Data Processing Agreement
Note: GreenPilot AI is currently in pre-incorporation pilot stage. This DPA is entered into by Richard Schmitz, trading as GreenPilot AI, based in Lisbon, Portugal. The company details below will be updated upon formal incorporation. The legal obligations set out in this agreement apply in full regardless of incorporation status.
1. Parties
Data Processor
Name: GreenPilot AI (operated by Richard Schmitz, pending formal incorporation)
Address: Lisbon, Portugal
Contact: info@greenpilotai.com
Role: Data Processor — processes personal data on behalf of the Controller in connection with the GreenPilot pilot assessment service.
Data Controller
Name: [Customer company name]
Address: [Customer registered address]
Contact: [Customer data protection contact]
Role: Data Controller — determines the purposes and means of processing personal data within its AWS environment and in connection with the GreenPilot service.
Together referred to as "the Parties." This Data Processing Agreement ("DPA") forms part of the Pilot Agreement between the Parties and governs the processing of personal data by GreenPilot AI on behalf of the Controller.
2. Processing Details
| Element | Detail |
|---|---|
| Subject matter | Processing of personal data in connection with a read-only AWS cloud optimization assessment delivered by GreenPilot AI. |
| Duration | For the duration of the Pilot Agreement, plus the retention period set out in Section 8. |
| Nature of processing | Collection, storage, analysis, and reporting of AWS account metadata, usage data, billing data, and configuration data. Read-only access only. No modification of customer data or cloud resources. |
| Purpose | To deliver an AWS cloud optimization assessment identifying cost savings, estimated carbon-related emissions, and governance observations. To produce a ranked findings report for review by the Controller. |
| Categories of personal data | — Contact details of the Controller's representative (name, email, company, AWS account ID) submitted via the pilot request form.<br>— AWS resource identifiers, IAM user and role names, and resource tags that may incidentally contain personal data depending on the Controller's naming conventions.<br>— No special category data (Article 9 GDPR) is knowingly processed. |
| Categories of data subjects | The Controller's employees, contractors, or representatives whose identifiers appear in AWS resource names, IAM configurations, or resource tags; and the Controller's designated contact person. |
| Data NOT processed | GreenPilot AI does not access, collect, or process application-level data, database contents, end-user personal data stored within the Controller's AWS workloads, passwords, secrets, or payment card data. |
3. Controller Obligations
The Controller warrants and agrees that:
- It has a lawful basis under GDPR for processing personal data in connection with this service and for engaging GreenPilot AI as a Processor.
- It will provide GreenPilot AI with documented instructions for the processing of personal data. Processing outside those instructions requires prior written agreement.
- It will inform GreenPilot AI promptly of any changes to applicable data protection laws that affect the processing under this DPA.
- It retains administrative control of its AWS account at all times and may revoke GreenPilot AI's access immediately by deleting the IAM role or rotating credentials.
- It is responsible for ensuring that personal data within its AWS environment has been collected lawfully and that data subjects have been informed of processing as required under GDPR.
4. Processor Obligations
4.1 Process only on documented instructions
GreenPilot AI will process personal data only on documented instructions from the Controller, unless required to do so by EU or Portuguese law. GreenPilot AI will inform the Controller before following any such legal requirement unless prohibited from doing so.
4.2 Confidentiality
GreenPilot AI will ensure that persons authorised to process the Controller's data are subject to a duty of confidentiality, whether by contractual obligation or statutory duty.
4.3 Security measures
GreenPilot AI will implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Current measures include HTTPS/TLS encryption in transit, read-only AWS access scope, and no storage of long-term AWS credentials beyond what is required to deliver the service. Full details are set out in the Security page.
4.4 Sub-processors
GreenPilot AI uses the following sub-processors in the delivery of the service. The Controller hereby grants general authorisation for their use, subject to the conditions in this section.
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Website hosting and content delivery | USA (EU adequacy / SCCs apply) |
| Formspree Inc. | Pilot request form submission processing | USA (SCCs apply) |
| Google LLC (Analytics 4) | Optional website analytics — loaded only after visitor consent | USA (SCCs apply) |
GreenPilot AI will notify the Controller of any intended change to sub-processors (addition or replacement) with at least 14 days' notice, giving the Controller the opportunity to object. Any new sub-processor will be subject to the same data protection obligations as set out in this DPA.
4.5 Data subject rights
GreenPilot AI will assist the Controller, by appropriate technical and organisational measures, in responding to requests from data subjects exercising their rights under GDPR (access, rectification, erasure, restriction, portability, objection). Given the nature of the data processed, GreenPilot AI will promptly forward any such request to the Controller where it cannot be resolved without the Controller's involvement.
4.6 Security assistance
GreenPilot AI will assist the Controller in ensuring compliance with its obligations under GDPR Articles 32–36, including security of processing, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
4.7 Personal data breach notification
GreenPilot AI will notify the Controller without undue delay, and no later than 48 hours after becoming aware of a personal data breach involving data processed under this DPA. The notification will include: the nature of the breach, categories and approximate number of data subjects affected, categories and approximate number of records affected, likely consequences, and measures taken or proposed to address the breach.
4.8 Audit and compliance demonstration
GreenPilot AI will provide the Controller with all information necessary to demonstrate compliance with GDPR Article 28 obligations and will allow for and contribute to audits conducted by the Controller or a mandated auditor, with reasonable notice and at the Controller's cost.
5. International Data Transfers
Processing under this DPA takes place primarily within the EU/EEA. To the extent that personal data is transferred to sub-processors located outside the EU/EEA (as listed in Section 4.4), such transfers are made subject to appropriate safeguards under GDPR Chapter V, including Standard Contractual Clauses (SCCs) as adopted by the European Commission.
6. Data Return and Deletion
Upon termination of the Pilot Agreement, or upon written request from the Controller, GreenPilot AI will, at the Controller's choice, delete or return all personal data processed under this DPA, and delete existing copies, unless EU or Portuguese law requires continued storage. GreenPilot AI will confirm in writing that deletion has been completed within 30 days of the termination date.
Pilot assessment reports generated for the Controller remain the property of the Controller and will be returned in full upon request.
7. Liability and Indemnity
Each party will be liable for damage caused by processing that infringes GDPR to the extent that it is responsible for that infringement. GreenPilot AI's liability under this DPA is limited to the fees paid by the Controller under the Pilot Agreement in the 12 months preceding the event giving rise to the claim, except in cases of wilful misconduct or gross negligence.
GreenPilot AI is not liable for processing carried out by the Controller or for breaches that result from the Controller's instructions.
8. Retention
Personal data processed under this DPA will be retained only for as long as necessary to deliver the service and fulfil obligations under this DPA. Contact data submitted via the pilot request form will be retained for a maximum of 24 months from the date of submission. AWS metadata and assessment data will be deleted within 30 days of service termination, unless the Controller requests earlier deletion.
9. Governing Law and Jurisdiction
This DPA is governed by the laws of Portugal. Any dispute arising from this DPA will be subject to the exclusive jurisdiction of the courts of Lisbon, Portugal, without prejudice to the right of either party to seek interim relief in any competent court.
10. Order of Precedence
In the event of conflict between this DPA and the Pilot Agreement, this DPA takes precedence with respect to the processing of personal data. In all other matters, the Pilot Agreement governs.
11. Signatures
By signing below, the Parties agree to the terms of this Data Processing Agreement.
Data Processor
GreenPilot AI
Lisbon, Portugal
Signature
Name and title
Date
Data Controller
[Customer company name]
[Customer address]
Signature
Name and title
Date
To request a signed copy of this DPA or to discuss its terms before onboarding, contact info@greenpilotai.com.