← Trust Center Draft template — sign-ready copy on request

Data Processing Agreement

GDPR Article 28 contract between you (Controller) and Eubulia (Processor) for personal data you store in Eubulia about your own clients and contacts.

Template version: 1.0 · Last updated: 2026-05-04 · Processor: Søren Porskrog, Eubulia (Copenhagen, Denmark) · Contact: hello@eubulia.eu

This page is the public template

For an executable, signed copy of this DPA tailored to your name and organization, email hello@eubulia.eu with subject "DPA request". We send a DocuSign-ready version within 2 business days. Material amendments are accepted by case-by-case review.

Contents
  1. Parties and definitions
  2. Subject matter, duration, nature, and purpose
  3. Categories of data subjects and personal data
  4. Controller obligations
  5. Processor obligations
  6. Sub-processors
  7. Technical and organizational measures
  8. Personal data breach notification
  9. Assistance with data subject rights
  10. Audit rights and information
  11. International data transfers
  12. Return and deletion of data
  13. Liability and indemnity
  14. Term, termination, and order of precedence
  15. Governing law
  16. Annex I — Description of processing · Annex II — TOMs · Annex III — Sub-processors

1. Parties and definitions

This Data Processing Agreement ("DPA") forms part of and is incorporated into the Terms of Service ("Principal Agreement") between:

"Personal data", "data subject", "controller", "processor", "sub-processor", "processing", and "appropriate technical and organizational measures" have the meanings given in the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR").

2. Subject matter, duration, nature, and purpose

3. Categories of data subjects and personal data

Categories of data subjects (typical, non-exhaustive — depends on Controller's input):

Categories of personal data (typical):

Special categories (Art. 9 GDPR): Not requested by Eubulia. If Controller chooses to input such data, Controller bears responsibility for the lawful basis and informs Eubulia (via Settings → Identity → "Sensitive data flag") so we can apply additional handling.

4. Controller obligations

The Controller represents and warrants that:

5. Processor obligations

Eubulia shall:

6. Sub-processors

The Controller grants general written authorization to Eubulia to engage sub-processors to assist in providing the service.

The current list of authorized sub-processors is published at /legal/sub-processors. The list at the time of agreement is reproduced in Annex III.

Eubulia shall:

7. Technical and organizational measures

Specific TOMs are described in Annex II below and on our security page at /legal/security. They include:

8. Personal data breach notification

Eubulia shall notify the Controller without undue delay, and in any event within 72 hours after becoming aware of a personal data breach affecting Controller's data. The notification shall describe:

Eubulia will assist the Controller in fulfilling its own notification obligations to supervisory authorities (Art. 33) and data subjects (Art. 34) where applicable.

9. Assistance with data subject rights

Eubulia shall assist the Controller, by appropriate technical and organizational measures and to the extent possible, in fulfilling Controller's obligations to respond to data subject requests under GDPR (access, rectification, erasure, restriction, portability, objection).

10. Audit rights and information

Eubulia shall make available to the Controller information necessary to demonstrate compliance with this DPA. On reasonable request, Eubulia will:

11. International data transfers

By default, all processing occurs within the European Union (Frankfurt region) for primary infrastructure (Supabase, Qdrant, Render) and for default LLM routing (Mistral).

Optional LLM sub-processors operating outside the EU (Anthropic, OpenAI, Google Gemini — all USA) are engaged only if the Controller has not opted into "EU-only" mode in Settings. For such transfers:

12. Return and deletion of data

On termination of the Principal Agreement, the Controller has 30 days to export Customer Content via:

After 30 days, Eubulia will hard-delete personal data from production systems. Backups expire over the following 30 days. The audit log of the deletion event is retained for 10 years as compliance evidence (containing only metadata: timestamp, categories deleted, no content).

If retention beyond 30 days is required by Union or Member State law (e.g. accounting records), the affected categories are documented to Controller, retained securely, and deleted at the end of the legal retention period.

13. Liability and indemnity

The Parties' liability under this DPA is governed by the Principal Agreement, except where applicable law (in particular GDPR Art. 82) provides otherwise. Liability for GDPR Art. 28 obligations cannot be limited below what GDPR mandates.

14. Term, termination, and order of precedence

This DPA is effective for the duration of the Principal Agreement and for the data-return/deletion period in Section 12.

In the event of conflict between this DPA, the Principal Agreement (Terms of Service), and the Privacy Policy, the order of precedence is:

  1. This DPA (for matters within its scope)
  2. The Principal Agreement
  3. The Privacy Policy

15. Governing law

This DPA is governed by the laws of Denmark. Disputes are subject to the jurisdiction of the Copenhagen City Court.

Annexes

Annex I — Description of processing

Categories of data subjects: as described in Section 3.

Categories of personal data: as described in Section 3.

Frequency of processing: Continuous, on Controller demand.

Nature and purpose of processing: as described in Section 2.

Period of processing: for the term of the Principal Agreement plus the deletion period in Section 12.

Annex II — Technical and organizational measures (TOMs)

Encryption: TLS 1.3 in transit; AES-256 at rest via Supabase managed encryption.

Confidentiality: Authentication required for all access. JWT sessions. Supabase Auth with Google + Microsoft SSO. Per-organization Row-Level Security on 15 core tables; org_id isolation on 35 tables.

Integrity: Bitemporal data model — every state change preserved as a new version with system-time and source-time timestamps. No silent updates.

Availability: Daily encrypted backups. 30-day rolling backup window. Disaster recovery via Supabase managed backup tooling.

Access controls: Customer self-administers user access within their organization. Eubulia staff (currently: the founder) access Customer Content only with explicit Customer consent or for service troubleshooting Customer has reported.

Sub-processor management: Annual review of sub-processor list. 30-day advance notification of changes. Sub-processors bound by data-protection terms no less protective than this DPA.

Logging: All processing activities logged. Logs retained 90 days rolling for service operations; LLM-usage events retained 5 years for billing reconciliation.

Reviews: Annual TOM review. Material updates communicated to Customer.

Incident response: 72-hour breach notification per Section 8. Founder maintains a documented response procedure.

Annex III — Authorized sub-processors

Current list maintained at /legal/sub-processors. Summary as of last update:

Get a signed copy

Email hello@eubulia.eu with subject "DPA request" and your full legal name + organization name. We return a DocuSign-ready PDF within 2 business days. Standard amendments are accommodated; non-standard amendments are reviewed case-by-case.