For customers who process personal data through AICre8 Grow
This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the Terms of Service between Investdex Software Ltd (a company registered in the Republic of the Marshall Islands, operating the AICre8 platform — the "Processor", "we", "us") and the customer using the Services (the "Controller", "you"). It applies whenever you use Grow or other AICre8 features to process personal data of your own contacts, leads and customers ("Customer Personal Data"). It takes effect when you accept the Terms or first use the Services.
For Customer Personal Data, you are the Controller and we are the Processor. You are responsible for having a lawful basis for the processing and for the accuracy and content of the data you upload or collect. Separately, for data about your own account and use of the platform, we act as a controller as described in our Privacy Policy.
We will:
You give general authorisation for us to engage sub-processors to deliver the Services. Our current sub-processors are listed at /legal/subprocessors. We impose data-protection obligations on each sub-processor no less protective than those in this DPA, and remain responsible for their performance. We will give notice of any new sub-processor before it starts processing Customer Personal Data, and you may object on reasonable data-protection grounds.
We and several of our sub-processors are located outside the UK (including the USA and the Marshall Islands). Where Customer Personal Data is transferred outside the UK, we rely on the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or another lawful transfer mechanism, together with appropriate supplementary safeguards.
Data is encrypted in transit (TLS). Access is restricted and authenticated; the platform is hosted on Cloudflare and data is stored with Supabase with role-based access controls and row-level security. We take reasonable steps to keep our systems patched and monitored. A summary is available on request.
We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and provide information reasonably available to help you meet your own notification obligations.
On termination of the Services, or on your written request, we will delete or return Customer Personal Data within a reasonable period, except where retention is required by law or for our short-term backup cycle, after which it is deleted.
We will make available information reasonably necessary to demonstrate compliance with this DPA. On reasonable prior written notice, and no more than once a year (unless required by a regulator), we will cooperate with a proportionate audit, subject to confidentiality.
This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction. Liability under this DPA is subject to the limitations in the Terms of Service.
Questions: [email protected]
Last updated: 6 July 2026