PAI Data Processing Agreement
Version: 0.1. Effective: 6 July 2026.
This Data Processing Agreement ("DPA") forms part of the PAI Terms of Service (the "Terms") between Techzoom Ltd, company number 15539411, of 71-75 Shelton Street, Covent Garden, London WC2H 9JQ ("we", "us") and the customer accepting the Terms ("you").
It applies whenever you or your users put personal data about your clients or other people into PAI, for example in uploaded documents, queries or conversations ("Customer Data"). For that data, you are the controller and we are your processor. For personal data about you and your users as PAI account holders, we are the controller and our Privacy Notice applies instead of this DPA.
1. Scope and instructions
We process Customer Data only to provide PAI to you, as described in Annex A, and only on your documented instructions. Your instructions are: this DPA, the Terms, and your and your users' use of the service (uploading, querying, sharing and deleting content are instructions). If UK law requires us to process Customer Data otherwise, we will tell you before we do, unless the law prevents that. We will tell you if we believe an instruction of yours breaks UK data protection law.
2. Our commitments
We will:
- make sure everyone we authorise to access Customer Data is bound by confidentiality obligations;
- protect Customer Data with the technical and organisational measures in Annex B, which we may improve but not materially weaken;
- help you, taking into account the nature of the processing, to respond to data subject rights requests (access, erasure, rectification and the others) that relate to Customer Data;
- help you meet your own security, breach notification and data protection impact assessment obligations, so far as we reasonably can;
- tell you without undue delay if we become aware of a personal data breach affecting Customer Data, and give you the information you reasonably need for your own records and notifications;
- keep our own record of processing as Article 30(2) requires;
- not sell Customer Data, and not use it to train AI models (ours or anyone else's).
3. Sub-processors
You give general written authorisation for the sub-processors on our published sub-processor list. We will update that list before adding or replacing a sub-processor. If you object to a change on reasonable data protection grounds within 14 days of the update, we will work with you in good faith to resolve the concern; if we cannot, you may close your account, we will refund any prepaid fees for the unused period, and this DPA's deletion terms apply.
We put data protection obligations equivalent to this DPA on every sub-processor and remain responsible to you for their performance. Our AI sub-processors are accessed through their business APIs, under which Customer Data is not used to train their models.
4. International transfers
Customer Data is hosted on our own dedicated servers in the UK, with backups held in Western Europe. Where a sub-processor processes data outside the UK, we rely on the safeguards shown on the sub-processor list: the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, or the UK-US Data Bridge where the provider is certified, supported by a transfer risk assessment.
5. Retention, deletion and return
Customer Data remains available in the service while your account is open, including after a free trial or paid subscription ends. You can delete content at any time through the service or by instructing us at privacy@pai.archi; we action deletion instructions within one month.
"End of services" means the closure of your account or termination of the Terms, not the lapse of a trial or subscription. Within 30 days of end of services we will delete Customer Data, first giving you, on request, a reasonable opportunity to export it. Two exceptions: (a) copies in backups are deleted as those backups expire on our normal rolling cycle of 30 days, and are not used except for disaster recovery, with this DPA continuing to apply to them until deletion; and (b) we may retain what the law requires us to keep, for as long as it requires.
6. Information and audit
We will answer reasonable written requests for information needed to demonstrate compliance with this DPA. Where that is genuinely insufficient, you (or an independent auditor who is not our competitor) may audit our relevant records and systems: remotely by default, no more than once in any 12-month period, on at least 30 days' notice, during business hours, at your cost, and without access to other customers' data. Current certifications, audit reports or documentation we provide count towards satisfying an audit request where they cover the point.
7. Liability, term, precedence and law
This DPA applies for as long as we process Customer Data. The exclusions and cap on liability in the Terms apply to this DPA as they apply to the Terms. If this DPA and the Terms conflict on a data protection matter, this DPA prevails. This DPA is governed by the law of England and Wales.
Annex A: details of processing
- Subject matter and nature: hosting, storage, retrieval, indexing and search (including creating search embeddings), AI-assisted analysis, display and transmission of content you and your users put into PAI.
- Purpose: providing the PAI service to you and, unless you opt out (email privacy@pai.archi), improving the service as described in the Privacy Notice.
- Duration: while your account is open, plus the deletion windows in section 5.
- Data subjects: your clients and personnel; individuals named in documents, correspondence and queries you upload or create; individuals named in public planning records.
- Categories of personal data: names, contact details, property and planning information, professional correspondence, and any other personal data contained in content you choose to put into the service. PAI is not designed for special category data; if content you upload contains any (for example personal circumstances raised in an appeal), you are responsible for ensuring an appropriate condition for processing it.
Annex B: technical and organisational measures
- All traffic encrypted in transit (TLS).
- Authentication through a dedicated identity provider (Clerk); we do not store passwords.
- Customer file uploads held in access-controlled object storage, encrypted at rest, and served only through short-lived signed URLs.
- Backend and database on single-tenant dedicated servers in the UK; access limited to authorised personnel on a least-privilege basis.
- Encrypted-at-rest backups on a rolling 30-day cycle, stored in Western Europe.
- Error monitoring and logging (EU region), retained 90 days; application logs retained 30 days.
- Documented personal data breach response procedure.
- Sub-processors bound by data protection agreements (see section 3).
