Data Processing Agreement
Last updated: March 2026
This is a standard Data Processing Agreement template based on GDPR Article 28 requirements. For a signed, binding copy tailored to your organization, contact legal@ai-deskflow.com. We recommend that you have this reviewed by your legal counsel before execution.
1. Definitions
- "Controller" means the Customer, who determines the purposes and means of the processing of Personal Data.
- "Processor" means ETERNA-APP INC. ("AI DeskFlow"), who processes Personal Data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
- "Processing" means any operation performed on Personal Data, as defined in GDPR Article 4(2).
- "Sub-processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
1b. Corporate Structure and Data Residency
ETERNA-APP INC. is incorporated in the State of Delaware, USA. As data processor, ETERNA-APP INC. fully complies with GDPR requirements applicable to non-EU processors under Article 3(2) and Chapter V of the Regulation. All EU customer data is stored and processed within the European Union through our infrastructure partner Supabase (EU-West region, AWS eu-west-1, Ireland). No EU personal data is transferred to US-based servers or data centers for storage or processing.
When the Customer selects the "EU Only" or "Local" data region in their workspace settings, AI processing is restricted to EU-hosted models (Mistral) or on-premise infrastructure respectively, ensuring no personal data leaves the EU at any point. For the "Cloud" data region, AI queries are sent to cloud LLM providers under their respective zero-retention data processing agreements.
2. Subject Matter and Duration
This DPA governs the processing of Personal Data by AI DeskFlow on behalf of the Customer in connection with the Customer's use of the AI DeskFlow platform. The duration of processing corresponds to the duration of the Customer's subscription agreement.
3. Nature and Purpose of Processing
AI DeskFlow processes Personal Data for the following purposes:
- Storing and indexing documents uploaded by the Customer
- Processing natural language queries against stored documents using AI models
- Generating vector embeddings of document content for semantic search
- Managing user accounts, authentication, and workspace access
- Processing subscription payments via Stripe
- Sending transactional emails (account verification, notifications)
4. Types of Personal Data
The following categories of Personal Data may be processed:
- Account data: name, email address, hashed password
- Document content: any personal data contained in documents uploaded by the Customer (which may include names, addresses, financial information, medical information, or other sensitive data depending on the Customer's use case)
- Usage data: timestamps, query counts, token usage, workspace identifiers
- Payment data: processed by Stripe (PCI DSS certified); AI DeskFlow does not store card numbers
5. Categories of Data Subjects
Data subjects may include:
- The Customer's employees and team members
- The Customer's clients, patients, or contacts (as referenced in uploaded documents)
- Any natural person whose data appears in documents uploaded to the platform
6. Obligations of the Processor
AI DeskFlow shall:
- Process Personal Data only on documented instructions from the Controller, unless required by EU or Member State law
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Section 8)
- Not engage another processor (sub-processor) without prior specific or general written authorization of the Controller (see Section 9)
- Assist the Controller in responding to requests from data subjects exercising their rights under GDPR Chapter III
- Assist the Controller in ensuring compliance with GDPR Articles 32 to 36 (security, breach notification, DPIA, prior consultation)
- At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage
- Make available to the Controller all information necessary to demonstrate compliance and allow for audits
7. Obligations of the Controller
The Controller shall:
- Ensure that there is a lawful basis for the processing of Personal Data
- Provide documented instructions to the Processor regarding the processing of Personal Data
- Ensure that data subjects are informed of the processing in accordance with GDPR Articles 13 and 14
- Not upload documents containing special categories of data (GDPR Article 9) unless the Controller has ensured an appropriate legal basis and has selected the Sovereign plan with private server processing
8. Security Measures
AI DeskFlow implements the following technical and organizational measures:
Encryption
- All data in transit encrypted via TLS 1.3 with HSTS preload
- API keys and sensitive credentials encrypted at rest with AES-256-GCM
- Unique initialization vector (IV) per encryption operation
Access control
- PostgreSQL Row-Level Security (RLS) on all database tables — workspace-scoped
- Authentication via Supabase Auth with JWT tokens
- Role-based access control (Owner, Admin, Member, Viewer)
- Rate limiting on all API endpoints (Upstash Redis)
Infrastructure
- Database hosted in Supabase EU-West (Ireland)
- Private servers provisioned in EU (Hetzner, Germany/Finland)
- Docker container isolation per client on private server plans
- HTTP security headers: HSTS, CSP, X-Frame-Options DENY, X-Content-Type-Options nosniff
Data minimization
- AI decision logs store input hashes (SHA-256), not plaintext prompts
- Optional PII anonymization masks personal data before cloud AI processing
- No SELECT * queries — explicit column selection on all database operations
For a detailed description of all security controls, see our Security & Architecture page.
9. Sub-processors
The Controller provides general authorization for the Processor to engage the following sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object.
| Sub-processor | Purpose | Location | Sovereign plan |
|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage | EU-West (Ireland) | Used (metadata only) |
| Vercel Inc. | Web application hosting | Global (US primary) | Used (web app only) |
| Stripe Inc. | Payment processing (PCI DSS Level 1) | US | Used |
| Resend Inc. | Transactional email delivery | US | Used |
| OpenAI Inc. | LLM inference, document embeddings | US | Not used |
| Anthropic Inc. | LLM inference | US | Not used |
| Groq Inc. | LLM inference | US | Not used |
| Hetzner Online GmbH | Private server hosting (optional) | EU (Germany/Finland) | Optional (managed) |
On the Sovereign plan with private server and local_only data region, OpenAI, Anthropic, and Groq are not contacted. All AI processing occurs on the Customer's own infrastructure.
10. International Data Transfers
Where Personal Data is transferred to sub-processors located outside the EU/EEA (specifically Vercel, Stripe, Resend, and optionally OpenAI, Anthropic, Groq — all US-based), such transfers are governed by:
- The EU-US Data Privacy Framework (where the sub-processor is certified)
- Standard Contractual Clauses (SCCs) as adopted by the European Commission
- The sub-processor's own DPA and data protection commitments
On the Sovereign plan with local_only data region, document content and AI queries do not leave EU-hosted infrastructure. Only account metadata (email, workspace name) is stored in Supabase EU-West.
11. Data Breach Notification
In the event of a Data Breach affecting the Controller's Personal Data, AI DeskFlow shall:
- Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach
- Provide the Controller with sufficient information to allow the Controller to meet its own notification obligations under GDPR Articles 33 and 34
- Take immediate steps to contain and remediate the breach
- Cooperate with the Controller and provide ongoing information as the investigation progresses
Breach notifications shall be sent to the email address associated with the Controller's account, as well as to any designated security contact.
12. Data Subject Rights
AI DeskFlow shall assist the Controller in responding to data subject requests under GDPR Chapter III:
- Right of access (Art. 15): Account data export available in Settings > Account > Export Data
- Right to rectification (Art. 16): Account information can be updated in Settings
- Right to erasure (Art. 17): Full account and data deletion available in Settings > Danger Zone. All documents, conversations, AI history, and embeddings are permanently deleted.
- Right to data portability (Art. 20): Data export in JSON format via the account export feature
- Right to restriction (Art. 18): Workspace can be deactivated by the Controller at any time
13. Data Retention and Deletion
- Documents: retained for the duration of the subscription. Deleted within 30 days of account deletion or upon Controller request.
- Conversations and AI history: retained for the duration of the subscription. Deleted with account deletion.
- Usage logs: retained for 24 months for billing and analytics purposes.
- AI decision logs: retained for 90 days (EU AI Act compliance). Contains input hashes only, not plaintext.
- Billing records: retained for 10 years as required by accounting regulations.
- Backups: purged within 30 days of data deletion request.
14. Audit Rights
The Controller has the right to conduct audits, including inspections, to verify AI DeskFlow's compliance with this DPA. AI DeskFlow shall:
- Make available all information necessary to demonstrate compliance with GDPR Article 28 obligations
- Allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller
- Provide access to AI decision audit logs (available via Dashboard > Security > Export)
- On the Cabinet and Enterprise plans, provide direct server access for inspection upon reasonable notice
15. Termination
Upon termination of the subscription agreement, AI DeskFlow shall, at the Controller's choice:
- Return all Personal Data in a portable format (JSON export), and/or
- Delete all Personal Data, including all copies, within 30 days
The Controller may exercise its right to data export at any time during the subscription via Settings > Account > Export Data. After termination and deletion, AI DeskFlow shall certify in writing that all data has been deleted.
16. Governing Law
This DPA shall be governed by the laws of the State of Delaware, United States, without regard to its conflict of laws provisions. For data subjects located in the EU/EEA, the mandatory provisions of GDPR shall prevail in case of conflict.
17. Contact
For questions about this DPA, data processing practices, or to request a signed copy:
- Legal: legal@ai-deskflow.com
- Data Protection Officer: dpo@ai-deskflow.com
- Security: security@ai-deskflow.com
ETERNA-APP INC. — 131 Continental Dr Suite 305, Newark, DE 19713, USA