Legal
Data Processing Agreement
Last updated · 29 April 2026This Data Processing Agreement ("DPA") forms part of the agreement between MLtitude (operated by Edoth Electronics, the "Processor") and the customer using the Service (the "Customer", "Controller"). It applies whenever MLtitude processes personal data on behalf of the Customer in connection with the Service, and is designed to comply with Article 28 of the EU General Data Protection Regulation (GDPR) and the UK GDPR.
How to execute this DPA
If your organisation requires a counter-signed copy, email info@edothsoft.com with your company name and the email of the signatory. We typically return signed copies within two business days. If you don't need a signed copy, this published version is incorporated by reference into our Terms of Service and applies as written.
1. Definitions
Capitalised terms used but not defined in this DPA have the meanings given to them in the GDPR. "Customer Personal Data" means personal data that the Customer (or its end users) submits to or processes through the Service.
2. Subject-matter and duration
MLtitude processes Customer Personal Data only as a processor on the Customer's behalf, for the purpose of providing the Service under the Terms of Service. Processing continues for the duration of the Customer's subscription and any retention period set out in our Privacy Policy.
3. Nature, purpose, and categories
| Item | Detail |
|---|---|
| Nature of processing | Hosting, storing, transmitting, generating, and rendering presentation and learning content. |
| Purpose | Delivering the MLtitude Service to the Customer. |
| Categories of data subjects | The Customer's authorised users, and any individuals identified in content the Customer submits. |
| Categories of personal data | Names, business email addresses, account credentials, content of briefs, and any personal data the Customer chooses to include in submitted content. |
| Special-category data | MLtitude does not require, and the Customer should not submit, special categories of personal data (Art. 9 GDPR) unless explicitly agreed in writing. |
4. Our obligations as processor
- Process Customer Personal Data only on the Customer's documented instructions, including those expressed by configuration of the Service.
- Ensure that personnel authorised to process Customer Personal Data are bound by confidentiality.
- Implement appropriate technical and organisational measures (see Annex II below).
- Assist the Customer in responding to data subject requests and in meeting its obligations under Articles 32–36 GDPR, taking into account the nature of processing.
- Make available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR.
- Notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach.
5. Sub-processors
The Customer authorises MLtitude to engage the sub-processors listed at /subprocessors. MLtitude will give the Customer at least 30 days' notice before adding or replacing a sub-processor by updating that page; the Customer may object on reasonable data-protection grounds, in which case the parties will work in good faith to find a resolution. Each sub-processor is bound by a written agreement that imposes substantially the same data-protection obligations as this DPA.
6. International transfers
Customer Personal Data is processed in the European Union (Hetzner data centres in Germany). Where personal data is transferred from the EU/EEA, UK, or Switzerland to a country without an adequacy decision (including transfers from EU servers to authorised personnel in India for support purposes), the parties rely on the European Commission's Standard Contractual Clauses (SCCs) issued under Decision 2021/914, which are incorporated into this DPA by reference. The UK Addendum and the Swiss equivalent apply for transfers from the UK and Switzerland respectively.
7. Audits
MLtitude will, on the Customer's reasonable written request and no more than once per year, make available to the Customer a summary of its most recent independent security review and respond in writing to a reasonable security questionnaire. On-site audits are available to enterprise customers under a separate confidentiality agreement and with at least 30 days' notice.
8. Return or deletion of data
On termination of the Service, MLtitude will, at the Customer's choice, delete or return Customer Personal Data within 30 days, unless retention is required by applicable law. Backups containing Customer Personal Data are overwritten on a 30-day rolling cycle.
9. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service.
Annex I — Parties
Processor: MLtitude — operated by Edoth Electronics, Hyderabad, Telangana, India.
Controller: the Customer named in the corresponding subscription or order form.
Annex II — Technical and organisational measures
- Encryption. TLS 1.3 in transit; AES-256 at rest for databases and backups.
- Access control. Role-based access to production systems, MFA enforced for all staff with production access, principle of least privilege.
- Network security. Private networking between application, database, and cache layers; firewalls; DDoS protection at the edge.
- Logging and monitoring. Audit logs of administrative access, error and performance monitoring, alerting on anomalous activity.
- Backups. Encrypted, EU-resident, retained for 30 rolling days.
- Incident response. Documented plan, on-call rotation, breach notification within 72 hours.
- Personnel. Background checks for employees with production access, mandatory security training, written confidentiality obligations.
- Vendor management. Sub-processors are reviewed before onboarding and re-reviewed annually.
Contact
DPA queries: info@edothsoft.com. Data-subject requests: info@edothsoft.com.