AMBIC legal centre
Data Processing Addendum
Baseline processor obligations when Ambic handles personal data for a customer business.
Roles and instructions
Where a customer determines the purpose and means of processing personal data in an Ambic deployment, the customer is the Data Fiduciary/controller and Ambic is its processor/service provider. Ambic will process that data only on documented instructions in the order, this addendum and necessary support communications, unless law requires otherwise.
Customer obligations
- Provide lawful instructions, notices and consents and identify the permitted users and purposes.
- Avoid submitting data that is unnecessary for the service.
- Determine retention, access and disclosure requirements and respond to individuals unless Ambic is expressly asked to assist.
- Assess whether the service is suitable for regulated or sensitive workflows before use.
Ambic obligations
- Limit access to authorised persons under confidentiality duties.
- Apply safeguards proportionate to the deployment and current product status.
- Assist reasonably with verified access, correction, deletion, grievance and incident requests.
- Notify the customer of a confirmed relevant breach without undue delay after obtaining enough reliable information.
- Delete or return customer personal data at the end of service, subject to agreed backup cycles and legal retention.
Subprocessors
Ambic may use hosting, storage, communications, monitoring, payment and AI providers needed for the service. Ambic remains responsible for selecting providers on suitable terms and will make a current subprocessor description available for a paid production deployment. A customer must raise a documented material objection before the provider is activated; the parties will seek a reasonable alternative, which may change cost or functionality.
Security and audits
Ambic will provide available security and compliance information reasonably needed for the customer’s assessment. Audits must protect other customers, security details and confidential information and should first use existing documents and remote evidence. Bespoke or onsite audits may require a separate fee. A product marked controlled pilot must not be treated as satisfying production controls that its schedule says are incomplete.
International processing and deletion
Processing locations follow the selected providers and deployment. The customer must identify localisation restrictions before configuration. On termination, Ambic will follow the documented export/deletion instruction and may retain isolated copies required for law, security, payment or disputes until the applicable period ends.
Read this document with the Terms of Service, Privacy Policy and any signed order or product schedule.