← Trust Center
Draft template — sign-ready copy on request
Data Processing Agreement
GDPR Article 28 contract between you (Controller) and Eubulia (Processor) for personal data you store in Eubulia about your own clients and contacts.
Template version: 1.0 · Last updated: 2026-05-04 · Processor: Søren Porskrog, Eubulia (Copenhagen, Denmark) · Contact: hello@eubulia.eu
This page is the public template
For an executable, signed copy of this DPA tailored to your name and organization, email hello@eubulia.eu with subject "DPA request". We send a DocuSign-ready version within 2 business days. Material amendments are accepted by case-by-case review.
1. Parties and definitions
This Data Processing Agreement ("DPA") forms part of and is incorporated into the Terms of Service ("Principal Agreement") between:
- Controller: the customer of Eubulia ("you" or "Customer"), as named in Annex I
- Processor: Søren Porskrog, Eubulia, Copenhagen, Denmark ("we", "Eubulia")
"Personal data", "data subject", "controller", "processor", "sub-processor", "processing", and "appropriate technical and organizational measures" have the meanings given in the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR").
2. Subject matter, duration, nature, and purpose
- Subject matter: Processing of personal data by Eubulia on the Controller's behalf as part of providing the Eubulia service.
- Duration: For the term of the Principal Agreement, plus the data-return/deletion period in Section 12.
- Nature: Storage, indexing, retrieval, semantic search, classification, structured extraction, and AI-assisted analysis of personal data input by the Controller.
- Purpose: Enabling the Controller to organize programme context (people, risks, decisions, milestones) and obtain AI-assisted analytical output for their professional consulting work.
3. Categories of data subjects and personal data
Categories of data subjects (typical, non-exhaustive — depends on Controller's input):
- Controller's own clients and the clients' employees
- Stakeholders involved in Controller's engagements (board members, executives, vendors, regulators)
- Persons mentioned in meeting transcripts, documents, and notes input by Controller
Categories of personal data (typical):
- Identifiers: name, role/title, organizational affiliation, email (where input)
- Professional context: meeting attendance, expressed views, decisions taken, risks raised
- Behavioral observations made by the Controller (assessments of stakeholder positions)
Special categories (Art. 9 GDPR): Not requested by Eubulia. If Controller chooses to input such data, Controller bears responsibility for the lawful basis and informs Eubulia (via Settings → Identity → "Sensitive data flag") so we can apply additional handling.
4. Controller obligations
The Controller represents and warrants that:
- Processing has a lawful basis under GDPR Art. 6 (and Art. 9 where applicable)
- Data subjects have been informed (transparency obligation, Art. 13/14) where required
- Controller has obtained consent where consent is the lawful basis
- Instructions to Processor are lawful and consistent with the Principal Agreement
- Controller will not use Eubulia for purposes incompatible with the original purpose disclosed to data subjects
5. Processor obligations
Eubulia shall:
- Process personal data only on documented instructions from the Controller, including the Principal Agreement, this DPA, and explicit additional instructions in writing
- Inform the Controller without delay if an instruction infringes GDPR or other Union or Member State data-protection law
- Ensure persons authorized to process personal data (currently: the founder; future: employees and contractors) are bound by confidentiality
- Implement appropriate technical and organizational measures (TOMs) per Annex II
- Engage sub-processors only under the conditions in Section 6
- Assist the Controller per Section 9 (data subject rights) and Sections 7-8 (security and breach)
- Make available all information necessary to demonstrate compliance with this DPA, and allow audits per Section 10
- Return or delete personal data per Section 12 at the end of the Principal Agreement
6. Sub-processors
The Controller grants general written authorization to Eubulia to engage sub-processors to assist in providing the service.
The current list of authorized sub-processors is published at /legal/sub-processors. The list at the time of agreement is reproduced in Annex III.
Eubulia shall:
- Notify Controller at least 30 days in advance of any intended addition or replacement of a sub-processor, via email to the account address
- Provide Controller with the opportunity to object on reasonable grounds. If Controller objects and the parties cannot agree, Controller may terminate the Principal Agreement with full export of data per Section 12
- Impose on each sub-processor data-protection obligations no less protective than those in this DPA, in particular regarding TOMs and breach notification
- Remain fully liable to Controller for the sub-processor's performance of GDPR obligations
7. Technical and organizational measures
Specific TOMs are described in Annex II below and on our security page at /legal/security. They include:
- Encryption in transit (TLS 1.3) and at rest (AES-256 via Supabase managed encryption)
- Multi-tenant isolation enforced at the database level (Row-Level Security on 15 core tables; per-organization isolation across 35 tables)
- Authentication via Supabase Auth (JWT, SSO with Google and Microsoft)
- Bitemporal audit trail by design (immutable version history of all structured changes)
- Customer source documents kept in Customer's own cloud — never copied to Eubulia servers
- Logging of all processing activities (access, mutations, LLM calls)
- Periodic review of TOMs as the service evolves; material updates communicated to Customer
8. Personal data breach notification
Eubulia shall notify the Controller without undue delay, and in any event within 72 hours after becoming aware of a personal data breach affecting Controller's data. The notification shall describe:
- The nature of the breach, including categories and approximate number of data subjects and records affected
- Likely consequences
- Measures taken or proposed to address the breach and mitigate its effects
- Contact point for further information
Eubulia will assist the Controller in fulfilling its own notification obligations to supervisory authorities (Art. 33) and data subjects (Art. 34) where applicable.
9. Assistance with data subject rights
Eubulia shall assist the Controller, by appropriate technical and organizational measures and to the extent possible, in fulfilling Controller's obligations to respond to data subject requests under GDPR (access, rectification, erasure, restriction, portability, objection).
- Access & portability: Customer can export all narrative content as Markdown and structured graph as JSON via in-product tooling
- Rectification: Customer can edit entities directly
- Erasure: Customer can hard-delete a specific data subject's records via the per-entity delete tool, or hard-delete an entire client via the per-client delete tool — both cascade across bitemporal versions, vector indexes, and backups within 30 days
- Where Customer's tooling is insufficient, Eubulia will assist on request at no extra charge during alpha; reasonable engineering fees may apply post-GA for non-routine assistance
10. Audit rights and information
Eubulia shall make available to the Controller information necessary to demonstrate compliance with this DPA. On reasonable request, Eubulia will:
- Provide written responses to security questionnaires (CAIQ Lite or Customer's format) within 10 business days
- Provide third-party audit reports, if and when obtained (SOC 2 / ISO 27001 are roadmap items, not yet completed)
- Allow Controller, or an independent auditor mandated by Controller, to conduct audits — including inspections — at Controller's expense, with at least 30 days' advance written notice, no more than once per year except where required following a personal data breach. Audits must respect Eubulia's confidentiality and security policies
11. International data transfers
By default, all processing occurs within the European Union (Frankfurt region) for primary infrastructure (Supabase, Qdrant, Render) and for default LLM routing (Mistral).
Optional LLM sub-processors operating outside the EU (Anthropic, OpenAI, Google Gemini — all USA) are engaged only if the Controller has not opted into "EU-only" mode in Settings. For such transfers:
- Standard Contractual Clauses (Decision 2021/914/EU) are in place between Eubulia and each non-EU sub-processor
- Where applicable, transfers rely on the EU-U.S. Data Privacy Framework adequacy decision
- Controller can disable all non-EU transfers at any time via Settings
12. Return and deletion of data
On termination of the Principal Agreement, the Controller has 30 days to export Customer Content via:
- Markdown export (chats, journal entries, transcripts, notes)
- JSON export (structured graph: people, risks, decisions, milestones)
- Source documents remain in Controller's own cloud throughout (Eubulia never had a copy)
After 30 days, Eubulia will hard-delete personal data from production systems. Backups expire over the following 30 days. The audit log of the deletion event is retained for 10 years as compliance evidence (containing only metadata: timestamp, categories deleted, no content).
If retention beyond 30 days is required by Union or Member State law (e.g. accounting records), the affected categories are documented to Controller, retained securely, and deleted at the end of the legal retention period.
13. Liability and indemnity
The Parties' liability under this DPA is governed by the Principal Agreement, except where applicable law (in particular GDPR Art. 82) provides otherwise. Liability for GDPR Art. 28 obligations cannot be limited below what GDPR mandates.
14. Term, termination, and order of precedence
This DPA is effective for the duration of the Principal Agreement and for the data-return/deletion period in Section 12.
In the event of conflict between this DPA, the Principal Agreement (Terms of Service), and the Privacy Policy, the order of precedence is:
- This DPA (for matters within its scope)
- The Principal Agreement
- The Privacy Policy
15. Governing law
This DPA is governed by the laws of Denmark. Disputes are subject to the jurisdiction of the Copenhagen City Court.
Annexes
Annex I — Description of processing
Categories of data subjects: as described in Section 3.
Categories of personal data: as described in Section 3.
Frequency of processing: Continuous, on Controller demand.
Nature and purpose of processing: as described in Section 2.
Period of processing: for the term of the Principal Agreement plus the deletion period in Section 12.
Annex II — Technical and organizational measures (TOMs)
Encryption: TLS 1.3 in transit; AES-256 at rest via Supabase managed encryption.
Confidentiality: Authentication required for all access. JWT sessions. Supabase Auth with Google + Microsoft SSO. Per-organization Row-Level Security on 15 core tables; org_id isolation on 35 tables.
Integrity: Bitemporal data model — every state change preserved as a new version with system-time and source-time timestamps. No silent updates.
Availability: Daily encrypted backups. 30-day rolling backup window. Disaster recovery via Supabase managed backup tooling.
Access controls: Customer self-administers user access within their organization. Eubulia staff (currently: the founder) access Customer Content only with explicit Customer consent or for service troubleshooting Customer has reported.
Sub-processor management: Annual review of sub-processor list. 30-day advance notification of changes. Sub-processors bound by data-protection terms no less protective than this DPA.
Logging: All processing activities logged. Logs retained 90 days rolling for service operations; LLM-usage events retained 5 years for billing reconciliation.
Reviews: Annual TOM review. Material updates communicated to Customer.
Incident response: 72-hour breach notification per Section 8. Founder maintains a documented response procedure.
Annex III — Authorized sub-processors
Current list maintained at /legal/sub-processors. Summary as of last update:
- Infrastructure (always engaged): Supabase (EU PostgreSQL), Qdrant (EU vector DB), Render (EU application hosting)
- LLM providers (engaged based on Customer settings + GDPR mode): Mistral (EU, default), Anthropic (USA, opt-in), OpenAI (USA, opt-in), Google Gemini (USA, opt-in)
- Operational tooling: Sentry (error monitoring, sanitized), Langfuse (LLM observability), Stripe (billing — engaged at GA)
Get a signed copy
Email hello@eubulia.eu with subject "DPA request" and your full legal name + organization name. We return a DocuSign-ready PDF within 2 business days. Standard amendments are accommodated; non-standard amendments are reviewed case-by-case.