3Clouds AI - Data Processing Agreement

1.  Background and Purpose

1.1  The Service Provider provides the 3 Clouds AI platform ("Platform") to the Customer pursuant to the Platform Service Agreement ("Service Agreement"). In providing the Platform, the Service Provider processes personal data on behalf of the Customer.

1.2  This Data Processing Agreement ("DPA") sets out the terms on which the Service Provider processes personal data as a data processor on behalf of the Customer as data controller, in accordance with GDPR Article 28 and Cyprus Data Protection Law 125(I)/2018.

1.3  In the event of conflict between this DPA and the Service Agreement, this DPA prevails in relation to data protection matters.

2.  Definitions

Terms defined in the GDPR and the Service Agreement carry those meanings in this DPA. In addition:

  • "Controller" means the Customer, who determines the purposes and means of processing personal data through the Platform.

  • "Processor" means the Service Provider, ASK Business Solutions Ltd, who processes personal data on behalf of the Controller.

  • "Personal Data" has the meaning in GDPR Article 4(1) and includes the personal data of the Customer's Users, representatives, and any natural persons identifiable in the Customer Data uploaded to the Platform.

  • "Processing" has the meaning in GDPR Article 4(2).

  • "Data Subject" means any identified or identifiable natural person whose personal data is processed through the Platform.

  • "Sub-processor" means any third party engaged by the Processor to process personal data in connection with providing the Platform, as listed in Annex III.

  • "Supervisory Authority" means the Cyprus Commissioner for Personal Data Protection (CPDP), or such other competent authority as applicable.

  • "International Transfer" means any transfer of personal data to a country outside the European Economic Area (EEA).

3.  Scope and Nature of Processing

The details of the processing activities under this DPA are set out in Annex I (Description of Processing). In summary:

  • Purpose: Delivery of the Platform services, including document processing, AI automation, GL posting to Odoo, Review Queue management, VAT compliance output preparation, and reporting.

  • Nature: Collection, storage, analysis, structuring, AI-assisted extraction, automated decision support, transmission to Odoo ERP, and deletion of personal data contained in or derived from Customer Data.

  • Categories of Data Subjects: Customer's employees, directors, and representatives; End Clients' representatives (for Accounting Firm Customers); natural persons appearing on invoices, payroll records, and other financial documents uploaded to the Platform.

  • Categories of Personal Data: Names, contact details, tax identification numbers, financial transaction data, payroll data, identity documents (for KYC/KYB verification).

  • Duration: As set out in Annex I and subject to clause 10 (Retention and Deletion).

4.  Processor Obligations

4.1  Processing only on Documented Instructions

The Processor shall process personal data only on documented instructions from the Controller, which are provided through the Controller's use of the Platform and this DPA. The Processor shall immediately inform the Controller if, in its opinion, an instruction violates applicable data protection law.

4.2  Confidentiality

The Processor shall ensure that all persons authorised to process the personal data are subject to binding confidentiality obligations.

4.3  Security

The Processor shall implement and maintain the technical and organisational measures set out in Annex II (Technical and Organisational Measures) to ensure a level of security appropriate to the risk.

4.4  Sub-processors

The Processor shall not engage any new sub-processor without providing the Controller with at least 30 days' prior written notice, giving the Controller the opportunity to object. The current list of approved sub-processors is set out in Annex III. The Processor ensures that sub-processors are bound by data protection obligations equivalent to those in this DPA.

4.5  Data Subject Rights

The Processor shall assist the Controller, by appropriate technical and organisational measures, in fulfilling the Controller's obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection). The Processor shall forward any Data Subject request received directly to the Controller within 5 business days.

4.6  Assistance with Controller Obligations

The Processor shall assist the Controller in ensuring compliance with the obligations under GDPR Articles 32–36, including: security of processing; notification of personal data breaches; data protection impact assessments; prior consultation with the Supervisory Authority.

4.7  Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware, of any personal data breach involving personal data processed under this DPA. Notification shall include: (a) a description of the nature of the breach; (b) the categories and approximate number of Data Subjects and records affected; (c) likely consequences of the breach; (d) measures taken or proposed to address the breach. This timeline enables the Controller to meet its 72-hour notification obligation to the CPDP under GDPR Article 33.

4.8  Deletion and Return

Upon termination of the Service Agreement, the Processor shall, at the Controller's choice: (a) return all personal data to the Controller in a machine-readable format; and/or (b) securely delete all personal data. The Processor shall confirm in writing when deletion is complete. Retention of personal data beyond termination is permitted only where required by applicable law, in which case the Processor shall notify the Controller of the applicable retention obligation and period.

4.9  Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, on reasonable advance notice (not less than 30 days). Costs of any audit are borne by the Controller unless the audit reveals material non-compliance by the Processor.

5.  Controller Obligations

The Controller warrants that:

  • It has a lawful basis under GDPR Article 6 for each category of personal data it processes through the Platform.

  • It has provided appropriate privacy notices to relevant Data Subjects.

  • It has obtained any necessary consents where consent is the lawful basis.

  • For Accounting Firm Customers: it has appropriate arrangements with its End Clients governing the processing of End Clients' data on the Platform.

  • It will not instruct the Processor to process personal data in a manner that would violate applicable law.

6.  International Data Transfers

6.1  The Processor shall not transfer personal data outside the EEA without: (a) an adequacy decision under GDPR Article 45; (b) appropriate safeguards under GDPR Article 46 (including Standard Contractual Clauses); or (c) an applicable derogation under GDPR Article 49.

6.2  Where personal data is transferred to sub-processors outside the EEA, the Processor ensures that appropriate transfer safeguards are in place. Details of international transfers are set out in Annex III.

7.  Automated Decision-Making

7.1  The Platform performs automated processing of financial documents, including automated GL posting where AI confidence exceeds the configured threshold. This automated posting constitutes automated processing but does not constitute solely automated decision-making producing legal effects concerning natural persons in the sense of GDPR Article 22, as the output is a business accounting entry, not a decision about an individual.

7.2  The Controller is responsible for assessing whether any specific use case on the Platform triggers GDPR Article 22 obligations in relation to its Data Subjects and for ensuring appropriate safeguards are in place.

8.  EU AI Act Compliance

8.1  The Service Provider is a provider of AI systems under Regulation (EU) 2024/1689. The Platform is currently assessed as limited-risk under the EU AI Act, subject to transparency obligations under Article 13.

8.2  The Service Provider shall maintain documentation of the AI systems deployed on the Platform and shall notify the Customer of any material change to the risk classification of those systems.

9.  Contact and Data Protection Officer

Data protection enquiries from the Controller should be directed to:

Data Protection Contact: Stelios Kyranides

ASK Business Solutions Ltd, 10 Iasonos Street, Jason Building, CY-1082 Nicosia

Email: dpo@askbusinesssolutions.com

10.  Term, Termination, and Retention

10.1  This DPA is coterminous with the Service Agreement and terminates automatically when the Service Agreement terminates.

10.2  Obligations under this DPA that are necessary to protect personal data survive termination.

10.3  The Processor shall retain personal data for no longer than necessary for the purposes of the processing. Specific retention periods are set out in Annex I.

11.  Governing Law

This DPA is governed by the laws of the Republic of Cyprus and the GDPR as applied in Cyprus. Any disputes shall be subject to the jurisdiction of the courts of the Republic of Cyprus.

Annex I — Description of Processing

Each processing activity is described by its Purpose, Categories of Personal Data, Categories of Data Subjects, and Retention Period.

  • User account management
    Purpose: Platform access and authentication
    Categories of Personal Data: Name, email, phone, role, login logs
    Categories of Data Subjects: Customer employees and representatives
    Retention Period: Duration of subscription + 1 year

  • KYC/KYB verification
    Purpose: Identity verification for onboarding compliance
    Categories of Personal Data: Government ID, facial image (liveness), business registration, director details
    Categories of Data Subjects: Admin User, Active Users, company representatives
    Retention Period: 7 years from onboarding (regulatory minimum)

  • Document processing
    Purpose: AI extraction, classification, GL posting
    Categories of Personal Data: Names, TINs, VAT numbers, bank details, amounts appearing on uploaded documents
    Categories of Data Subjects: Suppliers, customers, employees named in financial documents
    Retention Period: 7 years from document date (Cyprus tax law requirement)

  • Payroll processing
    Purpose: Payroll journal generation and reporting
    Categories of Personal Data: Employee name, tax code, salary, social insurance number
    Categories of Data Subjects: Employees of the Customer or End Client
    Retention Period: 7 years

  • Audit trail
    Purpose: Regulatory compliance and dispute resolution
    Categories of Personal Data: User ID, action taken, timestamp, document reference, AI confidence score
    Categories of Data Subjects: Platform Users
    Retention Period: 7 years

  • Support communications
    Purpose: Technical support
    Categories of Personal Data: Name, email, and any personal data shared in support request
    Categories of Data Subjects: Customer representatives
    Retention Period: 3 years


Annex II — Technical and Organisational Security Measures

The following measures are implemented by the Service Provider. A full description is contained in the 3 Clouds AI Security Policy, published on the Platform website. Each measure category is listed with its implementation.

  • Encryption in transit: TLS 1.2 or higher on all data in transit between the Platform, users, and sub-processors.

  • Encryption at rest: AES-256 encryption for all data stored on AWS infrastructure.

  • Access controls: Role-based access control (RBAC). Principle of least privilege. MFA required for all Admin Users.

  • Infrastructure: AWS cloud infrastructure with EU-region data residency for primary Customer Data.

  • Logical tenant isolation: Strict multi-tenant data isolation. No data from one Customer tenant is accessible to another.

  • Vulnerability management: Annual penetration testing by an independent third party. Results reviewed and remediated within defined SLAs.

  • Incident response: Documented incident response procedure. Designated security contact. 48-hour Processor breach notification to Controller.

  • Personnel: Background checks on personnel with access to Customer Data. Regular data protection training.

  • Backup and recovery: Daily automated backups. Recovery time objective (RTO): [TBC by Akash]. Recovery point objective (RPO): [TBC by Akash].

  • Audit logging: Immutable audit logs of all AI-automated postings, User actions, and system events. Log retention: 7 years.

  • ISO 27001: Gap analysis commenced May 2026. Certification target: Q1 2027.

Annex III — Approved Sub-processors

Each sub-processor is listed with its Role, Location, and Transfer Mechanism.

  • Amazon Web Services (AWS)
    Role: Cloud infrastructure; primary data storage and compute
    Location: EU (eu-west-1, Ireland)
    Transfer Mechanism: Adequacy (EU region — no transfer outside EEA)

  • Odoo S.A. / Odoo.sh
    Role: ERP hosting and GL posting
    Location: Belgium (EEA)
    Transfer Mechanism: EU data residency

  • SaltEdge (PSD2)
    Role: Open banking / bank statement feeds
    Location: EU
    Transfer Mechanism: EU data residency — confirm with SaltEdge DPA

  • Anthropic, PBC
    Role: Large language model inference (AI document processing)
    Location: United States
    Transfer Mechanism: PENDING — SCC or alternative mechanism required; EDPB April 2025 ruling applies

  • Langfuse
    Role: AI pipeline observability and logging
    Location: EU (confirm)
    Transfer Mechanism: To be confirmed — DPA required

  • Veriff / iDenfy (TBC)
    Role: KYC/KYB identity verification
    Location: EU (confirm per provider)
    Transfer Mechanism: EU data residency required — confirm per selected provider DPA

  • Google Workspace
    Role: Transactional email notifications
    Location: EU
    Transfer Mechanism: Adequacy (EU region — no transfer outside EEA)