Data Processing Addendum
1. Definitions
Capitalised terms used here have the meanings given in the GDPR, the UK GDPR, or applicable US state privacy laws. "Customer" means the entity that has subscribed to Perceptive's service; "Customer Data" means personal data the Customer transmits to or processes through the service.
2. Processing of personal data
Perceptive acts as a data processor on behalf of the Customer, who is the controller. Perceptive will process Customer Data only on the documented instructions of the Customer, including with regard to transfers to a third country, unless required to do so by law.
Each Perceptive employee with access to Customer Data is bound by appropriate confidentiality obligations, including post-employment.
3. Security measures
Perceptive maintains technical and organisational measures appropriate to the risk, including:
- Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access controls, principle of least privilege, mandatory MFA
- Tenant isolation with logical and, where applicable, physical separation
- Continuous vulnerability scanning and annual third-party penetration testing
- SIEM-based monitoring with 24×7 on-call response
- SOC 2 Type II and ISO 27001 certified information security programme
- Documented business continuity and disaster recovery plans, tested annually
4. Sub-processors
The Customer authorises Perceptive to engage the sub-processors listed in Section 10 of this DPA, and any future sub-processors notified to the Customer with at least 30 days' prior notice. The Customer may object on reasonable grounds; if the objection cannot be resolved within 30 days, the Customer may terminate the relevant order form with a pro-rata refund.
5. Data subject rights
Where a data subject contacts Perceptive directly with a request relating to Customer Data, Perceptive will forward the request to the Customer without undue delay. Perceptive will provide reasonable assistance to enable the Customer to respond to data-subject requests, including access, rectification, erasure, restriction, portability and objection.
6. Personal data breach notification
Perceptive will notify the Customer without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting Customer Data. Notification will describe the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed to mitigate harm.
7. International transfers
For transfers of personal data from the EEA, the UK, or Switzerland to a country without an adequacy decision, the parties incorporate the relevant Standard Contractual Clauses by reference, with Perceptive as the data importer and the Customer as the data exporter. The UK Addendum and the Swiss FDPIC amendments apply where relevant.
8. Audit and assurance
Perceptive will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA, including SOC 2 Type II reports, ISO 27001 certificates, and penetration test summaries, under reasonable confidentiality terms. The Customer may, on 30 days' written notice and no more than once a year, conduct an audit through an independent auditor, at the Customer's expense.
9. Return and deletion of data
On termination of the service, Perceptive will, at the Customer's choice, return or delete all Customer Data within 90 days, unless retention is required by law. Backup copies are deleted on the standard 35-day rolling cycle.
10. Current sub-processors
As of 22 May 2026, Perceptive uses the following sub-processors:
- Amazon Web Services, Inc. — cloud infrastructure (US, EU, UK)
- Google Cloud LLC — cloud infrastructure (US, EU)
- OpenAI OpCo, LLC — frontier LLM API (US; zero-data-retention enabled)
- Anthropic, PBC — frontier LLM API (US; zero-data-retention enabled)
- Datadog, Inc. — operational monitoring (US, EU)
- Twilio Inc. — telephony and SMS (US, EU)
- Stripe, Inc. — payments (Customer billing only)
To subscribe to sub-processor change notifications, email dpa@perceptive.ai.