Data Processing Agreement

Last updated: August 30, 2025

Effective Date: September 1, 2025
Between:

  • Processor: Explore Interfaces Inc. d/b/a Context, a Delaware corporation with offices at 55 Second Street, San Francisco, CA (“Company,” “Processor,” “we,” “us”).
  • Controller: The customer entity that has entered into the Context Terms of Service or other written agreement (“Customer,” “Controller”).

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (or other written agreement) between Customer and Company (“Agreement”).

1) Definitions

  • Applicable Law: all data protection and privacy laws, including GDPR (EU 2016/679), UK GDPR, CCPA/CPRA, LGPD, and others as applicable.
  • Personal Data: any information relating to an identified or identifiable natural person processed under the Agreement.
  • Processing / Process: any operation performed on Personal Data, including storage, use, access, transmission, and deletion.
  • Subprocessor: any third party engaged by Company to process Personal Data.
  • Standard Contractual Clauses (SCCs): the EU Commission’s 2021/914 clauses for international transfers, incorporated herein as applicable.

2) Roles of the Parties

  • Customer is the Controller; Company acts as the Processor.
  • Company will process Personal Data only in accordance with Customer’s documented instructions, unless required by law.

3) Scope of Processing

  • Subject Matter: provision of the Context AI workspace and related services.
  • Nature & Purpose: hosting, storage, retrieval, transformation, and generation of Output as part of the Service.
  • Duration: for the term of the Agreement plus 60 days following termination (data retention period).
  • Types of Data: identifiers (name, email, account ID), business content (documents, spreadsheets, presentations, emails), communications metadata, and optional integrations.
  • Categories of Data Subjects: Customer’s employees, contractors, clients, and other end users whose data may be submitted.

4) Processor Obligations
Company will:

  1. Instructions: process Personal Data only under Customer’s lawful instructions.
  2. Confidentiality: ensure staff authorized to process Personal Data are bound by confidentiality obligations.
  3. Security: implement appropriate technical and organizational measures (aligned with ISO/IEC 27001 & 42001, and NIST AI RMF) including:
    • encryption in transit and at rest,
    • access controls with least privilege,
    • audit logging,
    • incident detection and response.
  4. Subprocessors: only use approved Subprocessors listed at https://context.ai/subprocessors. We will notify Customer of changes and allow objections on reasonable grounds.
  5. Assistance: assist Customer in responding to data subject rights requests, impact assessments, and consultations with supervisory authorities.
  6. Breach Notification: notify Customer without undue delay (no later than 48 hours) upon becoming aware of a Personal Data Breach.
  7. Return/Deletion: delete or return Personal Data at Customer’s choice upon termination, subject to legal retention obligations.

5) Customer Obligations
Customer will:

  • Ensure it has lawful grounds for submitting Personal Data.
  • Configure the Service to apply appropriate permissions and retention.
  • Not submit prohibited data categories unless explicitly agreed (PHI, PCI, special categories).

6) Subprocessors

  • Customer authorizes Company to engage Subprocessors for hosting, storage, and operational support.
  • Current Subprocessors: cloud hosting (e.g., AWS, GCP, Azure), logging/monitoring providers, customer support systems.
  • Updates will be posted at https://context.ai/subprocessors with at least 30 days’ notice before new engagement.

7) International Transfers

  • Where Personal Data is transferred outside the EEA/UK to a country lacking adequacy, the SCCs (EU 2021/914 Modules 2 & 3) and UK Addendum apply.
  • U.S. transfers may also rely on the EU-U.S. Data Privacy Framework, if applicable.

8) Data Subject Rights
We will, to the extent legally permissible, assist Customer in responding to requests to exercise rights of access, rectification, erasure, restriction, portability, or objection.

9) Audits

  • Upon reasonable request, Company will provide Customer with SOC 2 Type II, ISO/IEC 27001, and ISO/IEC 42001 reports.
  • If insufficient, Customer may conduct audits or inspections no more than once annually, with 30 days’ notice, at Customer’s expense.

10) Liability
Liability under this DPA is subject to the limitations set forth in the Agreement.

11) Termination
This DPA remains in effect as long as Company processes Personal Data on behalf of Customer. Upon termination, Company will delete or return Personal Data as described in Section 4(7).

12) Order of Precedence
If there is a conflict between this DPA and the Agreement, this DPA will prevail with respect to data protection obligations.

Exhibit A – Technical & Organizational Measures (TOMs)
Company implements the following measures:

  • Information Security Program: aligned to ISO/IEC 27001, 42001, SOC 2.
  • Encryption: TLS 1.2+ in transit, AES-256 at rest.
  • Access Controls: SSO/SAML, MFA, role-based access.
  • Monitoring & Logging: centralized logging, anomaly detection, intrusion prevention.
  • Data Minimization: only process data necessary for service delivery.
  • Resilience: redundancy, backups, disaster recovery.
  • AI System Governance: bias testing, auditability of outputs, human-in-the-loop controls.

Exhibit B – Subprocessors
[Will be maintained at https://trust.delve.co/context]

Contact
Explore Interfaces Inc. d/b/a Context
55 Second Street, San Francisco, CA
legal@context.ai | team@context.ai
