This Data Processing Agreement ("DPA") supplements the EULA and governs the processing of personal data by Imperial Eminence Cyberguard Corporation ("Processor", "IECC") on behalf of the User ("Controller") where the User is subject to data protection law that requires a DPA with software processors.
Architecture Note. The Ivory Index operates on a local-first architecture. To the extent the Company processes Personal Data on behalf of the Customer, that processing is limited to the narrow circumstances described in Article II. The Processor cannot undertake to "return" or "delete" data it has never received; obligations in this DPA are scoped accordingly.
Article II — Scope of Processing
The Processor processes Personal Data on behalf of the Controller only to the extent:
Required to deliver a user-initiated feature that involves network communication (e.g., institution database queries)
Required by applicable law, court order, or regulatory authority
Required for security incident response upon User request
Expressly authorised in writing by the Controller
Profile data stored at ~/.theivorry/profiles/{"{id}"}/ resides entirely on the Controller's device; the Processor does not have access to, process, or store such data. Data categories listed in Schedule 1 are listed for transparency and compliance with DPA formality requirements; their inclusion is not an admission that the Processor processes them.
Article III — Processor Obligations
To the extent processing occurs under Article II, the Processor shall:
Process Personal Data only on documented instructions of the Controller
Ensure persons authorised to process data are bound by appropriate confidentiality obligations
Implement appropriate technical and organisational measures as set out in Schedule 2
Assist the Controller in responding to data subject rights requests to the extent technically possible
Notify the Controller without undue delay upon becoming aware of a personal data breach affecting data actually processed by the Processor
Not engage sub-processors without prior written authorisation of the Controller
Article IV — Controller Obligations
The Controller warrants that it has a valid legal basis for any personal data provided to the Processor, has provided all required notices to data subjects, and has authority to enter into this DPA.
Article V — Data Transfers
To the extent the Processor transfers Personal Data outside the EEA in connection with Article II processing, such transfers shall be covered by Standard Contractual Clauses (EU Commission Decision 2021/914) or another appropriate transfer mechanism under applicable data protection law.
Article VI — Term & Deletion
This DPA remains in effect for the duration of the EULA. Upon termination, the Processor shall delete or return any Personal Data it has actually received and processed within 30 days, subject to legal retention obligations. The Processor has no obligation to delete data it has never received or processed.
Schedule 1 — Data Categories (listed for transparency, not admission of processing):
Name and contact details; academic history and qualifications; target institution preferences; AI interaction logs (local only); device identifiers (where relevant to security).
Schedule 2 — Technical & Organisational Measures:
Local-first architecture (data remains on User device); access controls; encrypted local storage recommendations; security review processes; incident response procedures.
Drafted with the assistance of
Voidlex
Imperial Legal Intelligence · IECC Suite · v2.6
This document was prepared with the assistance of Voidlex, a legal document
drafting tool developed by Imperial Eminence Cyberguard Corporation (IECC).
Voidlex is a drafting aid only. It does not constitute legal advice, does not
practice law, and does not guarantee the legal enforceability of this document in any
jurisdiction. Users are strongly encouraged to seek independent legal counsel before
relying on this document for commercial, regulatory, or enforcement purposes.
Governing Law — All DisputesCayman Islands · Grand Court of the Cayman Islands
