Last updated: May 19, 2026
DPA & Acceptable Use
This page combines a summary of CoreLattice AI Pvt Ltd’s Data Processing Addendum (DPA) with our Acceptable Use Policy (AUP). The DPA summary describes how CoreLattice processes personal data on behalf of customers using the OneLattice service. The AUP sets the rules of the road for any use of the Service.
1. Overview
These documents are designed to be paired with our Terms of Service, Privacy Policy, and Cookie Policy. If you have a signed master agreement with CoreLattice, that agreement and the DPA executed under it govern in case of conflict.
2. Data Processing Addendum (DPA)
2.1 Scope
The DPA applies whenever CoreLattice processes personal data on behalf of a customer in connection with the Service. It implements the requirements of Article 28 of the GDPR (and equivalents under UK GDPR and other applicable laws) and incorporates the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and Swiss SCC adaptations as applicable.
2.2 Roles
Customer is the controller of personal data submitted to the Service. CoreLattice is the processor and processes personal data only on the customer’s documented instructions, including the Service configuration, the master agreement, and the DPA itself.
2.3 Processing instructions
CoreLattice processes personal data to provide and support the Service, comply with reasonable customer instructions consistent with the master agreement, and meet legal obligations. We will tell the customer if we believe an instruction violates applicable data protection law.
2.4 Sub-processors
Customers authorize CoreLattice to engage sub-processors to provide the Service. The current list is available on request by contacting [email protected]. We will give advance notice of new sub-processors and provide a reasonable period for customers to object on legitimate grounds.
2.5 International transfers
Where personal data is transferred out of the EEA, UK, or Switzerland, CoreLattice relies on adequacy decisions, the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and equivalent mechanisms, with supplementary measures where appropriate.
2.6 Security measures
CoreLattice maintains a written information security program with controls including encryption in transit and at rest, access management with least privilege, network segmentation, vulnerability management, secure development lifecycle, logging and monitoring, background checks, security awareness training, and a documented incident response plan. Technical and organizational measures are described in the DPA Annex.
2.7 Incident notification
CoreLattice will notify the customer without undue delay after becoming aware of a personal data breach affecting customer data, and will provide information reasonably necessary for the customer to meet its own notification obligations.
2.8 Data subject requests
CoreLattice will assist the customer, taking into account the nature of the processing, in responding to data subject requests (access, correction, erasure, restriction, portability, objection) relating to personal data processed under the DPA.
2.9 Audit rights
Customers may audit CoreLattice’s compliance with the DPA through (a) third-party audit reports (e.g., SOC 2 Type II, ISO 27001), (b) responses to a reasonable security questionnaire, or (c) on request and at the customer’s expense, an on-site audit scoped to comply with confidentiality and operational requirements.
2.10 Return and deletion
On termination or expiration of the master agreement, CoreLattice will, at the customer’s choice, delete or return all customer personal data, subject to retention required by law.
2.11 Request the signed DPA
Customers can request the full executable DPA, including annexes and the standard contractual clauses, by emailing [email protected] with their legal entity name and signing authority.
3. Acceptable Use Policy (AUP)
This AUP applies to anyone who accesses or uses the Service. It is incorporated into our Terms of Service.
3.1 Prohibited use
You will not, and will not allow any third party to, use the Service to:
- violate any law, regulation, or third-party right (including intellectual property, privacy, and publicity rights);
- process personal data without the lawful basis or consents required by applicable law;
- send unsolicited communications (spam) or otherwise abuse messaging functionality;
- upload, transmit, or distribute content that is unlawful, defamatory, harassing, abusive, hateful, or designed to exploit or harm minors;
- upload malware, ransomware, or other malicious code, or introduce any feature designed to disrupt or harm systems or data;
- use the Service to develop, train, or evaluate a competing product or for competitive benchmarking without our prior written consent;
- use the Service to make automated decisions producing legal or similarly significant effects on individuals without appropriate human oversight and disclosures;
- use the Service to facilitate sanctions evasion, terrorist financing, money laundering, fraud, or other financial crime;
- impersonate another person or misrepresent your affiliation with any person or entity;
- interfere with or disrupt the integrity, performance, or availability of the Service, including via excessive request volumes, scraping, or denial-of-service techniques;
- attempt to access another customer’s data or any non-public area of the Service without authorization.
3.2 Security testing
Penetration testing, vulnerability scanning, and other security testing of the Service require our prior written authorization. Coordinate testing with [email protected]. We welcome good-faith security research; request details of our coordinated disclosure process at [email protected].
3.3 Enforcement
We may investigate suspected violations and may suspend, restrict, or terminate access to the Service for activity that violates this AUP, creates legal or security risk, or threatens the integrity of the Service or its users. Where reasonable, we will give notice and an opportunity to cure; we may act immediately to address active threats.
3.4 Reporting abuse
Report suspected abuse, security issues, or AUP violations to [email protected].
4. Contact
CoreLattice AI Pvt Ltd
Registered office address available on request
Legal: [email protected]
Security: [email protected]
Questions? Contact [email protected].