Legal · CAO Studio

Data Processing Addendum — overview

Last updated: 2026-05-23

This page is an OVERVIEW. The final Data Processing Addendum (DPA) is agreed contractually and is the document that governs the relationship between your organisation and CAO Studio when CAO Studio processes personal data on your behalf.

Who is controller and who is processor?

For the SaaS deployment, the customer may be controller of the personal data they put into CAO Studio and CAO Studio may be processor on the customer's behalf, depending on the use case. The DPA documents this split, the security measures CAO Studio applies, and the subprocessors that may process data on CAO Studio's behalf.

For the client-server deployment, the responsibility split is different. The customer operates the application in their own environment; CAO Studio processes data only when support, telemetry, managed services, cloud LLM routing, or maintenance access is enabled. The DPA covers those scoped processor activities; the customer remains responsible for hosting, access control, backups, and local configuration.

Subprocessors

The current list of subprocessors and the data each one sees is on the Subprocessors / LLM Providers page. The DPA cross-references this list; new subprocessors are added there first.

How to request a DPA

Request a DPA: email info@creatingagileorganizations.com with your organisation name + which deployment model applies. We will reply with the current DPA template and the steps to sign it.

See also the Privacy Notice and the Deployment Models page for the responsibility split per deployment.