Data Processing Agreement
GDPR Article 28 terms.
ECOEMIT SOLUTIONS SARL · Jurisdiction: France / EU
This page explains how to put a Data Processing Agreement (DPA) in place between your organisation and pilot5.ai, in compliance with GDPR Article 28. It is not the DPA itself — the signed document is executed separately with your legal team.
Parties
- Controller: you or your organisation, as the entity determining the purposes and means of processing.
- Processor: ECOEMIT SOLUTIONS SARL (SIREN 987 787 918), 102 Quai Louis Blériot, 75016 Paris, France — operating as pilot5.ai. See Legal Information for full entity details.
Scope of processing
pilot5.ai processes Controller data solely to deliver the deliberation service described in the Terms of Service. Processing categories, data types, retention periods, and data subject rights are documented in the Privacy Policy and form the factual basis of the DPA schedules.
Controller data is not used to train any AI model and is not shared with third parties beyond the sub-processors listed below.
Sub-processors
The Privacy Policy maintains the authoritative list of sub-processors (infrastructure, authentication, AI model providers, web research providers). Summary:
- Infrastructure & platform: Clerk (authentication), Supabase (database, Ireland), Railway (compute), Vercel (frontend), Stripe (payments), Sentry (error tracking, Germany), Resend (transactional email).
- AI model providers (via OpenRouter and direct): OpenAI, Anthropic, Google, Mistral AI, xAI, Meta, Perplexity, DeepSeek, Qwen/Alibaba, Inception.
- Web research providers: Perplexity, Tavily, Brave Search, Exa.
See the Privacy Policy for processor regions, contractual safeguards, and links to each provider's own terms.
International transfers
Where personal data is transferred outside the European Economic Area, transfers rely on the European Commission's Standard Contractual Clauses (2021/914) and, where applicable, the EU-US Data Privacy Framework. All transfers are encrypted with TLS 1.2 or higher in transit.
Security & data subject rights
pilot5.ai maintains technical and organisational measures proportionate to the processing risk, including access controls, encryption in transit, audit logging, and incident response. Data subject requests (GDPR Art. 15-22) are handled by the Privacy contact listed below within 30 days.
How to request a signed DPA
Send a request to enterprise@pilot5.ai or legal@pilot5.ai with:
- Your legal entity name and registered address.
- The pilot5.ai account or workspace the DPA should cover.
- Whether you want to sign pilot5.ai's standard DPA or countersign a version you provide.
We respond within five business days. Our standard DPA follows the GDPR Art. 28 clauses plus the Commission's SCC modules where transfers are in scope.
Contact
- Enterprise & commercial DPAs: enterprise@pilot5.ai
- Legal & compliance: legal@pilot5.ai
- Privacy (data subject requests): privacy@pilot5.ai