Data Processing Agreement

This Data Processing Agreement forms part of the Terms of Service between InternalWiki (Processor) and the Customer (Controller). To execute a signed copy of this DPA, contact legal@internalwiki.com.

1. Parties and Scope

This Data Processing Agreement ("DPA") is entered into between the following parties:

• "Controller": the customer organisation that has entered into a service agreement with InternalWiki for the use of its AI-powered knowledge retrieval platform.
• "Processor": InternalWiki Ltd, the provider of the InternalWiki platform, acting as data processor on behalf of the Controller.

Scope: This DPA applies to the processing of personal data contained in documents and messages connected to InternalWiki via source integrations (including but not limited to Google Drive, Slack, Microsoft 365, and SharePoint). It governs the Processor's obligations with respect to that personal data as required by applicable data protection legislation, including the UK GDPR and the EU General Data Protection Regulation (Regulation (EU) 2016/679).

2. Definitions

The following terms have the meanings set out in GDPR Article 4, and are used throughout this DPA accordingly:

• Personal Data — any information relating to an identified or identifiable natural person ("data subject").
• Data Subject — an identified or identifiable natural person whose personal data is processed.
• Processing — any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
• Sub-processor — any third party engaged by the Processor to carry out specific processing activities on behalf of the Controller.
• Supervisory Authority — an independent public authority responsible for monitoring the application of data protection legislation in its jurisdiction (e.g., the Information Commissioner's Office in the UK, or the relevant Data Protection Authority in EU Member States).

3. Processing Details

Subject matter

AI-powered knowledge retrieval from the Controller's connected workplace tools, provided via the InternalWiki platform.

Duration

Processing will continue for the term of the service agreement between the Controller and the Processor, unless terminated earlier in accordance with Section 8 of this DPA.

Nature and purpose

The Processor will process personal data for the purposes of indexing, embedding, retrieval, and answer generation — all with permission enforcement. Specifically, this includes:

• Syncing and indexing documents and messages from connected source integrations.
• Chunking and generating vector embeddings of document content for semantic search.
• Retrieving relevant document passages in response to user queries, enforcing source-level permission controls.
• Generating AI-powered answers with claim-level citations to source documents.

Types of personal data

The personal data processed may include names, email addresses, and any other personal data contained in the Controller's connected documents and messages (e.g., phone numbers, addresses, employment details, or any information the Controller has stored in integrated workplace tools).

Categories of data subjects

The Controller's employees and any individuals referenced in the Controller's connected documents and messages.

4. Processor Obligations

The Processor shall:

• Process on instructions only — process personal data solely on the Controller's documented instructions, including with respect to transfers of personal data to a third country, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing (unless prohibited from doing so by law).
• Confidentiality — ensure that all personnel authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Security measures — implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including: encryption of personal data at rest and in transit (AES-256 and TLS 1.2+); permission enforcement at the retrieval layer before data enters LLM context; role-based access controls; regular security assessments; and audit logging of all data access events.
• Data subject requests — taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights under Chapter III of the GDPR.
• Deletion or return — at the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage of the personal data.
• Demonstrate compliance — make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and applicable data protection legislation.
• Audits — allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Audit rights are available on the Enterprise plan. The Controller shall provide reasonable advance notice of any audit request.

5. Sub-processors

The Controller authorises the Processor to engage the following sub-processors for the purposes described below. The Processor maintains written agreements with each sub-processor imposing data protection obligations no less protective than those set out in this DPA.

The Processor shall notify the Controller at least 30 days in advance of any intended addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes. If the Controller objects on reasonable grounds relating to data protection, the parties shall discuss the objection in good faith with a view to achieving a commercially reasonable resolution. If no resolution can be reached, the Controller may terminate the affected services without penalty.

6. International Transfers

Where personal data originating from the European Union, the European Economic Area, or the United Kingdom is transferred to sub-processors located in the United States (or any other country not subject to an adequacy decision), such transfers are protected by the European Commission's Standard Contractual Clauses (SCCs), as supplemented by transfer impact assessments where required.

EU-hosted infrastructure will be available on the Enterprise plan from Q4 2026, allowing customers to ensure that all data processing occurs within the European Union.

7. Data Breach Notification

Such notification shall include, to the extent reasonably available:

• The nature of the personal data breach, including the categories and approximate number of data subjects and records concerned.
• The categories and types of personal data affected.
• The likely consequences of the breach.
• The measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.

The Processor shall co-operate with the Controller and take such reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation, and remediation of each such personal data breach.

8. Term and Termination

This DPA is effective for the duration of the service agreement between the Controller and the Processor. It shall automatically terminate upon expiry or termination of the service agreement.

Upon termination of this DPA, the Processor shall delete all personal data processed on behalf of the Controller within 30 days, unless applicable law requires continued storage (e.g., audit logs retained for 24 months, billing records retained for 7 years per UK tax requirements). The Controller may request a data export before deletion.

Source disconnection triggers immediate data deletion. When a Controller disconnects a source integration from InternalWiki, all indexed content, embeddings, and cached documents from that source are permanently deleted within 24 hours.