Last Updated: Jan 6, 2026

PVAI Consulting, Inc.
“Auggie” Data Processing Addendum

1. Definitions

  • “Data Protection Laws” means all applicable privacy laws, including GDPR, UK GDPR, CPRA/CCPA, and other relevant regulations governing the processing of Personal Data.

  • “Personal Data” means any information relating to an identified or identifiable individual processed by PVAI on behalf of Customer.

  • “Processing,” “Processor,” “Controller,” and “Subprocessor” have the meanings given in GDPR and other applicable laws.


2. Scope and Roles

  • This DPA applies to PVAI’s processing of Personal Data as a Processor on behalf of the Customer, who acts as the Controller (or Business under CCPA).

  • The processing relates to Customer’s use of the Auggie platform to simulate personas, conduct focus group sessions, and analyze interaction data.


3. Nature and Purpose of Processing

PVAI will process Personal Data for the following purposes:

  • Delivering the Services (including persona simulation, insights generation, and analytics)

  • Maintaining system security, reliability, and performance

  • Improving persona quality and emotional realism (subject to anonymization and customer isolation policies)

  • Complying with legal obligations


4. Types of Personal Data and Data Subjects

Data Subjects: End users authorized by Customer, including Customer’s employees, partners, or representatives.

Personal Data: May include:


  • User names, email addresses, roles

  • Session metadata (timestamps, persona IDs, session IDs)

  • User-entered prompts and conversation content

  • Usage behavior and feedback (e.g., thumbs-up ratings)


Sensitive data is neither required nor intentionally collected.


5. Customer Responsibilities

Customer shall:


  • Ensure its instructions to PVAI comply with Data Protection Laws

  • Have a lawful basis for the processing of Personal Data

  • Not upload prohibited data types (e.g., health records, payment card info, or sensitive categories) without prior agreement


6. PVAI Responsibilities

PVAI will:


  • Process Personal Data only as necessary to provide the Services and in accordance with the Customer’s documented instructions, as defined in this DPA, the Terms of Service, the Privacy Policy, and Customer-initiated actions within the platform

  • Maintain confidentiality and ensure employees and contractors are bound by appropriate obligations

  • Implement appropriate technical and organizational security measures (aligned with SOC 2 readiness)

  • Cooperate with Customer for data subject rights requests


7. Subprocessors

PVAI uses authorized subprocessors to provide infrastructure and platform functionality. Current subprocessors include:


  • Amazon Web Services (AWS): Cloud infrastructure (USA)

  • MongoDB Atlas: Operational database (USA)

  • Pinecone: Vector database (USA)

  • OpenAI: AI model inference (inference-only, no training) (USA)


Updates to this list will be posted at auggietalk.ai/subprocessors with 30 days’ notice where feasible.


8. Data Transfers

PVAI may transfer Personal Data outside the EEA/UK/Switzerland. Where it does so:


  • It relies on Standard Contractual Clauses (SCCs) and/or the UK International Data Transfer Addendum

  • Appropriate safeguards are applied, including encryption and access controls


9. Security Measures

PVAI implements safeguards including:


  • Encryption in transit and at rest

  • Role-based access control

  • Monitoring and logging

  • Data retention and deletion practices consistent with Customer instructions


10. Data Subject Rights

PVAI will assist Customer in responding to:


  • Requests for access, correction, deletion, restriction, portability, or objection

  • CPRA “Do Not Sell or Share” opt-outs or Global Privacy Control (GPC) signals


11. Data Retention and Deletion

PVAI retains session and user data for no longer than necessary. Upon termination of the Services or upon request, PVAI will:


  • Delete or return all Personal Data, unless retention is required by law

  • Provide certification of deletion upon written request


12. Breach Notification

PVAI will promptly notify Customer of any Personal Data Breach without undue delay, and in any case within 72 hours of becoming aware. The notice will include:


  • Nature of the breach

  • Impacted data categories

  • Remediation actions taken or planned

  • Contact information for follow-up


13. Audit and Certification

Upon reasonable notice, PVAI will:


  • Provide information to demonstrate compliance with this DPA

  • Cooperate with audits or inspections initiated by Customer (no more than once per year)


14. General Terms

  • This DPA is governed by the same law and jurisdiction as the underlying Terms of Service.

  • In the event of conflict between this DPA and the Terms, this DPA controls with respect to data protection matters.


Annex I: Data Processing Details (per GDPR Art. 28)
