Effective: January 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Comp AI (Bubba AI, Inc.) and Customer for the Comp AI platform, and governs the processing of personal data.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable individual that Customer uploads to or processes through the Services.
"Data Protection Laws" means GDPR, UK GDPR, CCPA, and other applicable privacy laws.
"Sub-processor" means any third party engaged by Comp AI to process Personal Data on behalf of Customer.
"Data Subject" means the individual to whom Personal Data relates.
2. Roles and Responsibilities
2.1 Customer as Controller
Customer determines the purposes and means of processing Personal Data. Customer is responsible for ensuring a lawful basis for processing and for the accuracy of data provided.
2.2 Comp AI as Processor
Comp AI processes Personal Data only on Customer's documented instructions and in accordance with this DPA and applicable Data Protection Laws.
3. Processing Details
| Element | Description |
|---|---|
| Purpose | Providing the Comp AI compliance platform |
| Duration | For the term of the subscription agreement |
| Data Subjects | Customer's employees, contractors, and agents |
| Data Categories | Names, emails, job titles, device identifiers, IP addresses, compliance-related records |
| Sensitive Data | Customer shall not submit sensitive personal data (health, biometric, racial/ethnic origin) unless specifically agreed |
4. Comp AI Obligations
Comp AI shall:
- Process Personal Data only per Customer's documented instructions
- Ensure personnel are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist Customer in responding to Data Subject requests
- Delete or return Personal Data upon termination (at Customer's choice)
- Make available information necessary to demonstrate compliance
- Notify Customer without undue delay of any Personal Data breach
5. Security Measures
Comp AI maintains security measures appropriate to the risk, including:
- Encryption of data in transit and at rest
- Access controls and authentication
- Regular security assessments
- Incident response procedures
- Employee security training
Details available at: trust.inc/compai
6. Sub-processors
6.1 Authorization
Customer authorizes Comp AI to engage Sub-processors to assist in providing the Services.
6.2 Current Sub-processors
A list of current Sub-processors is available on the Sub-processors page.
6.3 Changes
Comp AI will notify Customer at least 10 days before engaging a new Sub-processor. Customer may object on reasonable data protection grounds within that period.
6.4 Liability
Comp AI remains liable for Sub-processor compliance with this DPA.
7. Data Subject Rights
Comp AI will assist Customer in fulfilling obligations to respond to Data Subject requests for:
- Access to their Personal Data
- Rectification or erasure
- Restriction of processing
- Data portability
- Objection to processing
Customer is responsible for responding to requests. Comp AI will notify Customer promptly if it receives a request directly.
8. International Transfers
8.1 Transfer Mechanisms
For transfers of Personal Data outside the EEA, UK, or Switzerland, Comp AI relies on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Agreement where applicable
- Other lawful transfer mechanisms as appropriate
8.2 US Processing
Primary data processing occurs in the United States. By using the Services, Customer authorizes this transfer subject to the safeguards in this DPA.
9. Data Breach Notification
Comp AI will notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting Customer data. Notification will include:
- Nature of the breach
- Categories and approximate number of Data Subjects affected
- Likely consequences
- Measures taken or proposed to address the breach
10. Audit Rights
Upon reasonable notice, Customer may request information necessary to verify Comp AI's compliance with this DPA. Comp AI will:
- Provide relevant compliance certifications and audit reports (SOC 2, ISO 27001)
- Allow Customer to conduct or commission an audit (no more than annually, during business hours, at Customer's expense)
11. Term and Deletion
This DPA remains in effect for the duration of the subscription agreement. Upon termination:
- Comp AI will delete or return all Personal Data within 30 days (at Customer's written request)
- Comp AI may retain data as required by applicable law
- Comp AI will certify deletion upon request
12. CCPA Provisions
For California residents' Personal Information:
- Comp AI is a "Service Provider" under CCPA
- Comp AI will not sell Personal Information
- Comp AI will not retain, use, or disclose Personal Information except as necessary to perform the Services
- Comp AI will not combine Personal Information with data from other sources except as permitted by CCPA
13. Liability
Each party's liability under this DPA is subject to the limitations set forth in the main subscription agreement.
Contact
For data protection inquiries:
Bubba AI, Inc., 2261 Market Street, San Francisco, CA 94114
- Privacy requests: [email protected]
- Security inquiries: [email protected]