For business customers whose compliance programme requires a DPA. Version 1.0 — 11 June 2026.
This Data Processing Addendum ("DPA") forms part of the Terms of Service between ResultsAIx (operated by Kevin Fahey through Results With Kevin, Portugal — the "Processor") and the business customer accepting the Terms (the "Controller"), and applies whenever the Processor processes personal data on behalf of the Controller in connection with the products. It is accepted by using the products as a business customer; a countersigned copy is available on request to info@onlineimsupport.com.
"GDPR", "personal data", "processing", "data subject", "supervisory authority" have the meanings given in Regulation (EU) 2016/679. "Customer Data" means personal data the Controller submits to the Processor for processing on the Controller's behalf.
| Item | Description |
|---|---|
| Subject matter | Support-related processing of Customer Data (e.g. diagnostic exports, staging copies) and, where used, hosted AI features processing end-user content the Controller submits |
| Duration | The term of the underlying license/subscription, plus the deletion period in clause 10 |
| Nature & purpose | Storage, analysis, and transformation strictly to provide support and product functionality |
| Categories of data subjects | The Controller's customers, prospects, subscribers, and site visitors |
| Categories of personal data | Contact details (names, emails), transaction metadata, IP addresses, behavioural data the Controller's site collected. No special-category data is to be submitted. |
The Processor processes Customer Data only on documented instructions from the Controller — the Terms, this DPA, and instructions given through support channels — including with regard to international transfers, unless required otherwise by EU or member-state law (in which case the Processor informs the Controller before processing, unless the law prohibits it). The Processor will inform the Controller if, in its opinion, an instruction infringes the GDPR.
Persons authorised to process Customer Data are bound by contractual or statutory confidentiality obligations.
The Processor implements appropriate technical and organisational measures, including: TLS encryption in transit; access on a least-privilege basis; environment separation; rate limiting and abuse detection; audit logging of administrative actions; and prompt application of security updates. Measures are reviewed as technology and risk evolve.
The Controller grants general authorisation to the sub-processors listed in the Privacy Policy (hosting/CDN, support desk, email delivery, AI providers where the feature is used). The Processor will update that list before adding or replacing sub-processors; the Controller may object on reasonable data-protection grounds within 14 days, in which case the parties will seek a solution and, failing that, the Controller may terminate the affected service with a pro-rata refund of prepaid fees. Sub-processors are bound by data-protection obligations no less protective than this DPA.
Taking into account the nature of processing, the Processor assists the Controller with appropriate technical and organisational measures in fulfilling data-subject rights requests (Arts. 12–23), and assists with security, breach notification, DPIAs, and prior consultation obligations (Arts. 32–36), at no charge for reasonable requests.
The Processor notifies the Controller without undue delay, and in any case within 72 hours, after becoming aware of a personal-data breach affecting Customer Data, providing the information reasonably required for the Controller's own notification obligations.
At the end of the engagement — or earlier on request — the Processor deletes or returns all Customer Data, at the Controller's choice, and deletes existing copies within 30 days unless EU or member-state law requires longer storage. Support-related data copies are deleted as soon as the ticket is resolved by default.
The Processor makes available the information necessary to demonstrate compliance with Art. 28 and allows audits — normally satisfied by written responses and documentation; on-site or remote technical audits no more than once per year, on 30 days' notice, at the Controller's expense, without access to other customers' data.
Transfers outside the EU/EEA occur only to recipients covered by an adequacy decision (including the EU–US Data Privacy Framework) or subject to Standard Contractual Clauses, which are incorporated by reference where required. The Processor's own establishment is in Portugal (EU).
Liability under this DPA is subject to the limitations in the Terms, except where GDPR mandates otherwise (Art. 82). In case of conflict between this DPA and the Terms regarding processing of personal data, this DPA prevails.
To request a countersigned DPA, the current sub-processor list, or transfer-safeguard documentation: info@onlineimsupport.com.