updated: 24 May 2026
This is the English version of our Data Processing Agreement, provided for the convenience of English-speaking clients. The Dutch version is the legally binding text.
01 Parties and roles
Where AIBA processes personal data of the client, the client's employees or third parties in connection with a programme or service, AIBA acts as processor within the meaning of Article 4(8) GDPR, and the client is the controller.
02 Subject matter and duration
The subject matter of the processing covers any personal data shared with AIBA during in-company programmes, cohort sessions or strategy days. The duration matches the underlying programme; data is deleted within ninety days of programme completion unless a longer retention is required by law or has been explicitly agreed.
03 Instructions
AIBA processes personal data only on documented instructions from the controller. The agreed programme scope (including this DPA) counts as such an instruction. Any deviation requires written confirmation.
04 Security measures
AIBA applies appropriate technical and organisational measures, including: encryption in transit (TLS 1.3), access control with named users, audit logging for security events, EU-only hosting, daily-rotating salts for any analytics IP hashing, and segregated environments per client.
05 Sub-processors
AIBA may engage sub-processors only where they are bound by contractual obligations equivalent to this DPA. A current list of sub-processors is available on request. The controller is informed of changes in good time and may object on reasonable grounds.
06 Data subjects' rights
AIBA assists the controller, where reasonably possible, in responding to data subjects' requests under Articles 15-22 GDPR. Requests received by AIBA directly are forwarded to the controller without delay.
07 Data breach
AIBA notifies the controller of a personal data breach without undue delay and at the latest within 48 hours of discovery. The notification contains all information reasonably required for the controller's own notification obligation under Article 33 GDPR.
08 Audits
The controller may, at most once per twelve months and with thirty days' notice, audit AIBA's compliance with this DPA. The audit may be carried out by an independent expert agreed by both parties. Costs are borne by the controller unless material non-compliance is identified.
09 Transfer outside the EEA
AIBA does not transfer personal data outside the European Economic Area. Should that be required under exceptional circumstances, the transfer takes place only on the basis of an adequacy decision or Standard Contractual Clauses approved by the European Commission.
10 Return or deletion
At the end of the programme or on the controller's written request, AIBA returns or deletes all personal data and existing copies, unless retention is required by EU or member state law.
