Data Processing Agreement
1 · Roles of the parties
You are the controller of the personal data you submit; Dossova is a processor acting on your documented instructions. Where Dossova determines its own purposes — for example account authentication and billing — it acts as an independent controller, as described in our Privacy Policy.
2 · Scope & instructions
We process personal data only to provide the service and on your documented instructions, unless required otherwise by EU or member- state law. The subject-matter, duration, nature and purpose of the processing, and the categories of data and data subjects, are set out in our Record of Processing Activities summary. Persons authorised to process the data are bound by confidentiality.
3 · Sub-processors
You give general authorisation for the sub-processors listed on our sub-processor register. Each is engaged under a written contract imposing the same data- protection obligations set out here. Before adding or replacing a sub-processor that handles personal data we update the register and, where required, give advance notice so you can object.
4 · International transfers
All customer data is stored at rest in the EU. The only transfers outside the EU are to OpenRouter and Vercel, both in transit only and both covered by the EU Standard Contractual Clauses together with a Data Processing Agreement. Customer content sent to the frontier model travels on a zero-retention, no-training route.
5 · Security measures
We apply technical and organisational measures appropriate to the risk: encryption in transit and at rest, least-privilege access, EU-only data residency, redacted telemetry (no personal data in logs or traces), single-use magic-link authentication, and short-lived, purged photo storage. Uploaded photos are deleted after the vision step; generated PDFs are retained for the statutory 10-year GPSR period.
6 · Assistance & audits
We assist you in responding to data-subject requests and in meeting your obligations for security, breach notification, data-protection impact assessments and prior consultation, taking into account the nature of the processing and the information available to us. We make available the information needed to demonstrate compliance and allow for and contribute to audits. We notify you without undue delay after becoming aware of a personal-data breach.
7 · Deletion on termination
On termination we delete or return the personal data we process on your behalf and delete existing copies, unless EU or member-state law requires retention — for example the 10-year GPSR document-retention obligation and tax-law payment records. To make a request, email privacy@dossova.com.