Data Processing Addendum

When this DPA applies

This Data Processing Addendum is a template made available for review. It does not automatically apply to your account or your use of the Integer Demand platform simply because it is published on this page or referenced from our other policies.

This DPA only forms part of the agreement between you and Integer Demand if it is:

• expressly incorporated into a signed written agreement (such as an enterprise order form, master subscription agreement, or signed DPA addendum) between you and Integer Demand;
• required by applicable law to apply to your processing of Personal Data through the Service; or
• expressly accepted in writing by an authorized representative of Integer Demand.

In all other cases, your use of the Service is governed by our Terms of Service and Privacy Policy. To request that this DPA be incorporated into your agreement, contact legal@integerdemand.com.

When this DPA applies per the section above, it supplements the Terms of Service between AITECH INTEGRATION LLC (“Integer Demand,” “we,” “us”) and the customer (“Customer,” “you”) and applies to the processing of Personal Data by Integer Demand on Customer's behalf in connection with the Integer Demand platform (the “Service”).

Plain-English summary: When you upload data through Integer Demand that includes personal data, you are the data controller and we are your data processor. This DPA sets out our obligations under the GDPR, UK GDPR, Swiss FADP, CCPA/CPRA, LGPD and similar laws — including security, confidentiality, subprocessor management, international transfers, and assistance with data-subject requests and breach notification.

1. Definitions

Capitalized terms used but not defined in this DPA have the meaning given in the Terms of Service or in applicable Data Protection Laws. “Data Protection Laws” means all laws and regulations applicable to the processing of Personal Data under this DPA, including the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK Data Protection Act 2018 and UK GDPR, the Swiss Federal Act on Data Protection (“FADP”), the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), the Brazilian Lei Geral de Proteção de Dados (“LGPD”), and other state, federal or international privacy laws applicable to the parties.

2. Roles and Scope

Customer is the “controller” (or “business” under CCPA/CPRA) of Personal Data processed through the Service. Integer Demand acts as the “processor” (or “service provider” under CCPA/CPRA) on Customer's documented instructions, which the parties agree consist of the Terms of Service, this DPA, and Customer's use of the Service's features.

Integer Demand will not (a) sell Personal Data, (b) share Personal Data for cross-context behavioral advertising, (c) retain, use or disclose Personal Data outside of the direct business relationship with Customer, or (d) combine Personal Data with information from other sources, except as permitted by CCPA/CPRA.

3. Subject Matter, Duration, Nature and Purpose

• Subject matter: Provision of the Service to Customer.
• Duration: The term of the Terms of Service plus any post-termination period during which Personal Data is retained per Section 9 below.
• Nature and purpose: Hosting, processing, transmitting, and displaying Customer Data so that Customer can use the demand-planning, forecasting, inventory, purchase-order, logistics and AI-assisted features of the Service.
• Categories of data subjects: Customer's end customers, suppliers, employees and business contacts, to the extent included in Customer Data.
• Categories of Personal Data: Identifiers (e.g., names, IDs, email addresses), commercial information (e.g., transaction history), business contact information, and any other Personal Data Customer chooses to upload.
• Special categories: Customer should not upload special categories of Personal Data (Art. 9 GDPR) to the Service.

4. Customer Instructions

Integer Demand will process Personal Data only on Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by applicable law (in which case Integer Demand will inform Customer of that legal requirement before processing, unless prohibited by law).

5. Confidentiality

Integer Demand will ensure that personnel authorized to process Personal Data are bound by confidentiality obligations and have received appropriate training on their privacy and security responsibilities.

6. Security

Integer Demand will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing.

Current measures include, without limitation:

• Encryption in transit (TLS) and at rest where supported by underlying infrastructure
• Strong password hashing (bcrypt) and optional two-factor authentication for end users
• Tenant data isolation: every tenant-scoped request is bound to the authenticated user's session, preventing cross-tenant data access
• Role-based access control and least-privilege production access
• Audit logging of key actions and security-relevant events
• Regular security review of dependencies and infrastructure providers

For an overview of our security approach and how to report a suspected security issue, see our Trust & Security page.

7. Subprocessors

Customer grants Integer Demand a general authorization to engage subprocessors to provide the Service. A current list of subprocessors used to provide the core Service is maintained at /subprocessors.

Integer Demand will (a) impose written data-protection terms on each subprocessor that are no less protective than those in this DPA, (b) remain liable for the acts and omissions of subprocessors as if they were its own, and (c) provide at least 30 days' advance notice of any new subprocessor for the core Service. Customer may object to a new subprocessor on reasonable data-protection grounds during the notice period; if the parties cannot resolve the objection in good faith, Customer may terminate the affected portion of the Service for convenience.

8. International Transfers

Where Integer Demand transfers Personal Data outside of the EEA, the United Kingdom or Switzerland to a country that has not received an adequacy decision, the parties agree that:

• The European Commission's Standard Contractual Clauses (Module Two: controller-to-processor; Module Three: processor-to-processor as applicable), are incorporated into this DPA by reference and apply to such transfers.
• For transfers from the United Kingdom, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the SCCs applies.
• For transfers from Switzerland, the SCCs as adapted under guidance from the Swiss Federal Data Protection and Information Commissioner apply.
• Where a subprocessor holds Data Privacy Framework certification (EU-US, UK Extension, Swiss-US), the parties may also rely on that certification as an alternative transfer mechanism.

SCC Annexes. The Annexes to the SCCs are populated by reference as follows so that the SCCs are self-executing without further signature: Annex I.A (List of Parties) — the parties to the Terms of Service (Integer Demand as data importer / processor; Customer as data exporter / controller, or where applicable as processor on behalf of its own controller); Annex I.B (Description of Transfer) — as set out in Section 3 of this DPA (subject matter, duration, nature and purpose, categories of data subjects, categories of Personal Data, special-categories warning); Annex I.C (Competent Supervisory Authority) — the supervisory authority of the EU member state in which the data exporter is established (or, for transfers from the United Kingdom or Switzerland, the UK ICO or the Swiss FDPIC respectively); Annex II (Technical and Organizational Measures) — as set out in Section 6 of this DPA; Annex III (List of Subprocessors) — the current core-Service subprocessors listed at /subprocessors, as updated from time to time in accordance with Section 7.

9. Data Subject Rights and Assistance

Integer Demand will provide reasonable assistance to Customer (taking into account the nature of the processing and the information available) in responding to data-subject requests under Data Protection Laws (e.g., access, correction, deletion, portability, restriction, objection).

Customer can perform many of these requests directly through the Service's features (e.g., editing data, exporting CSVs, deleting records, deleting an account). Where additional assistance is needed, Customer should contact privacy@integerdemand.com.

10. Personal Data Breach Notification

Integer Demand will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer's Personal Data, and in any event within 72 hours where required by applicable law. The notice will describe, to the extent then known: the nature of the breach, categories and approximate number of data subjects and records affected, the likely consequences, and measures taken or proposed to address the breach and mitigate its effects.

11. Data Protection Impact Assessments

Integer Demand will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of the processing and the information available.

12. Return or Deletion of Personal Data

Upon termination of the Service or earlier on Customer's written request, Integer Demand will, at Customer's choice, delete or return Customer Data containing Personal Data, and delete existing copies, except to the extent applicable law requires continued storage. Customer may export Customer Data in CSV form from inside the Service at any time during the term. Standard retention periods for residual data (e.g., billing records, security logs) are described in our Privacy Policy.

13. Audits and Information

Integer Demand will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. Where Customer can reasonably demonstrate that this information is insufficient, Customer may request an audit no more than once per 12-month period, on at least 30 days' written notice, during normal business hours, in a manner that does not materially disrupt Integer Demand's operations. Audits will be conducted by Customer or a mutually-agreed independent third-party auditor bound by appropriate confidentiality obligations, and at Customer's expense.

14. Liability

Each party's liability arising out of or relating to this DPA is subject to the limitations and exclusions of liability set forth in the Terms of Service. Nothing in this DPA limits a data subject's rights under applicable Data Protection Laws.

15. Conflict; Order of Precedence

In case of conflict between this DPA and the Terms of Service with respect to the processing of Personal Data, this DPA controls. The SCCs (where applicable) take precedence over conflicting provisions of this DPA.

16. How to Execute

Customers who require a counter-signed copy of this DPA may send a request to legal@integerdemand.com from the email address registered with their Integer Demand account. By using the Service after the effective date above, Customer is deemed to have accepted this DPA on behalf of itself and any affiliates whose Personal Data is processed through the Service.