DPA posture · OwnOS Ltd

DPA + joint-controller annex.

A pure-processor DPA assumes the vendor decides nothing about how your data is used. That isn't how OwnOS works. We make architectural decisions about reconciliation logic, autonomous triggers, retention shapes, and cross-primitive intelligence alongside you. Pretending otherwise on paper would misrepresent the relationship to the regulator.

So we sign Article 28 (processor terms) + Article 26 (joint controllership annex) on every install. It's the posture the regulator expects when the vendor co-determines purpose and means of processing.

What that means in practice

Why this matters more for AI than for SaaS

A standard SaaS vendor genuinely is a processor: it stores your data and gives it back when you ask. An AI workspace install is different. The vendor co-designs what counts as a decision, how recall works, which categories are out of scope. That co-design is, by definition, joint control. Hiding it in a pure-processor DPA wouldn't survive an ICO investigation.

Annex III red lines

Under the EU AI Act, certain decisions flip the system to high-risk: recruitment screening, credit decisioning, insurance pricing, benefits eligibility, disciplinary automation. We hold those categories out of scope on every install. They're not a negotiation. If the client needs one of those capabilities, we'll discuss it before scope is signed, and it won't be built into the install at all.

Sub-processors & residency

Your DPA carries a sub-processor annex listing every third party that touches your data, with purpose, region, and transfer mechanism. We give you at least 30 days' notice before adding or replacing any sub-processor that handles your personal data. See also residency options for where the AI layer runs.

Mutual obligations on the client side

Joint control runs both ways. You commit to a lawful basis for the data you bring into the install, to internal staff transparency, and to honest scoping at discovery. We commit to the architectural side and to declining engagements that don't fit either obligation.

Get the document

We share the full DPA + joint-controller annex during the discovery conversation. To request a copy outside of an active engagement, email privacy@ownos.co.uk.