Public Data Processing Addendum
This public Data Processing Addendum summary explains how Shiftline AI Ltd approaches customer-controlled personal data. It is designed to help procurement, security, and privacy teams understand our baseline position. It is not a substitute for a signed DPA, order form, statement of work, or master services agreement, each of which may include customer-specific terms.
1. Parties and roles
For customer workflow data, the customer is the controller or processor, and Shiftline is the processor or sub-processor. Shiftline processes customer personal data only on documented instructions, including the agreement, order form, statement of work, approved product configuration, support instructions, and lawful written instructions acknowledged by Shiftline.
2. Subject matter and purpose
The subject matter is the provision of AI automation, agentic workflow, integration, support, monitoring, and related professional services. The purpose is to design, build, operate, support, secure, and improve customer-approved workflows and systems.
| Processing area | Typical data | Purpose |
|---|---|---|
| Workflow automation | Customer-provided records, documents, messages, metadata, and task content | Read, classify, draft, route, reconcile, summarise, escalate, or prepare outputs under customer-approved workflows |
| Agent and model inference | Prompts, context, retrieved documents, outputs, tool results, and logs needed for the workflow | Generate or support workflow outputs using approved model and tool configurations |
| Security and operations | Account, access, event, diagnostic, and audit data | Operate, secure, troubleshoot, monitor, and evidence the service |
| Support and procurement | Business contact details, support tickets, contracting records, and security-review information | Manage the customer relationship and fulfil legal, commercial, and support obligations |
3. AI model processing and Vertex AI
Shiftline uses Google Cloud Platform, including Vertex AI, for managed model inference and related cloud services where appropriate for a customer deployment. Customer content sent to managed model services is processed to provide the requested service output and is subject to the applicable customer agreement, configuration, Google Cloud terms, and any customer-specific security schedule.
Shiftline does not permit customer content submitted through Shiftline-managed Vertex AI model calls to be used to train or fine-tune foundation models unless the customer expressly instructs or agrees to that use in writing. Optional request-and-response logging is not enabled by default for customer deployments unless required by the agreed solution, support, security investigation, legal requirement, or customer-approved configuration.
Some transient processing, abuse-prevention logging, service-performance caching, or feature-specific retention may occur under Google Cloud terms and service configuration. Any specific zero-retention, residency, region-locking, logging, or model-family requirement should be captured in the order form, statement of work, DPA schedule, or security schedule before production use.
4. Security measures
Shiftline maintains technical and organisational measures appropriate to the nature, scope, context, and risk of the processing. These may include least-privilege access, role-based permissions, authentication controls, encryption in transit, environment separation, secrets management, logging, vendor review, confidentiality commitments, incident response, and operational monitoring.
Security controls vary by customer deployment, integration pattern, and agreed scope. Shiftline does not accept responsibility for customer-managed systems, customer user permissions, customer-selected data, unsafe customer instructions, third-party systems outside Shiftline control, or use of outputs without appropriate human review.
5. Sub-processing
Shiftline may appoint sub-processors to provide cloud hosting, model inference, storage, monitoring, support, communications, and operational services. Shiftline remains responsible to the customer for its own obligations under the signed agreement, while sub-processors are bound by appropriate contractual, confidentiality, and data-protection obligations.
Customer-specific notice periods, objection rights, and sub-processor lists should be handled in the signed DPA or order form. Public sub-processor summaries are provided for transparency and may change as services evolve.
6. International transfers
Where personal data is transferred outside the UK or EEA, Shiftline will use appropriate transfer safeguards where required, such as adequacy regulations, Standard Contractual Clauses, the UK International Data Transfer Addendum, or another lawful mechanism. Transfer commitments are subject to the final signed agreement and the customer’s deployment configuration.
7. Data subject requests and regulatory assistance
Shiftline will provide reasonable assistance to customers responding to data subject requests, DPIAs, transfer assessments, regulator enquiries, and security reviews where required by applicable law and the signed agreement. Assistance may be subject to reasonable scope, notice, technical feasibility, confidentiality, and cost controls.
8. Incidents
If Shiftline becomes aware of a confirmed personal data breach affecting customer personal data processed by Shiftline, we will notify the affected customer without undue delay and provide information reasonably available to help the customer meet its legal obligations. Incident communications do not constitute an admission of fault or liability.
9. Return and deletion
On termination or written instruction, Shiftline will return or delete customer personal data in accordance with the signed agreement, technical feasibility, backup and archival cycles, legal obligations, and legitimate security or dispute-resolution needs. Residual copies may persist for a limited period in backups or logs before secure deletion according to normal retention cycles.
10. Audit and evidence
Shiftline supports reasonable procurement and compliance review. Any audit must be limited to information necessary to verify the relevant obligations, conducted under confidentiality, and structured to protect Shiftline security, trade secrets, internal controls, other customers, and third-party confidential information.
11. Liability and order of precedence
This public DPA page is informational. Binding obligations, liability caps, indemnities, service levels, audit mechanics, bespoke security controls, and customer-specific regulatory requirements must be agreed in a signed contract. If this page conflicts with a signed agreement between Shiftline and a customer, the signed agreement controls.
12. Contact
For a signed DPA, SCCs, transfer schedule, or procurement pack, contact privacy@shiftline.ai or hello@shiftline.ai.