Data Processing Agreement

Last updated: 2026-06-08

This Data Processing Agreement (“DPA”) is for Practitioners who use Innersights to collect, store, or process information about their Clients. It sets out, as required by Article 28 of the GDPR, the terms on which Innersights processes that data on your behalf. It applies automatically to your use of the Service and forms part of our Terms of Service. If you need a separately signed copy for your records, email privacy@innersights.io and we will provide one.

1. Parties and roles

This DPA is entered into between:

  • You, the Practitioner: the coach, therapist, consultant, educator, or other professional who operates a workspace on Innersights and decides what Client data to collect and why. You act as the Controller of that Client data.
  • Innersights (Part of Seamless Agency B.V.) (KVK 90533119, Communicatieweg Oost 12, 1566 PK Assendelft, the Netherlands): “Innersights,” “we,” “us.” We act as your Processor, processing Client data only on your instructions.

This DPA governs only the personal data you collect from your Clients through the Service (assessment answers, twin chats, reports, knowledge you upload about a Client, and related records). For the account data of Practitioners and Clients (names, emails, credentials, billing), Innersights is the controller and our Privacy Policy applies directly.

2. Definitions

“GDPR” means Regulation (EU) 2016/679 and, where applicable, the UK GDPR. “Client Data” means personal data relating to your Clients that we process on your behalf through the Service. “Data Subject,” “Controller,” “Processor,” “Subprocessor,” and “processing” have the meanings given in the GDPR. Capitalised terms not defined here have the meaning given in our Terms of Service.

3. Scope and instructions

  • We will process Client Data only on your documented instructions, including with regard to transfers, unless we are required to do otherwise by law; in that case we will inform you of the legal requirement before processing, unless the law prohibits us from doing so.
  • Your instructions are made up of this DPA, the Terms of Service, the configuration choices you make in the Service (the assessments you build, the twin instructions and knowledge you upload, the members you invite, and the features you enable), and any further written instructions you give us.
  • We will tell you if, in our opinion, an instruction infringes the GDPR or other data-protection law.
  • The subject matter, duration, nature, and purpose of the processing, and the types of personal data and categories of Data Subjects, are described in Annex 1.

4. Our obligations as processor

As your processor, and as required by Article 28(3) GDPR, we commit to the obligations set out in Sections 5 to 13. In summary, we will:

  • Process Client Data only on your instructions (Section 3).
  • Keep Client Data confidential and ensure our personnel do the same (Section 5).
  • Apply appropriate technical and organisational security measures (Section 6, Annex 3).
  • Engage subprocessors only under the conditions in Section 7.
  • Help you respond to Data Subjects exercising their rights (Section 9).
  • Help you meet your breach, security, DPIA, and prior-consultation duties (Sections 10 and 11).
  • Return or delete Client Data at the end of the relationship (Section 12).
  • Make available the information you need to demonstrate compliance and allow for audits (Section 13).

We never sell Client Data, never use Client assessment answers, twin chat content, or knowledge-base content for advertising, profiling, or look-alike modelling, and never use your data to train AI models. We opt into zero-data-retention with our AI providers.

5. Confidentiality

We ensure that persons authorised to process Client Data are bound by an appropriate duty of confidentiality, and that access is limited to personnel who need it to provide or support the Service.

6. Security measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to Data Subjects, we implement appropriate technical and organisational measures under Article 32 GDPR. A summary is set out in Annex 3. Because Client Data can include sensitive personal and reflective content, we treat it with a correspondingly high level of care.

7. Subprocessors

  • You give us general authorisation to engage the subprocessors listed in Annex 2 to help deliver the Service.
  • Each subprocessor is bound by a written contract imposing data-protection obligations that are, in substance, no less protective than those in this DPA, and is permitted to process Client Data only as instructed by us.
  • We remain fully responsible to you for the performance of each subprocessor's obligations.
  • If we intend to add or replace a subprocessor, we will give you reasonable prior notice (by updating Annex 2 and/or notifying account holders) so you can object on reasonable data-protection grounds. If we cannot resolve a reasonable objection, you may terminate the affected part of the Service.

8. International transfers

Some subprocessors are located outside the EU/EEA, including in the United States (see Annex 2). Where we transfer Client Data internationally, we rely on a lawful transfer mechanism:

  • The EU-US Data Privacy Framework (DPF) where the recipient is certified.
  • EU Standard Contractual Clauses (SCCs), and the UK International Data Transfer Addendum where relevant, for transfers to countries without an adequacy decision.
  • Supplementary measures, including encryption in transit and at rest, and contractual prohibitions on AI training and onward transfers.

You can request a copy of the relevant transfer mechanism from privacy@innersights.io.

9. Data-subject requests

Taking into account the nature of the processing, we will assist you by appropriate technical and organisational measures, insofar as possible, to fulfil your obligation to respond to requests from Data Subjects exercising their rights (access, rectification, erasure, restriction, portability, and objection).

  • If a Client contacts us directly about data held in your workspace, we will not respond on your behalf beyond confirming receipt; we will promptly route the request to you, since you are the controller.
  • The Service gives you tools to act on many requests yourself: for example, viewing and exporting submissions, and deleting individual submissions and chats. Where a request cannot be completed with in-product tools, contact us and we will help.

10. Personal-data breaches

We will notify you without undue delay after becoming aware of a personal-data breach affecting Client Data, and will provide the information reasonably available to us to help you meet your own notification obligations to a supervisory authority and, where required, to affected Data Subjects.

11. DPIAs and prior consultation

Taking into account the nature of the processing and the information available to us, we will provide reasonable assistance with data protection impact assessments and any prior consultation with a supervisory authority that you are required to carry out. Given that the Service can involve sensitive reflective content and AI-assisted analysis, we encourage you to assess whether a DPIA is required for your particular use.

12. Return and deletion

  • You can delete individual submissions and chats from within the Service at any time.
  • On termination of your account or on your written request, we will, at your choice, delete or return Client Data, and delete existing copies, unless we are required by law to retain it. Confirmed deletions are completed within 30 days, subject to backups cycling out on their normal schedule.
  • Where we are legally required to keep certain records, we will isolate and protect that data and process it only as the law requires.

13. Audits and information

We will make available to you the information necessary to demonstrate compliance with Article 28 GDPR, and will allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate. To protect the security and confidentiality of other customers, audits are conducted on reasonable prior notice, no more than once a year (unless required by a supervisory authority or following a breach), and may be satisfied by our providing relevant documentation, certifications, or summaries of our subprocessors' measures.

14. Your responsibilities as controller

As the controller of your Client Data, you remain responsible for:

  • Establishing a lawful basis for collecting, holding, and using Client Data, and obtaining any consents required, including explicit consent where you collect special-category data such as health or mental-health information.
  • Giving your Clients clear notice of how their data is used (including that it is processed by AI and stored in your workspace), and providing your own privacy notice where required.
  • Only collecting categories of personal data you are entitled to collect, and not presenting AI output as licensed medical, psychological, legal, or financial advice unless you are qualified to do so.
  • Configuring the Service, managing member access, and keeping credentials secure.

15. Precedence and term

  • This DPA forms part of, and is subject to, the Terms of Service. In the event of a conflict between this DPA and the Terms on the subject of processing Client Data, this DPA prevails.
  • This DPA takes effect when you start using the Service and continues for as long as we process Client Data on your behalf. Sections that by their nature should survive termination (including return and deletion) continue to apply.
  • Liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service.

16. Putting this in place

For most Practitioners, no signature is needed: this DPA applies automatically when you use the Service. If your organisation requires a counter-signed DPA for its records, email privacy@innersights.io with your legal entity name and we will arrange one.

Annex 1: Details of the processing

Subject matter
Provision of the Innersights platform: AI assessments, twin chat, report generation, knowledge-base storage, and related communications.
Duration
For as long as the Practitioner uses the Service, plus the deletion period in Section 12.
Nature and purpose
Hosting, storage, retrieval, AI inference, transcription, embedding for retrieval, email delivery, and analytics of engagement, all to deliver the assessments and twins the Practitioner configures.
Types of personal data
Client first name and email; written and transcribed-voice assessment answers; AI-generated reports; twin chat messages; durable twin memory derived from chats; feedback and consent records; email-engagement metadata.
Special categories
Client Data may include sensitive reflective content (for example about emotional state, beliefs, or wellbeing) where the Practitioner chooses to collect it. The Practitioner is responsible for the lawful basis and any explicit consent required.
Categories of Data Subjects
The Practitioner's Clients: the individuals who complete assessments, receive reports, or chat with a twin in the workspace.

Annex 2: Approved subprocessors

The following subprocessors help us deliver the Service. Each is bound by a data-processing agreement and processes Client Data only as instructed by us.

Vercel · USA / global edge

Purpose: Application hosting, edge runtime, AI Gateway, deployment platform.

Data shared: Client Data in transit through the Service.

Supabase · European Union

Purpose: Database, authentication, file storage, RLS-protected APIs.

Data shared: All Client Data at rest, including assessments, submissions, knowledge-base files, and records.

Anthropic (Claude) · USA (with DPA, no training)

Purpose: AI inference: report generation, follow-up checks, twin chat.

Data shared: Question prompts, Client answers (in transit), twin chat messages, retrieved knowledge-base snippets.

OpenAI · USA (with DPA, no training)

Purpose: AI inference: voice transcription (Whisper), embeddings for retrieval, occasional auxiliary generation.

Data shared: Voice audio (transient), text snippets for embedding, occasional question prompts.

Resend · USA (DPF certified)

Purpose: Transactional and follow-up email delivery, including auth emails routed through Supabase's send-email hook.

Data shared: Client email addresses, email body content, delivery and engagement metadata.

Cloudflare · Global

Purpose: Bot protection and edge-network protection where deployed.

Data shared: IP address, request metadata.

Langfuse · European Union

Purpose: AI-output observability so we can debug poor responses and improve safety guardrails.

Data shared: Anonymised prompt/response pairs and metadata for quality assurance.

Where you connect your own advertising tools (for example a Meta Pixel) to your assessment funnel, those tools are engaged by you, on your ad account, and you are the controller for that processing. We transmit funnel events to them on your behalf only when you enable the connection.

Annex 3: Technical and organisational measures

  • Encryption of Client Data in transit (TLS) and at rest.
  • Tenant isolation enforced at the database level through row-level security, so each workspace can only reach its own data.
  • Role-based access within a workspace (owner and member roles), and least-privilege internal access to production systems.
  • Authentication via hashed credentials and OAuth, with session management handled by our auth provider.
  • Contractual prohibitions on AI training and onward transfer, and zero-data-retention settings with AI providers.
  • Subprocessor due diligence and written data-processing terms with each subprocessor.
  • Logging and monitoring to detect and respond to incidents, and a breach-notification process.
  • Backups with a defined rotation, and a deletion process aligned to Section 12.

Contact

Innersights (Part of Seamless Agency B.V.)

Privacy / DPA: privacy@innersights.io

Legal: legal@innersights.io

See also our Privacy Policy and Terms of Service.