Vol. 1.0 · 2026-04-27
DPA
Read · Export · Delete · Walk away

The 80-word version

This Data Processing Agreement (DPA) governs how Eleven11 processes Personal Data on your behalf when you use our products. It supplements the Terms of Service. By using a product that processes Personal Data on your behalf, you accept this DPA on behalf of the Customer entity you represent.

Definitions

These terms are used throughout this DPA with the meanings given below. Where a term also appears in a statute, the statutory definition fills any gap not covered here.

Controller
The person or entity that decides why and how Personal Data is processed. In this DPA, Customer is the Controller (and the Data Fiduciary under the DPDP Act) for data they entrust to Eleven11.
Processor
The person or entity that processes Personal Data on the Controller’s behalf and only on its documented instructions. Eleven11 acts as the Processor (Data Processor under the DPDP Act) when running the Subscription Services.
Personal Data
Any information relating to an identified or identifiable natural person (a “Data Subject”) that is processed in connection with the Subscription Services. This includes name, email address, account identifiers, OAuth tokens, content artifacts tied to an individual, and any other information that can be linked back to a living person.
Data Subject
A natural person whose Personal Data is processed under this DPA — for example, Customer’s authorized users, their prospects reached via Outreach, or their audience reached via Studio.
Subprocessor
Any third party that Eleven11 engages to process Personal Data on Customer’s behalf in connection with the Subscription Services. The current list lives at /subprocessors.
Personal Data Breach
A security incident that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. Not every security event is a Personal Data Breach — we investigate to confirm scope before triggering the notification obligations in this DPA.
Standard Contractual Clauses
The EU Commission’s model clauses for international transfers of personal data (Decision (EU) 2021/914), adopted as the legal mechanism for cross-border transfers from the EEA and UK. Abbreviated “SCCs” in this DPA.

Roles

When you use an Eleven11 product to process data about your users, prospects, or any other people, you are the Data Controller — you decide what gets collected, for what purpose, and for how long. Eleven11 is the Processor: we follow your documented instructions and don’t do anything with that data on our own initiative.

A small number of flows run the other way. Aggregated, cross-customer intelligence in Discovery (for example, CVE patterns observed across multiple authorized scan targets) is processed by Eleven11 as an independent Controller — individual customer data is not re-identified in that layer, and that processing is described in the Privacy Policy and the Discovery transparency card.

If you’re accepting this DPA on behalf of a Customer entity, you confirm that you have authority to bind that entity.

Subject matter, duration, nature, purpose

Subject matter. The subject matter of this DPA is the processing of Personal Data that Customer provides to, or causes to flow through, the Eleven11 Subscription Services Customer has subscribed to.

Duration. Processing continues for the term of Customer’s subscription, plus any post-termination period during which Eleven11 retains data under documented retention schedules (see /data-deletion and Annex I below). On termination, the deletion and return obligations in the “Deletion or return on termination” section below apply.

Nature of processing. Eleven11 performs automated processing — storing, retrieving, transmitting, transforming, and where Customer instructs it, publishing or deleting — Personal Data in the course of delivering the Services. We do not carry out manual review of Customer Personal Data except where Customer specifically requests support access or an incident requires investigation.

Purpose. Processing is for the sole purpose of delivering the Subscription Services to Customer in accordance with the Master Agreement or Terms of Service and Customer’s documented instructions.

Categories of data subjects and types of personal data

The data subjects whose Personal Data Eleven11 may process on Customer’s behalf depend on which products Customer uses:

  • Customer’s authorized users — across all products. Account data (name, email, authentication credentials), session state, usage telemetry, and content artifacts tied to their account.
  • Customer’s prospects — in Outreach. Names, email addresses, company information, and response signals for prospects Customer has a lawful basis to contact.
  • Customer’s audience — in Studio. Reach metadata (impressions, engagement signals) returned by connected social platforms. This data comes from Meta’s and Google’s APIs on behalf of the Customer; Eleven11 does not independently profile the audience.
  • Third-party individuals named in scan targets — in Dhara and Discovery. Names, email addresses, and contact information surfaced by authorized security scans of Customer’s systems (for example, in certificate details or whois records).

The types of Personal Data processed per product are set out in detail in Annex I below. Each product’s full transparency card at /trust includes the per-class breakdown of data, lawful basis, retention window, and deletion path.

Subprocessor authorization

By accepting this DPA, Customer gives Eleven11 general written authorization to engage the Subprocessors listed at /subprocessors. That list includes each Subprocessor’s name, purpose, data categories it touches, the region it processes in, and a link to its own DPA where applicable.

Before we add a new Subprocessor — or replace an existing one with a different entity — we give Customer 30 days prior written notice (by updating the Subprocessors page and emailing account holders). Customer can object to the addition within that window.

If Customer objects and we cannot reasonably accommodate the objection — for example because the new Subprocessor is required to operate a product Customer is using — Customer may terminate the affected Subscription Service without penalty, prorated to the remaining prepaid term.

We require each Subprocessor to be bound by data protection obligations at least as protective as those in this DPA. We remain responsible to Customer for the Subprocessors’ compliance.

Data subject rights

When a Data Subject exercises a right over their personal data — asking for access, requesting deletion, requesting a portable copy, or objecting to processing — and Customer is the Controller responsible for responding, Eleven11 assists Customer in honoring that request.

Practically, that means:

  • Access. We make Customer’s data available in a human-readable or machine-readable form on Customer’s request, so Customer can provide it to the Data Subject.
  • Correction. We update or correct Personal Data on Customer’s documented instruction.
  • Deletion (erasure). We delete Personal Data — or mark it for deletion at the end of the next scheduled purge cycle — on Customer’s instruction, subject to any legal hold Customer itself is required to maintain.
  • Portability. We export Customer’s Personal Data in a structured, commonly-used format (JSON or CSV) on request.

We acknowledge Customer’s assistance requests within 30 days. If a request is technically complex, we tell Customer before the window closes and give a revised timeline.

Security measures

Eleven11 applies the following technical and organizational security measures to all Personal Data processed under this DPA:

  • Encryption at rest. OAuth tokens and customer secrets are encrypted at rest with service-managed keys. Keys are rotated on a documented cadence. We don’t store secrets in code or baked into images.
  • Encryption in transit. All data in transit is protected by TLS. There is no unencrypted path for Personal Data between the browser and the server, or between our services.
  • HMAC-signed inter-service traffic. Services on our internal network authenticate to each other via HMAC signatures. We don’t treat the internal network as implicitly trusted.
  • Signed deploys. Production images are built and signed in CI, pushed to a private container registry, and deployed over SSH. There is no manual “copy files up” step in the production path.
  • Audit-logged admin operations. Administrative actions on customer data are audit-logged with timestamp and actor.
  • No shared LLM tenancy by default. When Eleven11 products use a large language model, each Customer’s content goes to a separate context window. Cross-customer leakage paths are part of our threat model. BYOK (bring your own key) is available for customers who want their content to transit their own LLM credentials, not ours.

The full security architecture is published at /security. Annex II of this DPA incorporates that page by reference.

Personal Data Breach notification

If Eleven11 confirms a Personal Data Breach affecting Customer’s data, we notify Customer within 72 hours of that confirmation — not 72 hours from when we first noticed something anomalous, but 72 hours from when we have confirmed that a breach of Personal Data has occurred.

The notification we send will tell you:

  • What happened. The nature of the breach — what data was affected, the categories involved, and the approximate number of Data Subjects and records.
  • Likely consequences. What risks the breach creates for the Data Subjects whose data was affected.
  • What we’ve done. The steps we’ve taken to contain the breach and reduce its impact.
  • What you should do. Practical steps Customer may want to take — for example, notifying their own supervisory authority or the affected Data Subjects.

If we don’t have every piece of information within the 72-hour window, we send what we have and follow up as we learn more. We do not hold the initial notification waiting for a complete picture.

Eleven11 also notifies supervisory authorities where law requires it (India: Data Protection Board; EU/UK: relevant DPA within 72 hours; US: applicable state attorneys general).

International transfers

Eleven11’s default infrastructure runs in the EU — Hetzner Germany (eu-de) and Hetzner Finland (eu-fi). For most Customers and most products, Personal Data stays in the EU throughout its lifecycle on Eleven11’s systems.

Some processing flows necessarily involve non-EU endpoints:

  • Google OAuth ingress — when Customer connects a Google account, the OAuth handshake routes through Google’s endpoints, which may be in any region Google operates.
  • Meta publish (Studio) — publishing content to Meta’s platforms routes through Meta’s API infrastructure, primarily US-based.
  • GitHub (source hosting) — source code and CI artifacts are hosted on GitHub (US). This path does not involve Personal Data in production customer records.

For EEA and UK Customers, cross-border transfers in the first two cases above rely on the Standard Contractual Clauses (SCCs), Module 2, incorporated into this DPA. Where Customer is itself a Processor, Module 3 applies.

For Indian Customers, transfers to non-listed countries are governed by DPDP Act §16. We do not transfer Personal Data to countries outside the approved list without Customer’s explicit instruction.

Audit rights

Customer has the right to audit Eleven11’s compliance with this DPA. The rules for how that works:

  • Frequency. Once per calendar year, unless Customer has reasonable grounds to believe a breach of this DPA has occurred, in which case an additional audit is permitted.
  • Notice. Customer gives Eleven11 at least 30 days written notice before the audit start date.
  • Scope. The audit is scoped to Customer’s Personal Data and the Subscription Services Customer uses. It does not extend to other Customers’ data or to systems not involved in processing Customer’s data.
  • Confidentiality. The auditor is bound by an NDA covering Eleven11’s non-public information and other Customers’ data. Eleven11 may reject an auditor who is a direct competitor.
  • Cost. Customer bears the cost of the audit. If the audit reveals a material breach of this DPA by Eleven11, we cover the reasonable cost of that specific audit.

In lieu of a full audit, Eleven11 will respond to Customer questionnaires and provide supporting documentation (certifications, penetration test summaries, policy excerpts) where available and not commercially sensitive.

Deletion or return on termination

When a Subscription Service terminates — whether at Customer’s request, at expiry, or on Eleven11’s termination for cause — Customer has a choice: we delete Customer’s Personal Data or we return it. Customer makes the election in writing within the 30-day window following termination.

Deletion. Active records are deleted within 30 days of termination. Backup copies are purged on the next backup rotation, which runs on a 90-day cycle — so backup copies are gone within 90 days. See /data-deletion for the per-flow detail.

Return. We export Customer’s Personal Data in a structured, commonly-used format (JSON or CSV, depending on the product) and make it available for secure download. The export window is 30 days from termination.

Retention exceptions. Some data may be retained beyond these windows where Eleven11 has a documented legal obligation — for example, audit logs under applicable financial or security law, or Dhara engagement records retained for 7 years under contractually or legally required legal-hold periods. We document these exceptions in the relevant transparency cards at /trust.

After the deletion or return is complete, Eleven11 provides written confirmation to Customer.

Liability

Each party’s liability under this DPA — to the other party and, where applicable, to Data Subjects — is governed by and counts toward the aggregate liability cap set out in the Master Agreement or Terms of Service between the parties. If there is no separate written agreement, the liability provisions of the Terms of Service apply.

Where applicable data protection law gives a Data Subject a direct claim against Eleven11 for losses caused by Eleven11’s non-compliance with this DPA, those rights are not limited by the liability cap above to the extent that the law does not permit such limitation. In all other cases — claims between Customer and Eleven11 arising out of this DPA — the cap applies.

Annex I — Processing details (per product)

The table below summarizes the processing details for each Eleven11 product. The Categories column lists the data classes processed; Regions lists the processing regions; the link takes you to the full transparency card, which includes the lawful basis, retention window, OAuth scopes, and deletion path for every data flow in that product.

  • Studio. Carousel and short-form content creation, with optional one-click publish to connected social channels. Categories: account, content-artifact, oauth-token. Regions: eu-de, eu-fi. Full detail at /trust/studio.
  • Dhara. Audit engine that scans systems you own or are explicitly authorized to test, producing structured reports and an intelligence knowledge graph. Categories: audit-subject, operational-telemetry. Regions: eu-de, eu-fi, in. Full detail at /trust/dhara.
  • Cal. Calendar sync hub. Connects Google Calendar (and other calendars on the roadmap) and synthesizes availability across surfaces. Categories: oauth-token, calendar. Regions: eu-de, eu-fi. Full detail at /trust/cal.
  • Architect. Workspace canvas for sessions, asks, proposals, and matter management. Categories: matter-content, content-artifact. Regions: eu-de, eu-fi. Full detail at /trust/architect.
  • Manch. Multi-tenant canvas / collaboration surface. Tenants invite collaborators to shared boards. Categories: canvas-content, account. Regions: eu-de, eu-fi. Full detail at /trust/manch.
  • Discovery. Attack surface management and intelligence knowledge graph aggregating findings across customers and engagements. Categories: audit-subject. Regions: eu-de, eu-fi. Full detail at /trust/discovery.
  • Outreach. Outreach engine for campaigns, scans, teasers, and email send. Categories: prospect-pii. Regions: eu-de, eu-fi. Full detail at /trust/outreach.
  • PR. Editorial pipeline producing structured content from a profile and fact-bundle, publishing via signed ingest. Categories: content-artifact. Regions: eu-de, eu-fi. Full detail at /trust/pr.
  • Harvester. Universal capture substrate for recipe-driven scraping. Operates on URLs you authorize. Categories: scraping-target. Regions: eu-de, eu-fi. Full detail at /trust/harvester.
  • Phoenix (punah). WordPress-site rebuilder CLI. Captures legacy sites you control and stages modernized rebuilds. Categories: scraping-target, content-artifact. Regions: eu-de, eu-fi. Full detail at /trust/phoenix.

This Annex is updated when a new product is added to the Eleven11 fleet. The effective date of any material change is noted in the version history at the bottom of this page.

Annex II — Security measures · Annex III — Subprocessors

Annex II — Security measures. The technical and organizational security measures implemented by Eleven11 are described in full at /security. That page is part of this DPA by reference and has the same legal force as if reproduced here in full. Eleven11 updates that page when the security posture changes materially, with changes noted in the version history. Customer may request a point-in-time snapshot of the security measures page by writing to [email protected].

Annex III — Subprocessors. The current list of Subprocessors — including each Subprocessor’s name, the purpose for which it is engaged, the data categories it processes, the region it operates in, and a link to its own DPA — is published at /subprocessors. That page is part of this DPA by reference. Changes to the Subprocessor list are governed by the subprocessor authorization and change-notice mechanism described in the “Subprocessor authorization” section above: 30 days prior written notice, with Customer’s right to object.

How to engage

Use the channels below for the corresponding request type:

  • DPA requests, procurement review, counter-sign requests: [email protected]. See also the Request a signed copy card below if you need a counter-signed PDF for your procurement process.
  • Data subject rights and privacy operational requests: [email protected]. Responses within 30 days.
  • Everything else: [email protected]. Reaches a person.