Legal
Data Processing Agreement
Effective date: [EFFECTIVE DATE] · Between the Customer (controller) and [COMPANY LEGAL ENTITY NAME] (processor)
1. Roles
For personal data contained in Customer content (tracked pages, business information, competitor data, member emails), the Customer acts as data controller and [COMPANY LEGAL ENTITY NAME] acts as data processor, processing personal data only on the Customer's documented instructions as expressed through the Service's configuration.
2. Scope of Processing
Subject matter: operation of the Auerua platform. Duration: the subscription term plus the retention window in the Privacy Policy. Nature and purpose: monitoring AI-engine citations, generating and publishing content, applying technical fixes, and reporting. Categories of data subjects: the Customer's workspace members and individuals referenced in Customer content. Categories of data: contact details, business information, and content data.
3. Subprocessors
The Customer authorises the subprocessors listed in the Privacy Policy (Supabase, Vercel, Stripe, Anthropic, OpenAI, Google, Perplexity, [TRANSACTIONAL EMAIL PROVIDER]). We will provide [NOTICE PERIOD, e.g. 30 days'] notice of subprocessor changes, during which the Customer may object on reasonable data-protection grounds.
4. Data Location
Primary data storage is in the Supabase region [SUPABASE REGION — verify in your Supabase project settings, e.g. ap-southeast-1 (Singapore)]. AI providers process request content in their own regions under their own terms; transfers are safeguarded by [TRANSFER MECHANISM, e.g. SCCs] where required.
5. Security Measures
- Row-level security isolating each workspace's data.
- AES-256-GCM encryption for stored credentials and API keys; write-only after saving.
- Secret redaction at all logging and error-persistence points.
- Access to production data restricted to [ACCESS POLICY].
6. Breach Notification
We will notify the Customer of a personal data breach affecting their data without undue delay and within [BREACH WINDOW, e.g. 72 hours]of becoming aware, providing the information reasonably required for the Customer's own notification obligations.
7. Return & Deletion
On termination, Customer data is exportable on request and deleted per the retention schedule in the Privacy Policy, except where retention is required by law.