Data Processing Agreement

Artificial Societies Ltd

1. Introduction and Scope

1.1 Parties

This Data Processing Agreement ("DPA") forms part of the agreement between Artificial Societies Ltd, a company incorporated in England and Wales (company number 15963818), with its registered address at 5 New Street Square, London, EC4A 3TW ("Processor", "we", "us"), and the customer entity that has executed a Statement of Work or accepted our Terms of Service ("Controller", "you", "Customer").

1.2 Purpose

This DPA sets out the terms under which we will process Personal Data on your behalf when providing our Platform and services. It supplements our Terms of Service (available at https://societies.io/terms-of-service) and our Privacy Policy (available at https://societies.io/privacy-policy).

1.3 Applicable Law

This DPA is designed to meet the requirements of:

  • The UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018;
  • The EU General Data Protection Regulation (GDPR) 2016/679;
  • Other applicable data protection laws as specified in a Statement of Work.

2. Definitions

In this DPA, the following terms have the meanings set out below:

Term: Definition
Controller: The entity that determines the purposes and means of Processing Personal Data (the Customer).
Customer Data: Any data, including Personal Data, that the Customer provides to us for Processing through the Platform.
Data Protection Laws: Any Applicable Law relating to the Processing, privacy, and use of Personal Data, as applicable to the Processor, the Controller, and/or the Services, including: (i) Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively, the "UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any judicial or administrative interpretation of any of the above, any guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority.
Data Subject: An identified or identifiable natural person whose Personal Data is Processed.
Personal Data: Any information relating to an identified or identifiable natural person.
Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
Platform: The Artificial Societies platform and services provided at radiant.societies.io.
Processing: Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
Processor: The entity that Processes Personal Data on behalf of the Controller (Artificial Societies Ltd).
Standard Contractual Clauses (SCCs): (i) Where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"), available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj; and (ii) where the UK GDPR applies, standard data protection clauses for processors adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR ("UK SCCs" / "UK Addendum"), available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.
Subprocessor: Any third party engaged by us to Process Personal Data on behalf of the Controller.
Supervisory Authority: Any local, national, or multinational agency, department, official, parliament, public body, or other regulatory authority that is authorised to exercise oversight, enforcement, or rulemaking authority related to Data Protection Laws, including the UK Information Commissioner's Office (ICO).

3. Roles and Responsibilities

3.1 Controller Responsibilities

As the Controller, you shall:

  • Ensure that you have a lawful basis for Processing Personal Data and for instructing us to Process such data;
  • Provide all required notices to Data Subjects and obtain any necessary consents;
  • Ensure that Customer Data provided to us is accurate and up-to-date;
  • Comply with all applicable Data Protection Laws in your use of the Platform;
  • Respond to Data Subject requests and regulatory inquiries relating to Customer Data.

3.2 Processor Responsibilities

As the Processor, we shall:

  • Process Personal Data only on your documented instructions, unless required by law;
  • Ensure that persons authorised to Process Personal Data are bound by confidentiality obligations;
  • Implement appropriate technical and organisational security measures;
  • Assist you in responding to Data Subject requests and regulatory inquiries;
  • Notify you promptly of any Personal Data Breach;
  • Delete or return Personal Data at the end of the agreement, unless required by law to retain it;
  • Make available information necessary to demonstrate compliance with this DPA.

4. Processing Details

4.1 Subject Matter and Duration

We will Process Personal Data for the duration of our agreement with you, for the purpose of providing the Platform and associated services as described in the Terms of Service and any applicable Statement of Work.

4.2 Nature and Purpose of Processing

The nature and purpose of Processing includes:

  • Operating and maintaining the Platform;
  • Running Simulations using synthetic audiences based on Customer inputs;
  • Generating and storing Simulation results;
  • Providing customer support and troubleshooting;
  • Maintaining logs for service delivery and security purposes.

4.3 Types of Personal Data

The types of Personal Data Processed may include:

  • Contact information (names, email addresses, job titles);
  • Account credentials and authentication data;
  • Data included in Simulation prompts and configurations;
  • Usage data and Platform interaction logs;
  • Any other Personal Data provided by the Customer through the Platform.

4.4 Categories of Data Subjects

The categories of Data Subjects may include:

  • Customer employees and authorised users of the Platform;
  • Individuals whose data is included in Customer inputs or Simulation configurations;
  • Individuals referenced in research or survey data provided by the Customer.

4.5 Special Categories of Data

The Platform is not designed to Process special categories of Personal Data (such as health data, biometric data, or data revealing racial or ethnic origin). If you require Processing of such data, please contact us to discuss appropriate safeguards and ensure you have obtained explicit consent or another lawful basis for such Processing.

5. Security Measures

5.1 Technical Measures

We implement appropriate technical measures to protect Personal Data, including:

  • Encryption of data in transit using TLS 1.2 or higher;
  • Encryption of data at rest using industry-standard encryption;
  • Secure authentication mechanisms including multi-factor authentication options;
  • Regular security testing and vulnerability assessments;
  • Network security including firewalls, intrusion detection, and DDoS protection via Cloudflare;
  • Secure backup and disaster recovery procedures.

5.2 Organisational Measures

We implement appropriate organisational measures, including:

  • Role-based access controls limiting access to Personal Data;
  • Confidentiality agreements for all personnel;
  • Regular data protection training for employees;
  • Documented security policies and procedures;
  • Incident response procedures for security events.

6. Subprocessors

6.1 Authorised Subprocessors

You authorise us to engage the Subprocessors listed at https://societies.io/subprocessors. We ensure that each Subprocessor is bound by data protection obligations no less protective than those set out in this DPA.

6.2 Changes to Subprocessors

We will provide you with notice of any intended changes to Subprocessors by updating our Subprocessors list. You may object to a new Subprocessor by notifying us in writing within 14 days of receiving notice. If you have a reasonable objection and we cannot address your concerns, you may terminate the affected services without penalty.

6.3 Subprocessor Liability

We remain fully liable to you for the performance of our Subprocessors' obligations under this DPA.

7. International Data Transfers

7.1 Transfer Mechanisms

When we transfer Personal Data outside the UK or EEA, we ensure appropriate safeguards are in place, including:

  • Transfers to countries with an adequacy decision from the UK government or European Commission;
  • Standard Contractual Clauses approved by the UK Information Commissioner and/or European Commission;
  • Other appropriate safeguards as permitted by Data Protection Laws.

7.2 Standard Contractual Clauses

Where required, the parties agree that the Standard Contractual Clauses shall apply to transfers of Personal Data to third countries. The applicable SCCs are incorporated by reference into this DPA, with:

  • Module Two (Controller to Processor) applying to transfers of Customer Data;
  • The Customer acting as data exporter and Artificial Societies Ltd as data importer;
  • The UK Addendum applying for transfers from the UK.

7.3 Transfer Impact Assessments

We conduct transfer impact assessments for international transfers and implement supplementary measures where necessary to ensure an essentially equivalent level of protection for Personal Data.

8. Data Subject Rights

8.1 Assistance with Requests

We will assist you in responding to requests from Data Subjects exercising their rights under Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.

8.2 Notification

If we receive a request directly from a Data Subject relating to Customer Data, we will promptly notify you and will not respond to the request without your instructions, unless required by law.

8.3 Platform Features

The Platform provides features to help you respond to Data Subject requests, including data export and deletion capabilities.

9. Personal Data Breach

9.1 Notification

We will notify you without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data Breach affecting Customer Data. The notification will include:

  • A description of the nature of the breach;
  • The categories and approximate number of Data Subjects affected;
  • The categories and approximate number of records affected;
  • The likely consequences of the breach;
  • Measures taken or proposed to address the breach.

9.2 Cooperation

We will cooperate with you and provide reasonable assistance to help you comply with your breach notification obligations under Data Protection Laws.

10. Audit Rights

10.1 Information and Audit

We will make available to you all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by you or an auditor you appoint.

10.2 Audit Conditions

Audits shall be subject to the following conditions:

  • You shall provide at least 30 days' written notice of any proposed audit;
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt our operations;
  • Any third-party auditor must be bound by confidentiality obligations;
  • You shall bear the costs of any audit, unless the audit reveals a material breach by us.

10.3 Third-Party Certifications

We may provide third-party certifications, attestations, or audit reports to satisfy your audit requirements, where available.

11. Data Retention and Deletion

11.1 During the Agreement

We will retain Customer Data for the duration of our agreement, in accordance with our retention policies and your instructions.

11.2 Upon Termination

Upon termination or expiry of our agreement, we will:

  • Return Customer Data to you in a commonly used format upon request, made within 30 days of termination;
  • Delete all Customer Data within 90 days of termination, unless you request data return or we are required by law to retain it;
  • Provide written confirmation of deletion upon request.

11.3 Deletion of End Customer Data

Where the Controller provides Platform access to its own customers or end users ("End Customers"), the Controller may request deletion of a specific End Customer's data by written notice to the Processor identifying the relevant account. The Processor shall delete all Personal Data associated with that End Customer account within ninety (90) days of receiving the request, unless retention is required by applicable law, and shall confirm deletion in writing upon completion.

11.4 Exceptions

We may retain anonymised or aggregated data that does not constitute Personal Data. We may also retain Personal Data where required by applicable law, subject to appropriate safeguards.

12. AI and Model Training

12.1 No Training on Customer Data

We do not use Customer Data - including simulation prompts, input parameters, and bespoke audience configurations - to train or improve foundational AI models, unless explicitly agreed in writing with you.

12.2 Third-Party AI Providers

Where we use third-party AI providers (such as OpenAI and Google AI) as Subprocessors, we ensure contractual commitments that Customer Data is not used for model training by these providers.

13. Liability

13.1 Liability Cap

Each party's liability under this DPA shall be subject to the limitations of liability set out in the Terms of Service or applicable Statement of Work.

13.2 Indemnification

Each party shall indemnify the other for any losses, damages, or expenses arising from its breach of this DPA or applicable Data Protection Laws.

14. General Provisions

14.1 Precedence

In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the Processing of Personal Data.

14.2 Amendments

We may update this DPA from time to time. Material changes will be notified to you, and continued use of the Platform after such notification constitutes acceptance of the updated DPA.

14.3 Governing Law

This DPA shall be governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

15. Contact Us

If you have any questions about this Data Processing Agreement or our data processing practices, please contact us:

Company Name: Artificial Societies Ltd
Address: 5 New Street Square, London, EC4A 3TW
Email: support@societies.io
Data Protection Contact: Tom Whittle, CTO

Version 1.1

Last Updated: 18 March 2026