Aquin LogoAquin

Data Processing Agreement

Last updated on September 5th, 2025

This Data Processing Agreement governs how Aquin processes personal data when providing Aquin Lucid services to enterprise customers.

Aquin Data Processing Agreement

This Data Processing Agreement ("DPA") forms an integral part of the Aquin Terms of Service ("Terms") between the party named as "Customer" in the Terms ("Customer" or "Controller") and Aquin ("Company" or "Processor") and sets out the parties' respective obligations when Customer personal data is processed by Company in relation to the Aquin Lucid services performed by Company on Customer's behalf pursuant to the Terms.

The purpose of the DPA is to ensure such processing is conducted in accordance with applicable laws and with due respect for the rights and freedoms of individuals whose personal data is processed. This DPA will be effective from the date on which the Customer accepts the Terms of Service.

This Data Processing Agreement forms part of the Contract for Services between the Customer and:

Aquin

Email: aquin@aquin.app

Website: aquin.app

(the "Data Processor")

Privacy-First Architecture

Aquin Lucid is designed with privacy at its core. Most data processing occurs locally on your device and never leaves your computer when using local AI models.

WHEREAS

(A) The Company acts as a Data Controller and wishes to engage Aquin for Aquin Lucid services, including local AI processing, cloud AI capabilities, file analysis, voice processing, and custom integrations.

(B) The Company wishes to utilize services that may involve the processing of personal data and confidential business information through both local and cloud-based AI processing.

(C) The Parties seek to implement comprehensive data protection provisions that comply with applicable laws including GDPR, U.S. state privacy laws, and other relevant data protection regulations.

(D) The Parties wish to establish clear data handling practices that leverage Aquin's privacy-first local processing capabilities while enabling optional cloud-based AI features.

1. DEFINITIONS AND INTERPRETATION

1.1 Definitions

"Agreement" means this Data Processing Agreement and all referenced schedules and policies.

"Company Personal Data" means any Personal Data processed by Aquin on behalf of Company pursuant to or in connection with the Terms of Service.

"Company Confidential Information" means all non-public, proprietary, or confidential information disclosed by Company to Aquin, including but not limited to files, documents, screenshots, voice recordings, business processes, and strategic information.

"Data Protection Laws" means EU Data Protection Laws, U.S. Privacy Laws, and, to the extent applicable, the data protection or privacy laws of any other country.

"Services" means the Aquin Lucid software and related services that Aquin provides, including:

  • Local AI model processing and analysis
  • Cloud-based AI processing (when selected by user)
  • File upload and analysis capabilities
  • Screenshot capture and processing
  • Voice input and text-to-speech output
  • Browser tab content integration
  • Custom commands and app integrations
  • Chart and mindmap generation

"Local Processing" means data processing that occurs entirely on the Customer's device without transmission to external servers or third parties.

"Cloud Processing" means data processing that involves transmission of data to Aquin's servers or third-party AI service providers.

"Subprocessor" means any third party appointed by Aquin to process Personal Data on behalf of the Customer in connection with cloud-based AI services.

1.2 GDPR Terms

The terms "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

2. DATA PROCESSING AND PRIVACY ARCHITECTURE

2.1 Local and Cloud Processing

Local Processing

When Customer uses local AI models:

  • All data remains on Customer's device
  • No transmission to Aquin or third parties
  • Complete privacy and offline functionality
  • Customer maintains full data control
  • This DPA applies minimally to local processing

Cloud Processing

When Customer uses cloud AI models:

  • Data transmitted to AI service providers
  • Enhanced AI capabilities and features
  • Subject to this DPA and third-party policies
  • Encrypted transmission and processing
  • Customer controls when to use cloud features

2.2 Processing Instructions

The Company instructs Aquin to process Company Personal Data for the following purposes:

  • Providing AI-powered responses and analysis through local or cloud models
  • Processing uploaded files, documents, and images
  • Analyzing screenshot content and browser tab information
  • Converting voice input to text and providing audio output
  • Generating charts, mindmaps, and visual content
  • Maintaining chat history and user preferences (when cloud storage is enabled)
  • Providing technical support when requested

2.3 Processing Obligations

Aquin shall:

  • Comply with all applicable Data Protection Laws in the processing of Company Personal Data
  • Process Company Personal Data only on the Company's documented instructions or as required by law
  • Ensure all employees handling Personal Data are bound by confidentiality agreements
  • Clearly distinguish between local and cloud processing capabilities
  • Provide Customer with control over when cloud processing is used
  • Implement appropriate technical and organizational security measures

3. SECURITY MEASURES

3.1 Technical and Organizational Measures

Aquin implements and maintains the following security measures:

Encryption

End-to-end encryption for all cloud data transmission using TLS 1.3. Local processing uses device-level encryption.

Access Controls

Multi-factor authentication and role-based access control for cloud services.

Data Minimization

Processing only necessary data with configurable retention policies.

Infrastructure Security

Regular security assessments, automated updates, and incident response procedures.

3.2 Local Processing Security

For local processing, security is primarily maintained by:

  • Customer's device security measures
  • Operating system-level protections
  • Application-level sandboxing
  • No network transmission of sensitive data

4. SUBPROCESSORS AND THIRD-PARTY SERVICES

4.1 Authorized Subprocessors

For cloud-based AI processing, Aquin may engage authorized subprocessors to provide enhanced AI capabilities and services.

For a current list of authorized subprocessors and their purposes, please visit our Subprocessors page.

4.2 Subprocessor Requirements

Aquin ensures that all subprocessors:

  • Are bound by data protection obligations equivalent to this Agreement
  • Process Personal Data only for authorized purposes
  • Implement appropriate technical and organizational measures
  • Comply with applicable Data Protection Laws

4.3 Subprocessor Changes

Aquin shall inform Customer of any intended changes to subprocessors with at least 30 days' prior written notice. Customer may object to such changes within 14 days if the changes do not meet required data protection standards.

5. DATA SUBJECT RIGHTS

5.1 Assistance to Customer

Aquin shall assist Customer in fulfilling obligations to respond to Data Subject rights requests under applicable Data Protection Laws, including:

  • Right to access personal information
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing

5.2 Local Processing Rights

For locally processed data, Customer maintains direct control over Data Subject rights fulfillment since data remains on Customer's device.

5.3 Request Handling

Aquin shall promptly notify Customer within 5 business days if it receives a request from a Data Subject and shall not respond except on Customer's documented instructions or as required by law.

6. PERSONAL DATA BREACH

6.1 Breach Notification

Aquin shall notify Customer at aquin@aquin.app without undue delay upon becoming aware of a Personal Data Breach affecting Company Personal Data, providing sufficient information to allow Customer to meet any reporting obligations under Data Protection Laws.

6.2 Breach Response

Aquin shall cooperate with Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of each Personal Data Breach.

6.3 Local Processing Breaches

For locally processed data, Customer is primarily responsible for breach prevention and response, as data remains under Customer's direct control.

7. DATA RETENTION AND DELETION

7.1 Retention Periods

Local AI Processing: Data never leaves Customer's device; retention controlled by Customer

Cloud AI Processing: Processed in real-time; minimal retention based on Customer settings

Account Information: Retained for duration of service agreement

7.2 Data Deletion

Aquin shall delete Company Personal Data within 30 days of service termination, except for data required to be retained by law or aggregated, anonymized data that cannot identify Customer.

7.3 Deletion Certification

Aquin shall provide written certification to Customer that it has fully complied with data deletion requirements within 30 days of the termination date.

8. INTERNATIONAL TRANSFERS

8.1 Data Transfers

Personal data processed under this Agreement may be transferred internationally when using cloud-based AI services. For local processing, no international transfers occur.

8.2 Transfer Safeguards

For transfers from the EU/EEA, the Parties shall rely on:

  • EU adequacy decisions where available
  • Standard Contractual Clauses as approved by the European Commission
  • Other legally recognized transfer mechanisms

8.3 Government Access

Aquin shall immediately notify Customer of any legally binding request for disclosure of Personal Data by a government authority, unless prohibited by law.

9. AI ETHICS AND NO-TRAINING COMMITMENTS

9.1 No-Training Rights

Aquin shall not use Company Personal Data or Confidential Information for training or developing AI models. For cloud-based AI processing through third-party providers, Aquin relies on the provider's data handling policies and shall not authorize additional use of customer data beyond the immediate processing request.

9.2 AI Ethics

Aquin is committed to responsible AI use and shall select and configure AI services in accordance with ethical AI principles including fairness, transparency, and accountability, within the constraints of available provider options.

9.3 Local Model Independence

Local AI models operate independently of cloud services and do not transmit data for training or improvement purposes.

10. LIABILITY AND INDEMNIFICATION

10.1 Data Protection Liability

Aquin shall be liable for damages caused by non-compliance with applicable Data Protection Laws, processing Personal Data outside the scope of lawful instructions, or failure to implement appropriate security measures for cloud processing.

10.2 Local Processing Liability

For local processing, Customer maintains primary responsibility for data protection compliance as data remains under Customer's direct control.

10.3 Breach Indemnification

Aquin shall indemnify Customer for damages resulting from unauthorized disclosure of Company Confidential Information due to Aquin's negligence or breach of this Agreement.

11. AUDIT RIGHTS

11.1 Audit Access

Customer may request information demonstrating compliance with this Agreement. For cloud processing services, Aquin shall allow for and contribute to audits by Customer or Customer's appointed auditor.

11.2 Compliance Documentation

Aquin shall maintain and provide documentation demonstrating compliance with this Agreement and applicable Data Protection Laws upon reasonable request.

12. TERM AND TERMINATION

12.1 Term

This Agreement remains in effect for the duration of the Terms of Service between the parties.

12.2 Survival

The following provisions shall survive termination:

  • Confidentiality obligations
  • Data deletion requirements
  • Liability provisions
  • Local data processing acknowledgments

13. GENERAL PROVISIONS

13.1 Governing Law

This Agreement shall be governed by the laws of Delaware, United States, without regard to conflict of law principles.

13.2 Amendments

This Agreement may only be amended in writing or through updated terms posted at aquin.app with appropriate notice to Customer.

13.3 Contact Information

Email: aquin@aquin.app

Secondary Email: aquin.explore@gmail.com

13.4 Severability

If any provision of this Agreement is found unenforceable, the remainder shall remain in full force and effect.