Data Processing Agreement (DPA)

Data Processing Agreement for business contracts, in compliance with LGPD and GDPR.

1. Preamble

This Data Processing Agreement ("DPA") supplements the UtilizAí Terms of Use and applies to any processing of personal data carried out by UtilizAí on behalf of the Customer in the context of the contracted services.

Customer (Controller): the contracting legal entity.
UtilizAí (Processor): the platform provider.

2. Roles and responsibilities

Under Art. 5, VI and VII of the LGPD, the Customer acts as Controller of the data it enters on the platform on behalf of its own end users, and UtilizAí acts as Processor, processing the data exclusively according to the Customer's documented instructions.

3. Subject and duration

UtilizAí processes personal data to provide the contracted services throughout the term of the commercial contract. Upon termination, data is returned or deleted as per clause 9.

4. Types of data and data subjects

  • Categories: identifiers, contact data, usage data, any data entered by the Customer via API.
  • Data subjects: Customer's employees, Customer's end clients, Customer's product target audience.
  • Sensitive data: if the Customer chooses to process special categories of personal data (Art. 11 LGPD), it must notify UtilizAí in advance and provide a specific legal basis.

5. Obligations of UtilizAí (Processor)

  1. Process data exclusively according to Customer's documented instructions.
  2. Ensure that persons authorized to process data are under an obligation of confidentiality.
  3. Adopt reasonable technical and organizational measures (section 7).
  4. Assist the Customer in handling data subject requests and complying with LGPD Art. 46-50 obligations.
  5. Report security incidents within 48 hours of identification.
  6. Allow and contribute to the Customer's documentary audits once a year, with 30 days' prior notice.

6. Sub-processors

UtilizAí uses sub-processors to provide the services. The updated list is available at /lgpd/ripd. Changes will be notified 30 days in advance; the Customer may object within 15 days.

7. Technical and organizational measures

  • TLS 1.2+ on all communications.
  • Encryption at rest in databases (Supabase Postgres).
  • Multi-tenant isolation via Row-Level Security.
  • Role-Based Access Control (RBAC) internally.
  • Immutable logs of sensitive operations for 90 days.
  • Encrypted backups with 7-day retention.
  • Periodic security testing.

8. International data transfer

UtilizAí uses providers with infrastructure in the USA and EU. All transfers follow Standard Contractual Clauses (SCC of the European Commission) and, where applicable, ANPD rules for international transfer (Art. 33 LGPD).

9. Retention and return/deletion

Upon termination of the contract, the Customer may request full export of data in JSON/CSV format for up to 30 days. After this period, all data is deleted (including active backups) within 60 days, except for legal retention obligations.

10. Data subject rights

When UtilizAí receives a direct request from a data subject, it will forward it to the Customer within 5 days. The Customer is responsible for responding to the data subject. UtilizAí assists with technical execution when requested.

11. Incident response

In the event of a security incident involving personal data, UtilizAí will notify the Customer within 48 hours with: nature of the incident, data affected, measures taken and DPO contact. The Customer is responsible for notifying the ANPD and data subjects, under LGPD Art. 48.

12. Contact

To formalize this DPA in an Enterprise contract, write to juridico@utilizai.com.