GDPR Compliance

Last updated: April 2026

A2Tech Consult Limited is committed to full compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK General Data Protection Regulation ("UK GDPR"). This page explains how A2Tech acts as a data controller and, where applicable, a data processor.

1. Our Role Under GDPR

As Data Controller: A2Tech determines the purposes and means of processing personal data collected from platform users (names, email addresses, account information). We are the data controller for this information.

As Data Processor: When you submit client RFP documents or project data to the A²AI platform for analysis, A2Tech processes that data strictly on your instructions to deliver the requested analysis. You are the data controller for any personal data contained in submitted documents; A2Tech acts as your data processor.

2. Lawful Bases for Processing

We rely on the following lawful bases under GDPR Article 6:

• Contract performance (Art. 6(1)(b)): Processing account and billing information necessary to provide the A²AI platform under our subscription agreement
• Legitimate interests (Art. 6(1)(f)): Analytics and platform improvement, security monitoring, and fraud prevention
• Legal obligation (Art. 6(1)(c)): Compliance with applicable tax, accounting, and regulatory requirements
• Consent (Art. 6(1)(a)): Optional analytics cookies and marketing communications (with withdrawal option at any time)

3. Data Subject Rights

Under GDPR, EU/EEA/UK data subjects have the following rights, exercisable by contacting dpo@a2techconsult.com:

• Right of access (Art. 15): Obtain confirmation of whether we process your data and receive a copy of that data
• Right to rectification (Art. 16): Request correction of inaccurate personal data
• Right to erasure (Art. 17): Request deletion of your personal data where no legal basis for retention exists
• Right to restriction (Art. 18): Request restriction of processing in specified circumstances
• Right to data portability (Art. 20): Receive your personal data in a structured, machine-readable format
• Right to object (Art. 21): Object to processing based on legitimate interests
• Rights related to automated decision-making (Art. 22): A²AI outputs are decision-support tools reviewed by human professionals — no solely automated decisions with legal effects are made

We will respond to all valid requests within 30 days. In complex cases, we may extend this by a further 60 days with notification.

4. International Data Transfers

Where personal data is transferred outside the EEA or UK, A2Tech ensures appropriate safeguards:

• Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914)
• UK International Data Transfer Agreements (IDTAs) for UK data transfers
• Adequacy decisions where applicable (e.g., transfers to countries with GDPR-equivalent protection)

Our primary infrastructure is hosted in EU data centres (Frankfurt and Dublin) with no default transfers of EU personal data to non-adequate third countries.

5. Data Processing Agreement (DPA)

Enterprise customers requiring a formal Data Processing Agreement under GDPR Article 28 may request our standard DPA by contacting dpo@a2techconsult.com. The DPA sets out:

• Subject matter, duration, nature, and purpose of processing
• Type of personal data and categories of data subjects
• Technical and organisational security measures
• Sub-processor list and change notification procedure
• Audit rights and cooperation obligations

6. Sub-Processors

A2Tech uses the following key sub-processors for platform operation:

• Amazon Web Services (AWS): Cloud infrastructure — EU data centres; SCCs in place
• Anthropic PBC: Claude API for Tool 06 RFP Chat — data processed under Anthropic's commercial API terms; no training on API data
• Stripe Inc.: Payment processing — SCCs in place; PCI DSS Level 1 certified
• Datadog Inc.: Platform monitoring and logging — EU data residency; SCCs in place

We maintain a full sub-processor register and will notify customers of material changes with 30 days' advance notice.

7. Data Breach Notification

In the event of a personal data breach that poses a risk to data subjects, A2Tech will notify the relevant supervisory authority within 72 hours of becoming aware, as required by GDPR Article 33. Affected data subjects will be notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

8. Data Protection Officer

A2Tech has appointed a Data Protection Officer (DPO) responsible for overseeing GDPR compliance and acting as the point of contact for supervisory authorities and data subjects.

9. Supervisory Authority

A2Tech Consult Limited is registered with the Information Commissioner's Office (ICO) in the United Kingdom. EU data subjects may also lodge complaints with their local Data Protection Authority.