Data Processing Agreement
Last updated: June 6, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between you ("Controller") and Softure UG (haftungsbeschränkt) ("Processor") for the provision of the Aira platform, pursuant to Article 28 of the General Data Protection Regulation (GDPR).
1. Scope & Purpose
The Processor processes personal data on behalf of the Controller solely for the purpose of providing AI evaluation, consensus scoring, and audit proof services as described in the Terms of Service.
2. Data Processed
- Data subjects: Controller's end users and individuals referenced in evaluation requests.
- Categories: Evaluation prompts, decision context, model responses, metadata (timestamps, request IDs).
- Special categories: Only if submitted by the Controller. The Controller is responsible for ensuring a lawful basis for any special-category data.
3. Sub-Processors
The Controller authorizes the use of the following sub-processors for AI model inference:
| Sub-Processor | Location | Purpose |
|---|---|---|
| OpenAI, Inc. | USA | AI model inference (GPT) |
| Anthropic, PBC | USA | AI model inference (Claude) |
| Google LLC | USA | AI model inference (Gemini) |
| Hetzner Online GmbH | Germany | Infrastructure hosting |
| Resend, Inc. | USA | Transactional email delivery |
| Stripe, Inc. | USA | Payment processing |
For US-based sub-processors, Standard Contractual Clauses (2021 version) are in place. Supplementary measures include: end-to-end TLS 1.3 encryption, AES-256-GCM encryption at rest, and hash-only mode (no raw data stored by default).
BYOK (Bring Your Own Key) Providers
The Aira platform allows Controllers to configure additional AI providers using their own API keys ("BYOK"). These providers include but are not limited to: xAI, DeepSeek, Mistral AI, Alibaba Cloud (Qwen), Amazon Web Services (Bedrock), Microsoft Azure (Azure OpenAI), and Moonshot AI.
When BYOK is enabled, data is transmitted directly from the Aira platform to the Controller-selected provider using the Controller's own API key. These providers are NOT sub-processors of Softure UG. The Controller is solely responsible for:
- Ensuring a lawful basis for data transfers to the selected provider (GDPR Articles 44–49)
- Establishing their own Data Processing Agreement with the provider
- Assessing data protection risks, including transfers to non-EU/EEA countries
Softure UG does not control, access, or store API keys provided by the Controller for BYOK providers. Keys are encrypted at rest using AES-256-GCM on the Controller's organization record.
Self-hosted deployments: When using Aira in self-hosted mode, no data is transmitted to Softure UG or any sub-processor listed above. All processing occurs on the Controller's own infrastructure. All AI providers are BYOK — the Controller is solely responsible for their provider relationships.
The Processor will inform the Controller of any intended changes to sub-processors at least 30 days in advance via email to the organization admin. If the Controller objects to a new sub-processor within the 30-day notice period, the Processor will either (a) not engage the sub-processor for the Controller's data, or (b) allow the Controller to terminate the Service without penalty.
The Processor ensures all sub-processors are contractually bound to equivalent GDPR Article 28 data protection obligations.
4. Data Flows & International Transfers
Evaluation requests are received via TLS 1.3-encrypted API calls, processed by the Processor's backend (EU — Hetzner, Germany), and forwarded to AI sub-processors for inference. Responses are aggregated, consensus is computed, and a cryptographically signed audit proof is generated and stored.
Data transfers to sub-processors in the USA are governed by Standard Contractual Clauses (2021 version, Commission Implementing Decision 2021/914). Supplementary measures include: (a) TLS 1.3 end-to-end encryption in transit, (b) AES-256-GCM encryption at rest, (c) hash-only mode by default (raw payloads not stored unless Controller opts in), (d) no unencrypted data at rest accessible to sub-processors.
5. Security Measures (Article 32)
The Processor implements the following technical and organizational measures pursuant to GDPR Article 32:
- Encryption in transit: TLS 1.3 for all API, inter-service, and sub-processor communication.
- Encryption at rest: AES-256-GCM for all stored data including provider API keys.
- Pseudonymization: Hash-only mode (SHA-256) by default — raw payloads not stored unless Controller opts in.
- Audit proof signing: Ed25519 digital signatures with RFC 3161 trusted timestamps.
- Access control: Role-based access (Owner, Admin, Member, Viewer) with API key + JWT authentication. Constant-time comparison for secrets.
- Infrastructure: Hosted in EU data centers (Hetzner Online GmbH, Falkenstein/Nuremberg, Germany). Data at rest never leaves the EU.
- Monitoring: Structured JSON logging, Prometheus metrics, automated alerting for unauthorized access.
- Rate limiting: Redis-backed sliding window rate limiter per IP and per organization.
- Deployments: Zero-downtime deployments via Traefik health-aware routing. No service interruption during updates.
6. Data Breach Notification
The Processor shall notify the Controller of any personal data breach without undue delay and no later than 72 hours after becoming aware of it. The notification will include:
- The nature of the breach and affected data categories
- The approximate number of data subjects affected
- The likely consequences of the breach
- The measures taken or proposed to mitigate the breach
- Contact details of the Processor's data protection point of contact
The Processor will provide follow-up reports within 7 days with investigation findings and remediation status. For breaches involving encrypted data where the encryption key was not compromised, the risk to data subjects is considered low.
7. Data Subject Rights
The Processor shall assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) by providing appropriate technical and organizational measures. The Processor will fulfill data subject access requests within 5 business days of the Controller's request, and erasure requests within 3 business days.
8. Audits
The Controller has the right to conduct audits, including inspections, to verify the Processor's compliance with this DPA. The Processor shall make available all information necessary to demonstrate compliance.
- Frequency: Up to one audit per year, or on-demand with cause.
- Notice: 10 business days' written notice required.
- Cost: The first annual audit is at no charge. Additional audits may be charged at reasonable cost.
- Scope: Relevant security logs, infrastructure documentation, and processing records.
- Alternative: The Processor may satisfy audit requests by providing current security certifications, penetration test results, or independent third-party audit reports.
9. Data Deletion & Return
When a team member leaves an organization, the Processor immediately anonymizes their personal data (email address and credentials). Audit log entries are preserved with the actor shown as "Deleted user" to maintain compliance records.
When the organization owner deletes the organization, the Processor permanently removes all personal data and organization data within 30 days. Audit proofs and evaluation records may be retained for up to 7 years as required by applicable law (German tax law HGB §257, EU AI Act Article 12). The Processor shall certify deletion in writing upon request.
Upon request before deletion, the Processor will export all Controller data in machine-readable format (JSON) at no additional charge.
10. Binding Effect
By accepting the Terms of Service, the Controller acknowledges and accepts this DPA as binding pursuant to GDPR Article 28(3). The Controller may request a countersigned copy by emailing customers@softure-ug.de.
11. Term & Governing Law
This DPA remains in effect for the duration of the service agreement and for as long as the Processor processes personal data on behalf of the Controller. It is governed by the laws of the Federal Republic of Germany. The exclusive place of jurisdiction is Berlin, Germany.
12. Contact
For DPA-related inquiries: customers@softure-ug.de