Dossova
Effective · 04 Jul 2026v1.0Updated · 04 Jul 2026 UTC
ENES · soon

Data Processing Agreement

In short
This agreement governs how Dossova processes personal data on your behalf, under Article 28 GDPR. It forms part of our Terms of Service. The English version controls.

1 · Roles of the parties

You are the controller of the personal data you submit; Dossova is a processor acting on your documented instructions. Where Dossova determines its own purposes — for example account authentication and billing — it acts as an independent controller, as described in our Privacy Policy.

2 · Scope & instructions

We process personal data only to provide the service and on your documented instructions, unless required otherwise by EU or member- state law. The subject-matter, duration, nature and purpose of the processing, and the categories of data and data subjects, are set out in our Record of Processing Activities summary. Persons authorised to process the data are bound by confidentiality.

3 · Sub-processors

You give general authorisation for the sub-processors listed on our sub-processor register. Each is engaged under a written contract imposing the same data- protection obligations set out here. Before adding or replacing a sub-processor that handles personal data we update the register and, where required, give advance notice so you can object.

4 · International transfers

All customer data is stored at rest in the EU. The only transfers outside the EU are to OpenRouter and Vercel, both in transit only and both covered by the EU Standard Contractual Clauses together with a Data Processing Agreement. Customer content sent to the frontier model travels on a zero-retention, no-training route.

5 · Security measures

We apply technical and organisational measures appropriate to the risk: encryption in transit and at rest, least-privilege access, EU-only data residency, redacted telemetry (no personal data in logs or traces), single-use magic-link authentication, and short-lived, purged photo storage. Uploaded photos are deleted after the vision step; generated PDFs are retained for the statutory 10-year GPSR period.

6 · Assistance & audits

We assist you in responding to data-subject requests and in meeting your obligations for security, breach notification, data-protection impact assessments and prior consultation, taking into account the nature of the processing and the information available to us. We make available the information needed to demonstrate compliance and allow for and contribute to audits. We notify you without undue delay after becoming aware of a personal-data breach.

7 · Deletion on termination

On termination we delete or return the personal data we process on your behalf and delete existing copies, unless EU or member-state law requires retention — for example the 10-year GPSR document-retention obligation and tax-law payment records. To make a request, email privacy@dossova.com.