Data Processing Agreement
Last updated: February 19, 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between 42 Consulting LLC (“Processor” or “Company”) and the Customer (“Controller”) that has entered into the Agreement for the use of the Deep Thought platform (the “Service”).
This DPA applies to the extent that Company processes Personal Data on behalf of Customer in the course of providing the Service, and where applicable data protection laws require a data processing agreement to be in place. This DPA supplements the Agreement and, in the event of a conflict between this DPA and the Agreement regarding the processing of Personal Data, this DPA shall prevail.
The Deep Thought platform is owned by Deep Thought Technologies Inc., a Delaware corporation (“Licensor”), and licensed to Company. All intellectual property rights in and to the Platform are owned exclusively by Licensor. Company is the Processor and contracting party to Customer under this DPA.
1. Definitions
In this DPA, unless otherwise defined:
- “Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data under this DPA, including the GDPR, UK GDPR, CCPA/CPRA, GLBA, state insurance data privacy laws, and any other applicable privacy or data protection legislation.
- “Personal Data” means any information relating to an identified or identifiable natural person that is processed by Company on behalf of Customer through the Service, including data defined as “personal data,” “personal information,” or equivalent terms under Applicable Data Protection Law.
- “Processing” means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, restriction, erasure, or destruction.
- “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
- “Sub-Processor” means any third party engaged by Company to process Personal Data on behalf of Customer.
- “Security Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
- “Standard Contractual Clauses” (“SCCs”) means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission, as may be amended or replaced from time to time.
2. Scope of Processing and Roles
2.1 Roles
For the purposes of this DPA, Customer is the Controller and Company is the Processor with respect to Personal Data processed through the Service. Where Company processes Personal Data for its own purposes (e.g., billing, account management), Company is an independent Controller for such processing as described in the Privacy Policy.
2.2 Subject Matter and Duration
Company processes Personal Data for the purpose of providing the Service as described in the Agreement. Processing continues for the duration of the Agreement, plus any retention period specified in this DPA or the Agreement.
2.3 Nature and Purpose of Processing
Personal Data is processed for the following purposes in connection with the Service:
- Authenticating and authorizing Authorized Users;
- Processing conversation content through AI models to generate AI Output;
- Processing documents (PDFs, spreadsheets) submitted by Authorized Users;
- Executing Skills, Automations, and scheduled tasks as configured by Customer;
- Proxying API requests to Customer-configured Connections;
- Processing email content and attachments through email intelligence features;
- Maintaining audit logs of actions performed by Authorized Users;
- Providing customer support and resolving technical issues.
2.4 Categories of Data Subjects
Personal Data may relate to the following categories of Data Subjects:
- Customer’s employees and Authorized Users;
- Policyholders and insureds;
- Claimants and beneficiaries;
- Insurance agents, brokers, and producers;
- Third-party contacts referenced in Customer’s insurance operations;
- Individuals whose data appears in documents processed through the Service.
2.5 Types of Personal Data
The types of Personal Data processed may include:
- Contact information (name, email, phone, address);
- Professional information (job title, employer, license numbers);
- Insurance policy information (policy numbers, coverage details, premiums);
- Claims information (claim numbers, loss descriptions, settlement amounts);
- Financial information (payment history, billing records);
- Identity verification data (date of birth, identification numbers);
- Communications content (emails, messages, conversation transcripts);
- Document content (information contained in PDFs and spreadsheets);
- Authentication data (user IDs, SSO tokens, session data).
3. Processor Obligations
3.1 Lawful Processing
Company shall:
- Process Personal Data only on documented instructions from Customer, including the instructions set forth in the Agreement and this DPA, unless required to process Personal Data by applicable law, in which case Company shall (to the extent permitted by law) inform Customer of that legal requirement before processing;
- Not process Personal Data for any purpose other than providing the Service as described in the Agreement;
- Not sell, rent, or trade Personal Data, or use Personal Data for advertising or marketing purposes unrelated to the Service;
- Not use Personal Data to train, fine-tune, or improve AI or machine learning models.
3.2 Confidentiality
Company shall ensure that all personnel authorized to process Personal Data are subject to appropriate confidentiality obligations, whether contractual or statutory.
3.3 Security Measures
Company shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, including:
- Encryption: AES-256-GCM encryption for stored credentials and sensitive data; TLS 1.2+ for data in transit;
- Access Controls: Default-deny permission engine with role-based access control; multi-factor authentication support via identity provider;
- Audit Logging: Comprehensive logging of all data access and processing activities with 92 distinct action types;
- Tenant Isolation: Logical separation of Customer data through application-level access controls and database constraints;
- Credential Protection: API keys and tokens encrypted at rest and never exposed to AI models or included in logs;
- Infrastructure Security: Regular security updates, network segmentation, and monitoring;
- Personnel Security: Background checks and security training for personnel with access to production systems;
- Backup and Recovery: Regular encrypted backups with tested recovery procedures.
3.4 Security Incident Notification
Company shall notify Customer of any confirmed Security Incident without undue delay and in any event within seventy-two (72) hours of confirmation. The notification shall include, to the extent known:
- A description of the nature of the Security Incident;
- The categories and approximate number of Data Subjects affected;
- The categories and approximate number of records affected;
- The likely consequences of the Security Incident;
- The measures taken or proposed to address the Security Incident and mitigate its effects;
- The name and contact details of a point of contact for further information.
Company shall cooperate with Customer and take commercially reasonable steps to assist Customer in investigating, mitigating, and remediating the Security Incident. Company shall not notify any regulatory authority or Data Subject on behalf of Customer unless instructed by Customer or required by applicable law.
4. Sub-Processors
4.1 Authorization
Customer provides general authorization for Company to engage Sub-Processors to process Personal Data, subject to the requirements of this Section 4.
4.2 Current Sub-Processors
The following Sub-Processors are authorized as of the effective date of this DPA:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Anthropic, PBC | AI model provider (Claude) | United States |
| OpenAI, LLC | AI model provider | United States |
| Amazon Web Services, Inc. | Cloud infrastructure, AI model provider (Bedrock) | United States (configurable region) |
| Microsoft Corporation | Identity provider (Entra ID), Graph API | United States |
| FormSubmit.co (MillionVerifier LLC) | Contact form processing (website only) | United States |
| Render Services, Inc. | Cloud hosting (if applicable) | United States |
4.3 New Sub-Processors
Company shall notify Customer at least thirty (30) days in advance of engaging a new Sub-Processor or replacing an existing Sub-Processor. Notification will be provided via email to the Customer’s designated contact.
Customer may object to the engagement of a new Sub-Processor by providing written notice to Company within fifteen (15) days of receiving notification. If Customer objects on reasonable grounds related to data protection, the parties shall discuss the matter in good faith. If the parties are unable to resolve the objection within thirty (30) days, Customer may terminate the affected portion of the Service without penalty.
4.4 Sub-Processor Obligations
Company shall ensure that each Sub-Processor is bound by data protection obligations no less protective than those set forth in this DPA, including obligations regarding confidentiality, security measures, and restrictions on data use. Company remains fully liable to Customer for the acts and omissions of its Sub-Processors.
5. Data Subject Rights
5.1 Assistance with Data Subject Requests
Company shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling Customer’s obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection.
5.2 Direct Requests
If Company receives a request directly from a Data Subject regarding Personal Data processed on behalf of Customer, Company shall promptly redirect the Data Subject to Customer and notify Customer of the request, unless prohibited by applicable law. Company shall not respond to the Data Subject directly unless instructed by Customer or required by applicable law.
6. Data Protection Impact Assessments and Consultations
Company shall provide reasonable assistance to Customer in conducting data protection impact assessments and prior consultations with supervisory authorities, to the extent required by Applicable Data Protection Law and taking into account the nature of the processing and the information available to Company.
7. International Data Transfers
7.1 Transfer Mechanisms
To the extent that Personal Data is transferred from the European Economic Area, United Kingdom, or Switzerland to a country not recognized as providing an adequate level of data protection, Company shall ensure that appropriate safeguards are in place, including:
- Standard Contractual Clauses: The parties agree that the SCCs approved by the European Commission (Commission Implementing Decision (EU) 2021/914) are incorporated into this DPA by reference. For transfers where Customer is the data exporter and Company is the data importer: Module Two (Controller to Processor) applies. The governing law shall be the law of the EU Member State in which the data exporter is established, or where no EU establishment exists, the law of Ireland. The competent supervisory authority shall be determined in accordance with Clause 13 of the SCCs.
- UK International Data Transfer Addendum: For transfers subject to UK GDPR, the UK International Data Transfer Addendum to the EU SCCs (as issued by the UK Information Commissioner under S119A(1) of the Data Protection Act 2018) shall apply.
- Swiss Data Transfers: For transfers subject to the Swiss Federal Act on Data Protection, the SCCs apply with the modifications required by Swiss law.
7.2 On-Premises Deployment
Where Customer deploys the Service on-premises, Customer Data may remain within Customer’s infrastructure. However, Personal Data may still be transmitted to Third-Party AI Providers and other Sub-Processors as necessary to provide AI capabilities. The transfer safeguards in this Section 7 apply to such transmissions.
8. Audit Rights
8.1 Audit
Company shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by Customer or a qualified third-party auditor mandated by Customer, subject to the following conditions:
- Customer shall provide at least thirty (30) days’ prior written notice of any audit request;
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt Company’s operations;
- Customer shall bear its own costs of the audit, except where the audit reveals a material breach of this DPA by Company;
- Third-party auditors must enter into appropriate confidentiality agreements;
- Audits shall be limited to once per twelve (12) month period unless a Security Incident or material breach has occurred;
- Company may satisfy audit requests by providing relevant certifications, audit reports (e.g., SOC 2), or other evidence of compliance, where available.
8.2 Regulatory Audits
Company shall cooperate with audits or inspections required by regulatory authorities (including state departments of insurance) with jurisdiction over Customer’s data processing activities, to the extent such cooperation is required and relates to Company’s processing of Personal Data under this DPA.
9. Data Return and Deletion
9.1 Upon Termination
Upon termination or expiration of the Agreement, Company shall:
- Make Personal Data available for export by Customer for a period of thirty (30) days in a commonly used, machine-readable format;
- Following the export period, delete all Personal Data from Company’s systems and instruct Sub-Processors to do the same, unless retention is required by applicable law;
- Upon Customer’s request, provide written confirmation of deletion.
9.2 Backup Retention
Personal Data contained in encrypted backup systems may be retained for up to ninety (90) days following the export period before being permanently deleted through regular backup rotation cycles. Such data remains subject to the confidentiality and security obligations of this DPA.
10. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions of liability set forth in the Agreement, except that such limitations shall not limit either party’s liability for: (a) violations of Applicable Data Protection Law; (b) either party’s indemnification obligations; or (c) either party’s obligations under mandatory data protection provisions that cannot be contractually limited.
11. Insurance Industry Considerations
11.1 GLBA Compliance
To the extent that Personal Data includes nonpublic personal financial information subject to the Gramm-Leach-Bliley Act (GLBA) and its implementing regulations (including Regulation S-P), Company shall maintain safeguards consistent with the Safeguards Rule (16 CFR Part 314) as applicable to service providers.
11.2 State Insurance Regulations
Company acknowledges that Customer may be subject to state-specific insurance data privacy and cybersecurity regulations, including but not limited to the NAIC Insurance Data Security Model Law and the New York Department of Financial Services Cybersecurity Regulation (23 NYCRR 500). Company shall cooperate with Customer in meeting these requirements, including by providing information about Company’s security practices and incident response procedures upon reasonable request.
11.3 Market Conduct Examinations
Company shall cooperate with Customer in responding to market conduct examinations or regulatory inquiries that relate to Customer’s use of the Service, including by providing access to relevant audit logs and processing records within a reasonable timeframe.
12. General Provisions
12.1 Governing Law
This DPA is governed by the same governing law as the Agreement, except to the extent that Applicable Data Protection Law requires the application of a different governing law for specific provisions.
12.2 Severability
If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable.
12.3 Entire DPA
This DPA, together with the Agreement and any annexes or schedules hereto, constitutes the entire agreement between the parties regarding data processing and supersedes all prior data processing agreements or addenda between the parties.
12.4 Amendments
Company may update this DPA to reflect changes in Applicable Data Protection Law, regulatory guidance, or the Sub-Processor list. Material changes will be communicated to Customer at least thirty (30) days before they take effect.
Contact Information
For questions about this Data Processing Agreement, please contact:
42 Consulting LLC
Data Protection Inquiries
Email: privacy@42ims.com
Website: https://ai.42ims.com