Data Processing Agreement

Last updated: 28 May 2026 · Version 1.0 (template)

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Uboros (the "Processor") and the customer that has executed those Terms (the "Controller"). It applies whenever the Processor processes personal data on the Controller's behalf in the course of providing the Uboros service (the "Service").

This DPA is published in template form so prospective customers can review it before signing up. A signed per-customer copy is available on request from [email protected].

Contents

Definitions
Scope and roles
Processor obligations
Sub-processors
International transfers
Security measures
Personal-data breach notification
Assistance to the Controller
Audit
Return and deletion of data
Liability
Term
Annexes

1. Definitions

Capitalised terms used and not otherwise defined in this DPA have the meaning given in the GDPR. In particular:

"Controller", "Processor", "Sub-processor", "Personal Data", "Processing" — as defined in GDPR Article 4.
"Customer Personal Data" — Personal Data that the Controller submits to or that is generated within the Service in the course of the Controller's use of it.
"Service" — the Uboros platform, as described in the Terms of Service.
"SCCs" — the Standard Contractual Clauses approved by the European Commission in Implementing Decision (EU) 2021/914.

2. Scope and roles

This DPA applies to the Processing of Customer Personal Data carried out by the Processor on behalf of the Controller. The Controller determines the purposes and means of the Processing; the Processor processes Customer Personal Data solely on the Controller's documented instructions, including the instructions set out in the Service configuration and these Terms.

Details of the Processing — categories of data, categories of data subjects, duration and purpose — are set out in Annex 1.

3. Processor obligations

The Processor undertakes to:

process Customer Personal Data only on the documented instructions of the Controller, including with regard to transfers to third countries;
ensure that persons authorised to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
implement appropriate technical and organisational measures as set out in Annex 2;
respect the conditions on engaging Sub-processors set out in Section 4;
taking into account the nature of the Processing, assist the Controller with appropriate technical and organisational measures to fulfil obligations to respond to requests from data subjects;
assist the Controller in ensuring compliance with security, breach-notification, impact-assessment, and consultation obligations under GDPR Articles 32–36;
at the choice of the Controller, return or delete all Customer Personal Data at the end of the Service, unless retention is required by Union or Member-State law;
make available all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28 and allow for and contribute to audits.

4. Sub-processors

The Controller grants the Processor general authorisation to engage Sub-processors to assist in providing the Service. The current list of Sub-processors is published in our Privacy Policy and is incorporated into this DPA by reference.

The Processor will inform the Controller of any intended changes to the list at least thirty (30) days before they take effect. The Controller may object to the change for reasonable cause within fifteen (15) days; if a satisfactory resolution cannot be agreed, the Controller may terminate the Service.

The Processor remains fully liable to the Controller for the performance of its Sub-processors' obligations.

5. International transfers

Where the Processor or a Sub-processor transfers Customer Personal Data outside the European Economic Area to a country without an adequacy decision, the transfer is governed by Module 2 (Controller-to-Processor) or Module 3 (Processor-to-Processor) of the SCCs. The SCCs are incorporated into this DPA by reference and prevail over any conflicting provision.

Where the SCCs require Annex specifications, the relevant details are set out in Annex 1 and Annex 2 of this DPA. The competent supervisory authority is the Comissão Nacional de Proteção de Dados (CNPD), Portugal.

6. Security measures

The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including those described in Annex 2. The measures will be reviewed and updated as appropriate; the Processor will not materially weaken them during the term.

7. Personal-data breach notification

The Processor will notify the Controller without undue delay, and where feasible within seventy-two (72) hours, of any confirmed Personal Data Breach affecting Customer Personal Data. The notification will include the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it.

8. Assistance to the Controller

Taking into account the nature of the Processing and the information available to the Processor, the Processor will provide reasonable assistance to the Controller with respect to:

responding to data-subject requests under GDPR Articles 15–22;
conducting data-protection impact assessments under Article 35;
consulting the supervisory authority under Article 36;
complying with security and breach-notification duties under Articles 32–34.

9. Audit

The Processor will make available to the Controller, on request, all information reasonably necessary to demonstrate compliance with this DPA, including third-party audit reports and certifications held by the Processor or its Sub-processors. The Controller may, no more than once per twelve-month period, request an audit of the Processor's compliance, on at least thirty (30) days' written notice. Any audit will be conducted during normal business hours and in a manner that does not unreasonably interfere with the Processor's operations.

10. Return and deletion of data

On termination or expiry of the Service, the Processor will, at the choice of the Controller, return or delete Customer Personal Data. The Service provides export functionality available for thirty (30) days after termination; after that period, the Processor will delete Customer Personal Data from active systems within a reasonable period, with backups cycled out within thirty (30) further days. Records required by law (e.g. invoicing records under Portuguese tax law) may be retained for the legally required period.

11. Liability

The liability of each party under this DPA is governed by the liability provisions of the Terms of Service. Nothing in this DPA limits or excludes any party's liability that cannot be limited or excluded under applicable law.

12. Term

This DPA enters into force on the date the Terms of Service are accepted and remains in force for as long as the Processor processes Customer Personal Data on behalf of the Controller, plus any extended period required by the obligations regarding return and deletion of data.

13. Annexes

Annex 1 — Details of the Processing

Subject matter: the provision of the Uboros service, including AI-assisted competitor research, brief generation, creative rendering, ad-account deployment, and performance analysis.

Duration: for the term of the Service plus the retention periods set out in this DPA and the Privacy Policy.

Nature and purpose: storage, hosting, indexing, AI inference, transmission to third-party generative-AI providers and ad-platforms, and computation of billing metrics.

Categories of data subjects: the Controller's employees, contractors, and other authorised users of the Service; in some cases, the Controller's customers or audience members whose identifying information may incidentally appear in marketing assets uploaded to the Service.

Categories of personal data: name; email; account credentials (stored as hashes or encrypted tokens); workspace metadata; uploaded creative assets; brief text; competitor watch-lists; performance metrics keyed by ad-account; billing and tax information.

Special categories: none expected; the Controller agrees not to submit data falling within GDPR Article 9 to the Service.

Annex 2 — Technical and organisational measures

The Processor implements the following measures, which it may improve, but will not materially weaken, during the term:

Encryption — TLS 1.3 in transit; AES-256 at rest for the application database and file storage.
Access control — role-based access; project-scoped tenancy; audit logging of administrative actions.
Authentication — passwords stored as PBKDF2-SHA256 salted hashes; multi-factor authentication offered for operator accounts.
Application security — CSRF protection; secure session cookies (Secure, HttpOnly, SameSite=Lax); content-security policies; rate limiting on sensitive endpoints; dependency-vulnerability scanning.
Secrets management — third-party API tokens stored encrypted and never returned to the client; environment-variable separation for development, staging, and production.
Backups and continuity — encrypted off-site backups retained for up to 30 days; recovery procedures tested periodically.
Personnel — confidentiality undertakings from all persons with access to Customer Personal Data; access on a need-to-know basis.
Incident response — documented incident-response procedure with 72-hour notification to the Controller for confirmed breaches.
Sub-processor management — written engagement terms with each Sub-processor consistent with this DPA.

Annex 3 — Sub-processors

See the list of Sub-processors in our Privacy Policy, which is incorporated into this DPA by reference and kept up to date.