Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Aktis SL ("Processor", "we") and the Customer ("Controller", "you") that has subscribed to the Euphania Service. It governs the processing of personal data by us on your behalf in the context of your use of the Service.

This DPA is designed to comply with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR, and comparable data protection laws.

1. Definitions

Terms such as "personal data", "data subject", "processing", "controller", "processor", and "supervisory authority" have the meanings given to them in the GDPR.

2. Subject matter and duration

We process personal data on your behalf for the duration of your Subscription to the Service. Upon termination, we will delete or return Customer Data within 30 days unless legally required to retain it.

3. Nature and purpose of processing

We process personal data to provide the Service: auditing product catalogues, generating AI content suggestions, publishing approved changes to connected platforms, billing, and customer support.

4. Categories of data subjects

Personal data processed under this DPA may relate to:

• Your staff who access the Service on your behalf.
• In rare cases, individuals whose names appear in product descriptions or metadata imported from your store.

The Service is not designed to process data about your end-customers. We do not access orders, customer records, or payment methods from connected stores.

5. Categories of personal data

• Identification data: names, email addresses.
• Account data: role, login metadata.
• Billing data: processed by our Merchant of Record.
• Usage data: application logs, timestamps.

6. Obligations of the Processor

We will:

• Process personal data only on your documented instructions.
• Ensure that personnel authorized to process personal data are bound by confidentiality obligations.
• Implement appropriate technical and organizational measures (see Section 9).
• Assist you with responding to data subject requests to the extent reasonably possible.
• Assist you with data protection impact assessments and consultations with supervisory authorities.
• Notify you without undue delay (within 72 hours where feasible) after becoming aware of a personal data breach.
• Make available information necessary to demonstrate compliance with this DPA.

7. Subprocessors

You authorize us to engage subprocessors. We remain responsible for the acts and omissions of our subprocessors as if they were our own.

Current subprocessors:

• Railway Corp. — application hosting — USA
• Anthropic, PBC — AI inference (Claude API) — USA
• Lemon Squeezy / Stripe, Inc. — Merchant of Record, payment processing — USA
• Resend — transactional email delivery — USA
• Netlify, Inc. — website hosting — USA

We will give at least 30 days' notice before adding or replacing a subprocessor. You may object on reasonable data-protection grounds; if we cannot accommodate your objection, you may terminate your Subscription as your sole remedy.

8. International data transfers

Where personal data is transferred outside the European Economic Area or the United Kingdom, we rely on one of the following lawful transfer mechanisms:

• Adequacy decisions issued by the European Commission.
• Standard Contractual Clauses (EU 2021/914) and UK International Data Transfer Addendum.
• Other appropriate safeguards as required by applicable law.

9. Security measures

We implement the following technical and organizational measures:

• Encryption of personal data in transit (TLS 1.2+) and at rest.
• Strict access controls, with access granted on a need-to-know basis.
• Strong authentication on all administrative systems.
• Isolated production and development environments.
• Regular security reviews and dependency updates.
• Logging and monitoring of production access.
• Incident response procedures.
• Regular backups and tested restoration procedures.

10. Data subject rights

We will provide reasonable assistance to help you respond to requests from data subjects (access, rectification, erasure, etc.). Where a data subject contacts us directly, we will inform them that they should contact you.

11. Return and deletion of data

Upon termination, we will delete all personal data processed on your behalf within 30 days, unless applicable law requires retention. On request and within the same period, we can export your product data in a common machine-readable format.

12. Audit rights

Upon reasonable prior notice, we will make available to you the information necessary to demonstrate compliance with this DPA. On-site audits may be conducted once per calendar year at your cost, limited to normal business hours and subject to our confidentiality requirements.

13. Liability

The limitations of liability set out in the Terms of Service apply to this DPA.

14. Changes

We may update this DPA to reflect changes in law, practice, or subprocessors. Material changes will be notified at least 30 days in advance.

15. Contact

For questions or to designate a data protection point of contact, email info@aktisandorra.com.