Data Processing Agreement

Last updated: March, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Eliot AI Inc. ("Processor", "we", "us") and the entity agreeing to these terms ("Controller", "you", "your") for the provision of the Eliot AI platform and related services (the "Services").

This DPA applies when we process personal data on your behalf in connection with the Services. Terms not defined here have the meanings given in the General Data Protection Regulation (EU) 2016/679 ("GDPR") or the UK GDPR, as applicable.

1. Roles

You are the Controller. You determine the purposes and means of processing personal data. We are the Processor. We process personal data only on your documented instructions in connection with providing the Services.

2. Scope of Processing

We process personal data as necessary to provide compliance investigation services, including KYB and AML analysis.

Categories of data subjects: Directors, shareholders, beneficial owners, and other individuals referenced in corporate filings and compliance documents provided by or on behalf of the Controller; and authorized users of the Services.

Categories of personal data: Names, job titles, email addresses, corporate roles, ownership interests, identification numbers, and any personal data contained in documents uploaded to the platform by the Controller.

Processing activities: Document parsing and analysis using AI models, entity extraction, ownership mapping, compliance report generation, vector embedding creation for search and retrieval, and secure storage of uploaded documents and derived outputs.

Duration: Processing continues for the term of the agreement between the parties and for 90 days following termination to allow data retrieval, after which all personal data is securely deleted.

3. Controller Instructions

We process personal data only in accordance with your documented instructions, which include the terms of this DPA and your use of the Services. If we believe an instruction infringes applicable data protection law, we will notify you promptly.

4. Confidentiality

All personnel authorized to process personal data are bound by confidentiality obligations. Access to personal data is restricted to personnel who require it to perform the Services.

5. Security Measures

We implement appropriate technical and organizational measures to protect personal data, including:

  • Encryption at rest (AES-256) and in transit (TLS 1.2+).

  • Multi-factor authentication enforced across all systems.

  • Role-based access controls following the principle of least privilege.

  • Web application firewall protection on public-facing endpoints.

  • Continuous threat monitoring via AWS GuardDuty.

  • Comprehensive audit logging via AWS CloudTrail.

  • Automated vulnerability scanning via AWS Inspector.

6. Subprocessors

We use subprocessors to deliver the Services. A current list of subprocessors, including their categories and purposes, is maintained at trust.delve.co/eliot-ai/subprocessors. We will notify you before engaging any new subprocessor by updating the subprocessors page. If you object to a new subprocessor, you may terminate the affected Services by providing written notice within 30 days of the update. All subprocessors are bound by written agreements imposing data protection obligations no less protective than those in this DPA.

7. International Data Transfers

Personal data may be transferred to and processed in the United States. Where data is transferred outside the UK or EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and the UK International Data Transfer Addendum, as applicable. Supplementary measures include encryption in transit and at rest, and contractual commitments requiring zero data retention on third-party AI model providers.

You may request a copy of the applicable transfer safeguards by contacting privacy@meeteliot.com.

8. Data Subject Rights

We will assist you in responding to requests from data subjects exercising their rights under applicable data protection law, including rights of access, rectification, erasure, restriction, portability, and objection. We will notify you promptly if we receive a request directly from a data subject and will not respond to such requests without your prior authorization unless required by law.

9. Data Breach Notification

In the event of a personal data breach, we will notify you without undue delay and no later than 72 hours after becoming aware of the breach. Notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.

10. Data Protection Impact Assessments

We will provide reasonable assistance to you in conducting data protection impact assessments and prior consultations with supervisory authorities, to the extent required under applicable data protection law and to the extent such assistance relates to our processing of personal data on your behalf.

11. Audit Rights

Upon reasonable written notice, you may audit our compliance with this DPA. Audits will be conducted no more than once per year, during business hours, and subject to reasonable confidentiality obligations. Where available, we will provide relevant certifications or audit reports (such as SOC 2) as an alternative to on-site audits.

12. Data Deletion and Return

Upon termination of the Services, or upon your written request, we will delete or return all personal data processed on your behalf within 90 days, unless retention is required by applicable law. We will confirm deletion in writing upon request.

13. AI-Specific Provisions

AI models used in the Services (via AWS Bedrock and OpenAI API) operate under zero data retention configurations. No personal data processed through the platform is used to train, fine-tune, or improve third-party AI models. AI-generated outputs (compliance reports, entity extractions, ownership maps) are derived works produced for the Controller and are treated as Controller data.

14. Governing Law

This DPA is governed by the laws of the State of Delaware, United States, except where applicable data protection law requires otherwise. For processing subject to the GDPR, the provisions of the GDPR shall prevail in the event of any conflict.

15. Contact

For questions about this DPA or to exercise any rights under it:

Eliot AI Inc.

  • Email: privacy@meeteliot.com

  • Data Protection Officer: damian@meeteliot.com

Where analysts
become agents

Eliot Ness (1903-1957) was a federal agent who stood for integrity when corruption ruled the streets. By following the money, he brought down Al Capone and redefined how the world fights organized crime. Eliot AI continues his legacy, empowering analysts to fight financial crime with intelligence that never sleeps.
