LEGAL

Data Processing Agreement

When you use Elevence AI to process personal data of your customers or end-users, you act as the data controller and NextGen AI Dev Private Limited acts as your processor. This page summarises the standard terms; the executable DPA is available on request.

Last updated 2 May 2026

Applies to web, iOS and Android

This is a working template. Have your legal counsel review and customise the wording before you publish or rely on it in production.

1. Roles

•

Customer (Controller) — the organisation whose account is using Elevence AI.

•

Elevence AI / NextGen AI Dev Pvt Ltd (Processor) — processes personal data only on the customer's documented instructions.

•

Sub-processors — listed in section 4.

2. Subject matter & duration

We process personal data submitted by the customer for as long as the account is active and for 90 days after deletion (backup retention).

3. Nature & purpose of processing

•

Routing prompts and attachments to the AI model the customer selects.

•

Returning, storing, and displaying the AI output.

•

Metering, billing, fraud prevention, abuse moderation.

4. Sub-processors

We use the following categories of sub-processor. A current detailed list is maintained at elevence.ai/subprocessors and we notify customers of additions at least 30 days in advance.

•

Infrastructure — Google Cloud (compute, Cloud Run), Cloudflare (CDN, R2 object storage), Neon (PostgreSQL), MongoDB Atlas, Vercel (web hosting).

•

AI providers — OpenAI, Anthropic, Google, Meta, Mistral, Cohere, Stability, ElevenLabs, Luma, Runway, and others as the customer selects in the model picker.

•

Payments — Stripe, Razorpay, PayPal, Paddle.

•

Email — for transactional sign-in OTPs and receipts.

5. Security

•

TLS 1.2+ in transit.

•

Encryption at rest for all primary data stores.

•

Access controls scoped per organisation; least-privilege staff access.

•

Per-org bcrypt-hashed API keys.

•

See our Security overview at /security for the full controls list.

6. International transfers

Where personal data is transferred outside the EEA / UK we rely on Standard Contractual Clauses. For India-resident data we comply with the Digital Personal Data Protection Act, 2023.

7. Data subject rights

We assist the customer in responding to data-subject requests within 30 days. Customers can self-serve most requests via account settings (export, delete) and the API.

8. Breach notification

We notify affected customers without undue delay — and within 72 hours where required — if we become aware of a personal data breach.

9. Audits

Customers may audit our compliance with this DPA once per 12-month period, on 30 days' written notice, subject to confidentiality and our third-party audit reports being made available where applicable.

10. Request the executable DPA

Email legal@elevence.ai with your organisation name and the contact who will sign. We will return the executable DPA within 5 business days.