Ensoul

Data Processing Agreement

Last updated: March 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Ensoul LLC ("Processor," "Ensoul," "we," or "us") and the entity or individual agreeing to these terms ("Controller," "Customer," "you," or "your").

This DPA applies where Ensoul processes personal data on behalf of the Customer in the course of providing the Service, and where such processing is subject to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, or other applicable data protection legislation.

1. Definitions

Unless otherwise defined herein, capitalized terms have the meanings given in the GDPR or the Terms of Service. For the purposes of this DPA:

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Ensoul on behalf of the Customer through the Service.
  • "Processing" means any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
  • "Sub-processor" means any third party engaged by Ensoul to process personal data on behalf of the Customer.
  • "Data Breach" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data approved by the European Commission.

2. Roles and Responsibilities

2.1 Controller and Processor

The Customer is the Data Controller and determines the purposes and means of processing personal data through the Service. Ensoul is the Data Processor and processes personal data solely on behalf of and in accordance with the Customer's documented instructions.

2.2 Customer Obligations

The Customer is responsible for:

  • Ensuring a lawful basis for processing personal data through the Service (e.g., consent, legitimate interest)
  • Providing data subjects with required privacy notices
  • Ensuring that personal data provided to Ensoul is accurate and up to date
  • Complying with data subject rights requests and informing Ensoul when assistance is required
  • Assessing whether the use of synthetic personas based on real personal data requires a Data Protection Impact Assessment (DPIA)

2.3 Ensoul Obligations

Ensoul shall:

  • Process personal data only on documented instructions from the Customer, unless required by applicable law
  • Ensure that persons authorized to process personal data are subject to confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Customer in responding to data subject rights requests
  • Assist the Customer with DPIAs and prior consultations with supervisory authorities where required
  • Notify the Customer of any Data Breach without undue delay
  • Delete or return personal data upon termination of the Service, at the Customer's election
  • Make available information necessary to demonstrate compliance with this DPA

3. Scope of Processing

Subject MatterProvision of the Ensoul personality simulation platform as described in the Terms of Service.
DurationFor the term of the Customer's subscription, plus the data retention period specified in the Terms of Service (30 days post-termination).
Nature and PurposeStorage and processing of Customer-provided data for the purpose of domain configuration, persona creation, chat inference, simulation execution, memory storage, and related platform functionality.
Categories of Data SubjectsCustomer employees and authorized users; end users of Customer's applications (if applicable); individuals whose data may be input by the Customer for persona modeling purposes.
Types of Personal DataAccount data (name, email); usage data (API logs, session data); any personal data the Customer chooses to input into domain configurations, persona definitions, or chat interactions.

Note: Synthetic persona data (personality vectors, AI-generated memories, simulated conversations) is not personal data unless the Customer specifically inputs personal data relating to identifiable individuals. See our Privacy Policy Section 3 for details.

4. Sub-processors

4.1 Authorized Sub-processors

The Customer authorizes Ensoul to engage the following sub-processors for the processing of personal data:

Sub-processorPurposeLocation
Google Cloud Platform (GCP)Cloud infrastructure, database hosting, computeUnited States (us-west1)
Anthropic (default for managed plans)LLM inference for persona response generationUnited States
StripePayment processing and billingUnited States
SentryError monitoring and performance trackingUnited States

4.2 BYOK Sub-processors

When Customer elects to use its own API credentials for third-party AI model providers ("Bring Your Own Key" or "BYOK"), Customer acknowledges that such third-party providers process Customer Data under Customer's direct contractual relationship with such providers. In BYOK mode:

  • Ensoul acts as a processor solely for the purpose of formatting, transmitting, and receiving data from the Customer's chosen provider on Customer's behalf
  • The Customer's AI Model Provider is the Customer's direct service provider or sub-processor, not a sub-processor of Ensoul
  • Ensoul's processing obligations under this DPA apply to its orchestration activities only and do not extend to processing performed by Customer's chosen provider
  • Customer is responsible for reviewing and agreeing to its AI Model Provider's terms of service, privacy policy, data processing practices, and data retention policies
  • Ensoul makes no representations regarding any third-party AI Model Provider's data security, privacy practices, regulatory compliance, or GDPR adequacy

4.3 Sub-processor Changes

Ensoul shall notify the Customer at least 30 days before adding or replacing a sub-processor, providing the Customer an opportunity to object. Notification will be sent to the email address associated with the Customer's account.

If the Customer objects to a new sub-processor on reasonable data protection grounds, Ensoul will make commercially reasonable efforts to provide an alternative or allow the Customer to terminate the affected Service without penalty.

4.4 Sub-processor Obligations

Ensoul shall ensure that each sub-processor is bound by data protection obligations no less protective than those in this DPA. Ensoul remains liable for the acts and omissions of its sub-processors.

5. International Data Transfers

5.1 Transfer Mechanisms

Where personal data is transferred from the EEA, UK, or Switzerland to the United States or other countries outside the EEA, Ensoul relies on:

  • Standard Contractual Clauses (SCCs). The EU Commission-approved SCCs (Module 2: Controller to Processor) are incorporated into this DPA by reference. The Customer acts as the data exporter and Ensoul acts as the data importer.
  • EU-US Data Privacy Framework. Where applicable, reliance on sub-processor certifications under the EU-US Data Privacy Framework.
  • UK Addendum. For UK transfers, the International Data Transfer Addendum to the EU SCCs, as issued by the UK Information Commissioner's Office, applies.

5.2 Data Residency

By default, Customer data is stored in the United States (Google Cloud Platform, us-west1 region). Custom plan customers may negotiate alternative data residency arrangements, subject to availability and additional terms.

Regardless of storage location, Ensoul applies the same technical and organizational security measures to all data.

6. Security Measures

Ensoul implements and maintains appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

6.1 Technical Measures

  • Encryption in transit using TLS 1.2 or higher
  • Encryption at rest using AES-256
  • Secure credential storage with industry-standard hashing algorithms
  • Network segmentation and firewall protections
  • Automated vulnerability scanning and dependency updates
  • Secure API authentication using API keys and JWT tokens
  • CSRF protection on all state-changing operations

6.2 Organizational Measures

  • Role-based access controls with the principle of least privilege
  • Confidentiality agreements for all personnel with access to personal data
  • Security incident response procedures
  • Regular security reviews and updates
  • Infrastructure hosted on Google Cloud Platform (SOC 2 Type II, ISO 27001 certified)

7. Data Breach Notification

7.1 Notification Timeline

Ensoul shall notify the Customer of any Data Breach without undue delay, and in any event within 72 hours of becoming aware of the breach. Notification will be sent to the email address associated with the Customer's account and, where available, through the Service's notification system.

7.2 Notification Content

The breach notification shall include, to the extent available:

  • The nature of the breach, including categories and approximate number of data subjects and records affected
  • The likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate its effects
  • Contact information for the Ensoul point of contact handling the incident

7.3 Cooperation

Ensoul shall cooperate with the Customer and provide reasonable assistance in investigating the breach, fulfilling any notification obligations to supervisory authorities and data subjects, and mitigating the effects of the breach.

8. Data Subject Rights

Ensoul shall assist the Customer in fulfilling its obligations to respond to data subject requests under applicable data protection law, including requests for access, rectification, erasure, restriction, portability, and objection.

If Ensoul receives a data subject request directly, we will promptly redirect the data subject to the Customer and notify the Customer of the request, unless legally prohibited from doing so.

The Customer may use the Service's data export and deletion features to respond to most data subject requests. For requests requiring Ensoul's assistance, contact support@ensoul-ai.com.

9. Data Deletion Upon Termination

Upon termination of the Service or upon the Customer's written request:

  • Export period. The Customer has 30 days following termination to export their data through the Service's export functionality or by requesting an export from Ensoul.
  • Deletion. After the 30-day export period, Ensoul will delete all personal data from active systems within 30 additional days (60 days total from termination).
  • Backup purge. Personal data in backups will be overwritten through the normal backup rotation cycle, not to exceed 90 days from deletion of active data.
  • Legal retention. Ensoul may retain personal data to the extent required by applicable law (e.g., billing records for tax purposes), in which case the data will be isolated and protected until deletion is possible.

Upon request, Ensoul will provide written certification of data deletion.

10. Audits and Compliance

Ensoul shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer.

  • Audit requests must be made with at least 30 days' written notice
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt Ensoul's operations
  • The Customer bears the cost of any audit, unless the audit reveals a material breach by Ensoul
  • Ensoul may satisfy audit obligations by providing relevant certifications, audit reports, or compliance documentation (e.g., SOC 2 reports)

11. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of data protection law to the extent that such limitation is not permitted under applicable law.

12. Term and Termination

This DPA takes effect when the Customer agrees to the Terms of Service and continues for the duration of the Customer's use of the Service. It automatically terminates when all personal data has been deleted or returned in accordance with Section 9.

Provisions relating to data deletion, audit rights, liability, and cooperation with supervisory authorities survive termination of this DPA.

13. Contact

For questions about this Data Processing Agreement or to exercise any rights under this DPA, contact us: