1. Introduction
This Data Processing Agreement ("DPA") forms part of the agreement between RiroTech LLC ("Processor", "RioAsk", "we") and the entity agreeing to these terms ("Controller", "you", "Customer") for the use of the RioAsk platform (the "Service").
This DPA applies to all processing of personal data by RioAsk on behalf of the Customer and supplements our Terms of Service and Privacy Policy.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined by GDPR Article 4(1) or equivalent applicable law.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion.
- "Sub-processor" means any third party engaged by RioAsk to process Personal Data on behalf of the Customer.
- "Data Subject" means the individual to whom Personal Data relates.
- "Applicable Data Protection Law" means GDPR, CCPA, and any other applicable data protection legislation.
3. Scope of Processing
3.1 Subject Matter
RioAsk processes Personal Data to provide the prompt engineering platform, including domain classification, prompt generation, AI clarification, document grounding, quality scoring, and analytics.
3.2 Categories of Data Subjects
- Customer employees and authorized users
- End users of the Customer's organization
3.3 Types of Personal Data
- Account information (email address, name)
- Usage data (submitted questions, generated prompts, quality scores)
- Uploaded documents and their vector embeddings
- Technical data (IP addresses, request timestamps)
- Payment metadata (Stripe customer ID, subscription status)
3.4 Duration
Processing continues for the duration of the Customer's subscription. Upon termination, data is deleted within 30 days, except where retention is required by law.
4. Obligations of the Processor
RioAsk shall:
- Process Personal Data only on documented instructions from the Controller, unless required by applicable law
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures as described in Section 6
- Assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability)
- Notify the Controller without undue delay (within 72 hours) upon becoming aware of a Personal Data breach
- Delete or return all Personal Data upon termination of the agreement, at the Controller's election
- Make available all information necessary to demonstrate compliance and allow for audits
5. Sub-processors
The Customer authorizes RioAsk to engage the following sub-processors. We maintain an up-to-date list in our Privacy Policy (Section 4).
| Sub-processor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Cloud infrastructure, database hosting, monitoring | United States (East US) |
| Stripe | Payment processing | United States |
| AI Providers (configurable) | AI completions, embeddings (Pro+ features) | United States |
| Azure AI Content Safety | Content moderation | United States |
| Cloudflare | CDN, DDoS protection | Global (edge network) |
| Microsoft Graph API | Transactional email delivery | United States |
RioAsk will notify the Customer at least 30 days before engaging a new sub-processor. If the Customer objects, they may terminate the affected Service within 30 days of the notification.
6. Security Measures
RioAsk implements the following technical and organizational measures to protect Personal Data:
- Encryption in transit — TLS 1.2+ for all data transfers
- Encryption at rest — AES-256 for stored data, database-level encryption via Azure
- Authentication — bcrypt password hashing, JWT-based authentication with token rotation
- Access control — role-based access control (RBAC), principle of least privilege
- Audit logging — comprehensive logging of all authentication events, data access, and administrative actions
- Rate limiting — IP-based and user-based rate limiting to prevent abuse
- Content moderation — automated screening of submitted content
- Infrastructure security — Azure-managed infrastructure with network isolation
7. Data Subject Rights
RioAsk will assist the Controller in fulfilling obligations to respond to Data Subject requests under Applicable Data Protection Law, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to processing
Data Subject requests received directly by RioAsk will be forwarded to the Controller promptly.
8. Data Breach Notification
In the event of a Personal Data breach, RioAsk will:
- Notify the Controller within 72 hours of becoming aware of the breach
- Provide details including the nature of the breach, categories and volume of data affected, likely consequences, and measures taken
- Cooperate with the Controller in investigating and mitigating the breach
For full details, see our Data Breach Notification Policy.
9. International Transfers
Personal Data is processed and stored in the United States. For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland, RioAsk relies on:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- Adequacy decisions where applicable
- Supplementary measures as required by the Schrems II decision
Enterprise customers may request region-specific deployment options.
10. Audit Rights
The Controller may audit RioAsk's compliance with this DPA by:
- Requesting and reviewing relevant compliance documentation, certifications, and audit reports
- Conducting or commissioning an on-site or remote audit with 30 days' prior written notice, at the Controller's expense
RioAsk will cooperate with reasonable audit requests and provide access to relevant systems, records, and personnel.
11. Term and Termination
This DPA remains in effect for the duration of the Customer's subscription to the Service. Upon termination:
- RioAsk will delete all Customer Personal Data within 30 days, unless retention is required by applicable law
- The Controller may request a data export prior to termination
- Backup copies are purged within 90 days of termination
12. Governing Law
This DPA is governed by the laws of the State of Delaware, United States, except where Applicable Data Protection Law requires otherwise.
13. Contact
For DPA-related inquiries or to request an executed copy, contact:
RiroTech LLC — Legal Team
Email: legal@rioask.ai
Enterprise customers may request a custom DPA with additional terms as part of their contract negotiation.