🇪🇺 EU First · GDPR Art. 28
Data Processing Agreement
Version 1.0 — 10 June 2026
This is Depaza's standard data processing agreement. For business customers it applies automatically as part of our Terms of Service — no signature needed. If your procurement process requires a countersigned copy, email us and we will return one within one business day.
01 Parties and how this agreement applies
This Data Processing Agreement ("DPA") is entered into between the customer using Depaza in the course of business (the "Customer") and Depaza, the provider of the services at depaza.com, contactable at hello@depaza.com ("Depaza"). It forms part of the agreement governing the Customer's use of the services (the "Agreement") and applies whenever Depaza processes personal data on the Customer's behalf under the GDPR.
By using the services in the course of business, the Customer accepts this DPA. A countersigned copy is available on request.
02 Roles of the parties
For Customer Content — the prompts, messages, files and other material the Customer or its users submit to the services — the Customer is the controller and Depaza is the processor.
For account, billing, security and usage data that Depaza needs to operate the services (email addresses, plan and payment status, token counts, request logs), Depaza is an independent controller, as described in our Privacy Policy.
Where the Customer has not opted out of model improvement (see the section on model improvement below), Depaza acts as an independent controller for that specific processing, within the limits described there.
03 Subject matter, duration, nature and purpose
Subject matter: the provision of Depaza's AI assistant, document generation, search, developer API and coding CLI. Duration: the term of the Agreement, plus the deletion windows described below. Nature and purpose: hosting, storing and processing Customer Content in order to generate the responses, documents and search results the Customer requests, and to let users access their own history. Details are set out in Annex 1.
04 Categories of data subjects and personal data
Data subjects: the Customer's users, and any individuals whose personal data appears in Customer Content. Personal data: any personal data contained in prompts, conversations, uploaded files and generated documents — the categories are determined by what the Customer chooses to submit, and may include special categories if the Customer submits them. The Customer is responsible for having a lawful basis for the personal data it submits.
05 Processing on documented instructions
Depaza processes Customer Content only on the Customer's documented instructions — the Agreement, this DPA and the Customer's use of the services' features constitute those instructions — unless processing is required by EU or member state law, in which case Depaza will inform the Customer before processing unless that law prohibits it. Depaza will inform the Customer if, in its opinion, an instruction infringes the GDPR.
06 Model improvement and opt-out
As described in the Privacy Policy, Depaza may use Customer Content to improve Depaza's own EU-hosted models. This processing takes place exclusively on EU infrastructure; content used for it is never sent to providers outside the EU and never sold. For this specific purpose Depaza acts as an independent controller.
The Customer can exclude its account from model improvement at any time by emailing hello@depaza.com — the exclusion is applied to the account and confirmed in writing. Enterprise agreements exclude model improvement contractually by default (no-train guarantee).
07 Confidentiality
Depaza ensures that every person authorised to process Customer Content is bound by confidentiality, either by contract or by statutory obligation, and accesses Customer Content only where strictly necessary to operate the services, provide support the Customer has requested, investigate abuse, or comply with law.
08 Security of processing
Depaza implements and maintains the technical and organisational measures set out in Annex 2, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing. Depaza may update the measures from time to time, provided the overall level of protection is not reduced.
09 Sub-processors
The Customer grants Depaza general authorisation to engage the sub-processors listed at depaza.com/subprocessors. Depaza imposes data protection obligations on every sub-processor that are no less protective than this DPA, and remains fully liable to the Customer for their performance.
Depaza gives at least 30 days' notice of any new sub-processor or material change by updating that page and, for customers who have requested it by email, by direct notice. If the Customer reasonably objects on data protection grounds and no resolution is found, the Customer may terminate the affected services.
10 Assistance with data subject requests
Taking into account the nature of the processing, Depaza assists the Customer with appropriate technical and organisational measures in fulfilling the Customer's obligation to respond to data subject requests (access, rectification, erasure, restriction, portability, objection). Users can delete conversations in the product; for anything else, email hello@depaza.com and we respond within the statutory timeframe. If a data subject contacts Depaza directly about Customer Content, Depaza will refer them to the Customer without undue delay.
11 Personal data breach notification
Depaza notifies the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Content. The notification describes, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed. Depaza documents breaches and cooperates with the Customer's own notification obligations.
12 Impact assessments and prior consultation
Depaza provides the Customer with reasonable assistance — primarily through the information in this DPA, the sub-processor list and the security documentation — for data protection impact assessments and prior consultation with supervisory authorities, where required and insofar as the information is available to Depaza.
13 Deletion and return of data
Users can delete individual conversations at any time. On termination of the Agreement, or on written request, Depaza deletes the Customer's Customer Content within 30 days, unless EU or member state law requires longer storage. Encrypted backups expire automatically on their retention schedule. On request before deletion, Depaza provides an export of the Customer's conversations in a structured, machine-readable format.
14 Audits and information
Depaza makes available the information necessary to demonstrate compliance with Article 28 GDPR — this DPA, the sub-processor list, and our security documentation — and answers reasonable written audit questionnaires within a reasonable period, at most once per year unless a supervisory authority requires otherwise or a breach has occurred. Where this is insufficient, the Customer may conduct an audit through an independent third party bound by confidentiality, on at least 30 days' notice, during business hours, without disrupting operations, and at the Customer's cost.
15 International transfers
Customer Content is hosted and processed — including all AI inference and any model improvement — on infrastructure in the European Union. Depaza does not transfer Customer Content to third countries.
A small number of supporting services involve providers outside the EU for limited, non-content data (for example payment processing, transactional email delivery, and network transit), each covered by an adequacy decision or standard contractual clauses, as set out per provider at depaza.com/subprocessors.
16 Liability and order of precedence
Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement. In case of conflict between this DPA and the Agreement regarding the processing of personal data, this DPA prevails.
17 Governing law and changes
This DPA is governed by the same law as the Agreement (Danish law) and follows its dispute resolution. Depaza may update this DPA to reflect changes in law or the services; material changes are announced on this page with an updated version number, and the version in force when a dispute arises is the one that applies to it.
18 Annex 1 — Details of processing
- Processing operations: receipt, storage, display and transmission of prompts, conversations and files; AI inference (chat, document generation, vision, audio transcription); EU web search; document export; deletion.
- Location: European Union (application hosting, database, file storage, AI inference and backups).
- Data subjects: the Customer's users and individuals appearing in Customer Content.
- Personal data: as contained in Customer Content; categories are determined by the Customer.
- Sensitive data: only if and to the extent the Customer submits it.
- Frequency: continuous, for the duration of the Agreement.
- Retention: until deleted by the user or Customer, on termination (30 days), or per the retention schedule in the Privacy Policy.
19 Annex 2 — Technical and organisational measures
- Encryption in transit: TLS for all connections, including between internal services.
- Encryption at rest: encrypted storage volumes on EU infrastructure; encrypted off-site backups within the EU.
- Access control: production access is limited to named, authorised personnel on a need-to-know basis; user-facing access is authenticated (password or single-use magic links) and every data access is scoped to the requesting account.
- EU-only AI processing: all model inference runs on EU-hosted infrastructure; no Customer Content is sent to AI providers outside the EU.
- Tenant separation: conversations, files and generated documents are scoped to the owning account at the application and database layer.
- Abuse and availability controls: per-account and per-IP rate limiting, upload size and type restrictions, and restrictive file permissions on stored uploads.
- Change management: changes are version-controlled and pass pre-deployment verification gates before reaching production.
- Incident response: a documented breach-notification process (see the breach section above); contactable at hello@depaza.com.
- Data minimisation: we store only what the product needs; raw audio uploads are deleted after transcription.
Need a countersigned copy or have DPO questions?
Email us — we return signed DPAs within one business day and answer security questionnaires directly.
hello@depaza.com