
Procurement summary

Data Protection at August AI

This is the one-page document we send first when your procurement or legal team asks “are you GDPR-compliant?”. The full Article 28 GDPR Data Processing Agreement is at augusttech.io/legal/dpa.

Last updated: 18 May 2026

Need a PDF? Email dpa@augusttech.io and we'll send a signed PDF copy within 5 business days.


1. Who August AI is

August AI is a multi-tenant B2B Software-as-a-Service operated by August Tech Ltd (Companies House 16843633, incorporated 10 November 2025, registered office 112 Trent Gardens, London, England, N14 4QN, SIC 62090, England and Wales).

August AI receives WhatsApp Business Cloud messages from a customer's sales representatives, generates structured morning and afternoon CRM briefings for those reps over WhatsApp, processes their replies, and writes back updates to the customer's connected CRM (HubSpot or Zoho).

2. GDPR roles

  • Customer = Controller. The Customer is the controller of the personal data it provides to August AI.
  • August AI = Processor. August AI processes that personal data only on the Customer's documented instructions, in line with GDPR Article 28.

Article 28 GDPR requires a written Data Processing Agreement between Controller and Processor. August AI provides a signable DPA at /legal/dpa.

3. What personal data is processed

Category                                | Examples
----------------------------------------|---------------------------------------------------------------------------------------------------------------
Customer's reps (platform users)        | Full name, business email, business mobile / WhatsApp number, CRM owner ID
Customer's reps' contacts and leads     | Contact name, phone number, email, company, role, deal stage and value, last-activity, free-text notes
Message content                         | Free-text inbound and outbound WhatsApp Business Cloud messages between August AI and the Customer's reps

No Special Categories of Personal Data (Article 9) are knowingly processed.

4. Data flow

  • Operational data (the August AI database) lives in eu-west-2 (London).
  • Only narrowly-scoped CRM context goes to US AI inference providers, on a zero-retention API basis where supported.
  • Transport: WhatsApp Business Cloud (Meta Ireland) for messaging; Cloudflare Workers (UK + global edge) for the application tier; Neon Postgres for operational data; HubSpot or Zoho via the customer's own OAuth grant.

5. Sub-processors

The live machine-readable list is at /legal/subprocessors. Summary as of the Last Updated date above:

Sub-processor                                               | Purpose                                              | Location                                                       | Mechanism
------------------------------------------------------------|------------------------------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------
Cloudflare Workers Ltd (UK) / Cloudflare Inc. (US parent)   | Application hosting, CDN, WAF                        | UK + global edge                                               | UK / EU contracting; SCCs + UK Addendum for any US onward leg
Neon Inc.                                                   | Operational database                                 | DB compute + storage: eu-west-2, London. Control plane: US     | SCCs (Module 3) for US control-plane component
WhatsApp Ireland Limited (Meta)                             | WhatsApp Business Cloud transport                    | Ireland + Meta global infrastructure                           | Meta's SCCs + Additional Safeguards Addendum
Anthropic, PBC                                              | AI inference (briefing summarisation, reply parsing) | US                                                             | SCCs (Module 3), zero-retention API where supported
OpenAI, OpCo, LLC                                           | AI inference (fallback / specific surfaces)          | US                                                             | SCCs (Module 3), zero-retention API where supported
HubSpot, Inc.                                               | Customer's own CRM (where connected)                 | US (or EU region if Customer selected)                         | Customer's own DPA with HubSpot governs
Zoho Corporation                                            | Customer's own CRM (alternative)                     | India / EU / US per Customer data residency                    | Customer's own DPA with Zoho governs
Stripe Payments Europe Ltd                                  | Subscription billing                                 | Ireland                                                        | Separate Controller for payment-card data
Resend, Inc.                                                | Transactional email (no CRM data)                    | US                                                             | SCCs (Module 3)

The DPA gives the Customer the right to object to new sub-processors on reasonable data protection grounds within 30 days of notification.

6. Security posture (Article 32 summary)

  • In transit: TLS 1.2 or above end-to-end.
  • At rest: AES-256 in Neon Postgres (eu-west-2, London). OAuth refresh tokens and webhook signing secrets are stored encrypted at the column level.
  • Tenant isolation: per-tenant row-level security policies in Postgres. Cross-tenant queries are blocked by database policy and audit-logged when attempted.
  • Access: least-privilege role-based access, MFA required for all production administrative access, secrets stored in Cloudflare Workers (no plaintext credentials in source or logs).
  • Logging: outbound application logs are run through a secret-redaction filter to strip token / key / password / URL-embedded-credential patterns.
  • Network: Cloudflare WAF and built-in DDoS mitigation.
  • Backups: daily, encrypted, with a 35-day rotation. RTO and RPO target 24 hours.
  • Code: static analysis on every change, weekly dependency vulnerability scanning, annual penetration test including tenant-isolation scope.
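The log secret-redaction filter in the list above is the one control a reviewer can check mechanically. The block below is an added illustration, not August AI's own filter: the pattern rules and the sample log lines are constructed here to show the four classes named (token, key, password, URL-embedded credential), and the integration point is a standard Python logging.Filter.

```python
import logging
import re

# Constructed illustrative rules; August AI's real rule set is not published.
# Each rule is (compiled pattern, replacement). Patterns keep the key name and
# replace only the secret value, so the log line stays useful for debugging.
REDACTION_RULES = [
    # "Authorization: Bearer <token>" style headers
    (re.compile(r"(?i)(bearer\s+)[A-Za-z0-9\-._~+/]+=*"), r"\1[REDACTED]"),
    # key=value / key: value pairs whose key ends in token, api_key, secret, password, pwd
    (re.compile(r"(?i)\b(\w*(?:token|api[_-]?key|secret|password|passwd|pwd))"
                r"(\s*[=:]\s*)[^\s,;&\"']+"), r"\1\2[REDACTED]"),
    # JSON-style "client_secret": "value"
    (re.compile(r'(?i)("\w*(?:token|api[_-]?key|secret|password)"\s*:\s*")[^"]*(")'),
     r"\1[REDACTED]\2"),
    # credentials embedded in URLs: scheme://user:pass@host (keeps the user name)
    (re.compile(r"(?i)\b([a-z][a-z0-9+.\-]*://)([^/\s:@]+):([^/\s@]+)@"),
     r"\1\2:[REDACTED]@"),
]


def redact(line: str) -> str:
    """Apply every redaction rule to one log line and return the cleaned line."""
    for pattern, replacement in REDACTION_RULES:
        line = pattern.sub(replacement, line)
    return line


class SecretRedactionFilter(logging.Filter):
    """Rewrites each record's message before any handler emits it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already formatted; drop args so it is not re-formatted
        return True


# Constructed sample lines (not real application output) covering each pattern class.
SAMPLE_LINES = [
    "GET /hubspot/sync Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig",
    "connecting to postgres://app:s3cr3t@db.example.internal:5432/crm",
    'zoho oauth refresh {"client_secret": "zoho-abc-123", "grant_type": "refresh_token"}',
    "webhook verify failed: access_token=EAAB_wa_token_xyz&hub.mode=subscribe",
    "briefing generated for rep=alice@example.com deals=4",
]


def redact_lines(lines):
    """Redact a batch of lines; used to check the filter against the samples."""
    return [redact(line) for line in lines]


if __name__ == "__main__":
    logging.getLogger().addFilter(SecretRedactionFilter())
    for cleaned in redact_lines(SAMPLE_LINES):
        print(cleaned)
```

A pattern list like this is only as good as its coverage, so keep a sample set of known secret shapes as a unit test and treat any new credential format (a new CRM's token prefix, for example) as a reason to add a rule.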

7. Breach notification

August AI notifies the Customer of any Personal Data Breach affecting Customer data without undue delay, and in any event within 72 hours of becoming aware. The notification covers nature, scope, likely consequences, mitigation measures, and a contact point. August AI does not notify supervisory authorities or data subjects directly on the Customer's behalf unless explicitly instructed.

8. Retention, return, and deletion

  • Operational data is retained for the term of the contract.
  • On termination, the Customer may instruct August AI to return data (structured machine-readable format) or delete it. Default is deletion within 30 days. Encrypted backups are overwritten in the ordinary 35-day rotation.
  • Application audit logs are retained for 90 days then deleted.
  • AI inference inputs / outputs are not retained by the AI provider where zero-retention API mode is in use.

9. Data Processing Agreement

The full Article 28 GDPR DPA is at /legal/dpa and covers:

  1. Roles (Customer = Controller, August AI = Processor).
  2. Sub-processor authorisation, change-notification, and right to object.
  3. Subject-matter, duration, nature, purpose, types of data, categories of data subjects.
  4. All Article 28(3)(a) to (h) processor obligations.
  5. 72-hour breach notification.
  6. DPIA and prior consultation cooperation (Articles 35, 36).
  7. International transfers (SCCs Module 3 + UK Addendum), with a Transfer Impact Assessment summary.
  8. Article 32 technical and organisational measures.
  9. Audit rights (annual, 60 days' notice, SOC 2 report acceptable in lieu).
  10. Return or deletion at end of contract.
  11. Liability apportionment and mutual indemnity.
  12. Governing law: England and Wales.

10. Contact

  • Data protection enquiries: dpa@augusttech.io
  • DPA request: dpa@augusttech.io (subject: “DPA request, [Customer name]”)
  • Postal: August Tech Ltd, 112 Trent Gardens, London, England, N14 4QN
  • Sub-processor change notifications: email plus the public sub-processors page.

11. What we ask the Customer to confirm

Before signing the DPA, the Customer should confirm:

  1. The Customer has a lawful basis (GDPR Article 6, and where applicable Article 9) to process the personal data it provides to August AI.
  2. The Customer has informed its reps' contacts about the processing, in line with Articles 13 / 14.
  3. The Customer accepts the general written authorisation of sub-processors in Annex III of the DPA, with the right to object on reasonable data protection grounds.
  4. Where the Customer's CRM is hosted in a specific region (HubSpot EU or Zoho EU), the Customer has selected that residency itself.

Ready for the full DPA?

The signable Article 28 GDPR DPA is published at /legal/dpa. Request a countersigned copy by emailing dpa@augusttech.io.


August Tech Ltd · Companies House 16843633 · Incorporated 10 November 2025 · Registered office: 112 Trent Gardens, London, England, N14 4QN · SIC 62090.