Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Aeloria and the Customer (each a "Party", together the "Parties") and governs the processing of personal data by Aeloria on behalf of the Customer in connection with the Service. This DPA is concluded pursuant to Article 28 of the EU General Data Protection Regulation 2016/679 ("GDPR") and Article 9 of the Swiss Federal Act on Data Protection ("revDSG").
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, processed by Aeloria on behalf of Customer in connection with the Service.
- "Processing" has the meaning given in GDPR Article 4(2).
- "Sub-Processor" means any third party engaged by Aeloria to process Personal Data on behalf of Customer.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
2. Roles
For the processing covered by this DPA, the Customer is the Controller and Aeloria is the Processor. Where Aeloria determines purposes and means of processing for its own purposes (e.g. account administration, security, service improvement), Aeloria acts as an independent Controller and such processing is governed by the Aeloria Privacy Policy rather than this DPA.
3. Subject Matter, Duration, Nature & Purpose
Subject matter: processing of Personal Data submitted by Customer to the Service for the purpose of providing AI visibility monitoring, scoring, and optimisation services.
Duration: for the term of the Subscription, plus any post-termination period during which Customer Data is retained under the Terms of Service.
Nature and purpose: hosting, storage, transmission, retrieval, organisation, structuring, analysis, and deletion of Personal Data as required to provide the Service. Detailed categories of data and Data Subjects are set out in Annex I.
4. Customer Instructions
Aeloria shall process Personal Data only on documented instructions from Customer. The Terms of Service, this DPA, and Customer's use of the Service through its standard interfaces constitute Customer's documented instructions. Aeloria shall promptly inform Customer if, in its opinion, an instruction infringes applicable data protection law.
5. Confidentiality
Aeloria ensures that persons authorised to process Personal Data are bound by appropriate confidentiality obligations and receive appropriate training.
6. Security Measures
Aeloria implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as detailed in Annex II. These measures will be reviewed periodically and updated as necessary.
7. Sub-Processors
7.1 General Authorisation. Customer grants Aeloria general authorisation to engage Sub-Processors for the processing of Personal Data under this DPA, subject to the conditions below.
7.2 List. The current list of Sub-Processors is set out in Annex III and is updated as Sub-Processors change.
7.3 Notification. Aeloria will notify Customer of any intended addition or replacement of Sub-Processors at least 30 days in advance.
7.4 Objection. If Customer has a reasonable, data-protection-based objection to a new Sub-Processor, the Parties will work in good faith to find a resolution. If no resolution is reached, Customer may terminate the affected portion of the Subscription with a pro-rated refund for any prepaid, unused amount.
7.5 Liability. Aeloria remains fully liable to Customer for any failure by a Sub-Processor to fulfil its data protection obligations and shall impose on each Sub-Processor data protection obligations equivalent to those in this DPA.
8. International Transfers
Where Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country not recognised as providing an adequate level of data protection, the Parties incorporate by reference the EU Standard Contractual Clauses set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, with the elements specified in Annex IV of this DPA. For transfers from Switzerland, the Parties additionally rely on the Swiss adaptations published by the Swiss Federal Data Protection and Information Commissioner.
9. Data Subject Requests
Aeloria shall, taking into account the nature of the processing, assist Customer in responding to requests from Data Subjects exercising their rights under the GDPR or revDSG. If Aeloria receives a request directly from a Data Subject, Aeloria will forward it to Customer without undue delay and will not respond directly except to acknowledge receipt.
10. Personal Data Breach Notification
Aeloria shall notify Customer without undue delay, and in any case within 48 hours, after becoming aware of a Personal Data breach affecting Customer's Personal Data. The notification shall include the information required under Article 33(3) GDPR, to the extent available.
11. Data Protection Impact Assessments
Aeloria shall provide reasonable assistance to Customer in carrying out Data Protection Impact Assessments and prior consultations with supervisory authorities, where required under Articles 35 and 36 GDPR.
12. Audits
Aeloria shall make available to Customer all information necessary to demonstrate compliance with this DPA. Customer may, no more than once per twelve-month period (and more frequently if there is reasonable cause), audit Aeloria's compliance by: (a) reviewing certifications, audit reports, and security documentation provided by Aeloria; (b) submitting a written questionnaire to be answered within 30 days; or (c) by prior written agreement, conducting an on-site inspection at Customer's cost with at least 30 days' advance notice.
13. Return & Deletion
Upon termination of the Subscription, Aeloria shall, at Customer's choice, return or delete all Personal Data processed on Customer's behalf, except where applicable law requires storage. Standard export tools are available through the Service for 30 days following termination. Backup copies may persist for up to 90 days before being deleted, during which time they remain subject to the security and confidentiality obligations of this DPA.
14. Liability
The Parties' liability under this DPA is subject to the limitations set out in the Terms of Service. Where mandatory law (in particular Article 82 GDPR) requires a different allocation of liability, that mandatory allocation applies.
15. Term & Termination
This DPA enters into force on the same date as the Terms of Service and terminates automatically on termination of the Terms of Service, except for provisions that by their nature should survive.
16. Entity Migration
Customer acknowledges that upon incorporation of Aeloria's future Swiss corporate entity (Aeloria GmbH or Aeloria AG), this DPA will be assigned to the new entity by operation of the Terms of Service. The new entity shall assume all obligations of the Processor under this DPA on and from the assignment date.
17. Governing Law
This DPA is governed by the substantive laws of Switzerland. The exclusive forum for disputes is the competent courts of the Canton of Zürich, Switzerland.
18. Order of Precedence
In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection obligations.
Annex I — Details of Processing
Categories of Data Subjects
- Customer's authorised users (employees, contractors of Customer)
- Where Customer is an agency: end-client representatives whose contact details Customer chooses to include in Workspaces
- Where Customer submits content containing personal data: any individuals identifiable in such content
Categories of Personal Data
- Identification data (name, email, organisation, job title)
- Account credentials (stored as salted hashes)
- Application log data (IP address, browser, timestamps, in-app actions)
- Billing data (name, address, VAT identifier; payment method tokens held by Stripe)
- Content submitted by Customer into Workspaces, where it contains personal data
Special Categories of Data
Aeloria does not intend to process special categories of data (Article 9 GDPR) or criminal conviction data (Article 10 GDPR). Customer agrees not to submit such data through the Service.
Frequency of Processing
Continuous, for the duration of the Subscription.
Nature of Processing Operations
- Collection, storage, organisation, and retrieval of account, billing, and Workspace data
- Transmission of brand-related prompts to AI Engine APIs for visibility measurement
- Analysis and scoring of AI Engine responses
- Generation of dashboards, reports, and recommendations
- Email and in-product communications
- Deletion or return upon termination
Purpose of Processing
Performance of the Service as described in the Terms of Service: AI visibility monitoring, scoring, and optimisation guidance for the Customer's brands.
Retention Periods
As set out in the Aeloria Privacy Policy. In summary: account data for the duration of the Subscription plus 12 months; billing data for 10 years (Swiss commercial law); application logs for 12 months; Workspace content for the Subscription plus 30 days.
Annex II — Technical and Organisational Security Measures
Access Control
- Authentication required for all user access; passwords stored as salted hashes
- Role-based access control distinguishing administrator, agency, brand, and viewer roles
- Multi-factor authentication available for all user accounts and required for administrative access
- Production database and infrastructure access restricted to named administrators
- Principle of least privilege applied to internal access
- Automatic session expiration after period of inactivity
Encryption
- All data in transit encrypted using TLS 1.2 or higher
- Data at rest encrypted using AES-256 or equivalent (provider-managed)
- Database backups encrypted at rest
- API keys and credentials stored in encrypted secrets management
Network Security
- Production infrastructure isolated within a virtual private network
- Firewall rules restricting inbound traffic to required ports and sources
- Separation of production, staging, and development environments
- HTTPS-only enforced on all public endpoints
Application Security
- Protection against common web vulnerabilities (OWASP Top 10) including SQL injection, XSS, CSRF
- Input validation and output encoding
- Rate limiting on authentication and sensitive endpoints
- Dependency vulnerability scanning
- Security review prior to major releases
Backup and Recovery
- Automated daily backups of production data with at least 30-day retention
- Periodic restore testing
- Documented disaster recovery procedure
Logging and Monitoring
- Audit logs of administrative actions and access to Customer Data
- Centralised logging with retention of at least 12 months
- Monitoring of production systems for anomalies and security events
- Alerting on critical security and availability events
Privacy by Design
- Cookieless website analytics (Umami) with no personal data collected
- Minimal use of cookies on aeloria.ai: strictly necessary session/CSRF cookies plus a single language-preference cookie
- No third-party tracking, advertising, or behavioural profiling technologies
- Data minimisation: limiting collection and retention to what is necessary for the Service
Organisational Measures
- Confidentiality obligations binding on all personnel and contractors
- Internal data protection and incident response procedures
- Vendor due diligence before engaging new Sub-Processors
- Annual review of security measures and update where necessary
Incident Response
- Documented incident response procedure
- Customer notification within 48 hours of confirmed Personal Data breach
- Post-incident review and remediation
Annex III — List of Sub-Processors
| Sub-Processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Amazon Web Services EMEA SARL | Application hosting, storage, compute | EU (Ireland / Frankfurt) | Intra-EEA / Swiss adequacy |
| Stripe Payments Europe Ltd. | Subscription billing and payment processing | Ireland | Intra-EEA / Swiss adequacy |
| OpenAI Ireland Ltd. / OpenAI L.L.C. | Querying ChatGPT for brand visibility measurement | Ireland / United States | EU SCCs + DPF (where certified) |
| Anthropic PBC | Querying Claude for brand visibility measurement | United States | EU SCCs |
| Google Ireland Ltd. / Google LLC | Querying Gemini and Google AI Overviews | Ireland / United States | EU SCCs + DPF (where certified) |
| Perplexity AI Inc. | Querying Perplexity for brand visibility measurement | United States | EU SCCs |
| Microsoft Ireland Operations Ltd. | Querying Copilot for brand visibility measurement | Ireland / United States | EU SCCs + DPF (where certified) |
| Postmark (ActiveCampaign LLC) | Transactional email delivery | United States | EU SCCs |
| Umami | Aggregate, cookieless website analytics — no personal data collected | EU | Intra-EEA / Swiss adequacy |
"DPF" refers to the EU–U.S. Data Privacy Framework. "EU SCCs" refers to the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914. Customer should verify any provider-specific Sub-Processor list before relying on it for their own compliance assessment, as Sub-Processors may change over time.
Annex IV — Standard Contractual Clauses: Module Selection and Specifications
The Parties incorporate the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 ("SCCs") by reference, with the following specifications. The official text of the SCCs is published in the Official Journal of the European Union and at commission.europa.eu.
1. Modules Applicable
Module Two (Controller to Processor) applies to transfers of Personal Data from Customer (as Controller) to Aeloria (as Processor).
Module Three (Processor to Sub-Processor) applies, where relevant, to onward transfers from Aeloria to Sub-Processors that are Processors.
2. Clause 7 — Docking Clause
The optional docking clause does not apply.
3. Clause 9 — Sub-Processor Authorisation
The Parties select Option 2 (general written authorisation). The minimum time period for notification of Sub-Processor changes is 30 days, as set out in Section 7.3 of this DPA.
4. Clause 11 — Redress
The optional independent dispute resolution body language does not apply. Data Subjects may bring complaints before the competent supervisory authority and the competent courts.
5. Clause 17 — Governing Law
The SCCs shall be governed by the law of Ireland, being a Member State allowing third-party beneficiary rights under the SCCs.
6. Clause 18 — Forum and Jurisdiction
Disputes arising from the SCCs shall be resolved by the courts of Ireland. This does not affect a Data Subject's right under Article 79 GDPR to bring proceedings in their country of habitual residence.
7. Annex I.A — List of Parties
Data Exporter: The Customer, as identified in the executed Terms of Service or Order Form. Contact details: those provided by Customer at the time of subscription. Activities relevant to data transferred: use of the Aeloria Service. Role: Controller (or Processor, where Customer itself acts on behalf of an end client).
Data Importer: Aeloria, business name of Matteo Panzavolta, sole proprietor, Im Lindengut 15, 8803 Rüschlikon, Switzerland. Contact: privacy@aeloria.ai. Activities relevant to data transferred: provision of the Service as described in the Terms of Service. Role: Processor (or Sub-Processor in the case of Module Three).
8. Annex I.B — Description of Transfer
As described in Annex I of this DPA: categories of data subjects, categories of personal data, frequency, nature, purpose, and retention.
9. Annex I.C — Competent Supervisory Authority
The Irish Data Protection Commission (Customer House, Custom House Quay, Dublin 1, Ireland) acts as the competent supervisory authority for the purposes of the SCCs, given the Module Two governing-law selection. For transfers originating in Switzerland, the Swiss Federal Data Protection and Information Commissioner (FDPIC, Feldeggweg 1, 3003 Bern) also has jurisdiction under the revDSG.
10. Annex II — Technical and Organisational Measures
As described in Annex II of this DPA.
11. Annex III — List of Sub-Processors
As described in Annex III of this DPA.
12. Swiss Adaptations
Where the data exporter is established in Switzerland or the transfer is otherwise subject to the revDSG, the Parties apply the Swiss adaptations to the SCCs published by the FDPIC, including: (a) references to the GDPR being read as including the revDSG; (b) the FDPIC being recognised as a competent supervisory authority; (c) references to EU Member States being read as including Switzerland.
13. UK Adaptations
Where the data exporter is established in the United Kingdom, the UK International Data Transfer Addendum to the SCCs, issued under section 119A of the UK Data Protection Act 2018, applies in addition to the SCCs.