# Data Processing Agreement (DPA)
**Effective date:** 2026-05-26
**Template version:** 1.0
**Status:** template — populate the bracketed fields before signing.
---
## 1. Parties
This Data Processing Agreement (the **DPA**) is entered into between:
- **[Customer name]**, of **[customer address]** (the **Controller**), and
- **AAS Studio** (the **Processor**),
each a "Party", together the "Parties".
This DPA forms part of, and supplements, the AAS Studio Terms of Service in
effect between the Parties (the **Principal Agreement**). In the event of
any conflict between this DPA and the Principal Agreement, the terms of
this DPA prevail with respect to the processing of Personal Data.
## 2. Subject matter, duration, nature and purpose
| Item | Description |
| --- | --- |
| Subject matter | Processing of Personal Data uploaded by the Controller to AAS Studio for the purpose of creating, editing, and validating Asset Administration Shell (AAS) files. |
| Duration | The term of the Principal Agreement, plus any retention period required by applicable law (maximum 30-day grace period after account deletion, per GDPR Article 17). |
| Nature & purpose | Storage, processing, and on-demand retrieval of AAS file content, extraction metadata, and audit trail entries. |
| Type of Personal Data | Account data (email, name, profile image), usage metrics, audit trail timestamps, and any Personal Data embedded by the Controller in uploaded source documents. |
| Categories of data subjects | The Controller's employees, contractors, end-customers, and any other natural persons referenced in uploaded documents. |
## 3. Processor obligations (Article 28)
The Processor shall:
1. Process Personal Data only on the documented instructions of the
Controller, including transfers to third countries (see §6).
2. Ensure that persons authorised to process Personal Data have committed
to confidentiality or are under an appropriate statutory obligation of
confidentiality.
3. Implement the technical and organisational measures listed in §5
("Security measures").
4. Engage another processor (sub-processor) only after informing the
Controller (see §7).
5. Assist the Controller in responding to data-subject rights requests
(Articles 15–22) — see the `/api/v1/me/export` and `DELETE /api/v1/me`
endpoints provided by AAS Studio.
6. Notify the Controller without undue delay (within 48 hours) on
becoming aware of a Personal Data breach.
7. At the end of the Principal Agreement, delete or return all Personal
Data, at the Controller's choice. The Processor's 30-day soft-delete
window applies; after that, all owned rows are hard-deleted via the
`/api/cron/finalize-deletions` daily cron.
8. Make available to the Controller all information necessary to
demonstrate compliance with Article 28 obligations, and allow for and
contribute to audits (subject to reasonable notice and a confidentiality
undertaking by the Controller's auditor).
## 4. Controller obligations
The Controller warrants that:
1. It has obtained all necessary consents, lawful bases, and notices
under GDPR Articles 6 and 13/14 for the Personal Data it uploads.
2. Its instructions to the Processor comply with applicable data
protection law.
3. It will not upload special categories of Personal Data (Article 9)
without first informing the Processor in writing and agreeing
supplementary measures.
## 5. Security measures (Article 32)
The Processor implements the following technical and organisational
measures appropriate to the risk:
- **Encryption in transit**: TLS 1.2+ on every network hop. Vercel-issued
certificates, HSTS enforced.
- **Encryption at rest**: AES-256 on the Postgres datastore (Neon).
- **Access control**: Role-based access via Clerk identity provider.
Two-factor authentication is available and recommended.
- **Audit trail**: Every model creation, certification, instance
derivation, and edit is recorded in the `AuditLog` surface accessible
via `/api/v1/audit-log`. Retention: 7 years per ESPR Article 9.
- **Cryptographic provenance**: ECDSA P-256 signatures on every signed
export via `/api/v1/extractions/{id}/sign` for tamper-evidence.
- **Network isolation**: Vercel serverless functions with no inbound
shell, no persistent VM. Database access only via short-lived
connection pool credentials.
- **Personnel**: All engineers are bound by written confidentiality and
complete GDPR awareness training annually.
- **Backups**: Neon's continuous PITR (point-in-time recovery) up to 7
days. No backup to off-region storage.
## 6. International transfers (Chapter V)
The Processor stores all Personal Data within the EU (Neon Frankfurt
region by default) unless the Controller selects a non-EU region in
writing. The following sub-processors may receive Personal Data outside
the EU under the listed safeguards:
| Sub-processor | Region | Purpose | Transfer mechanism |
| --- | --- | --- | --- |
| Vercel | USA (EU region for Enterprise) | Application hosting | SCCs + supplementary measures |
| Clerk | USA (EU residency available) | Authentication | SCCs |
| Anthropic / OpenAI / Google | USA | AI extraction (text only; no output stored) | SCCs |
| Resend | USA (EU residency available) | Transactional email | SCCs |
The Controller acknowledges that the Processor may update the
sub-processor list per §7.
## 7. Sub-processors (Article 28(2))
The current list of sub-processors is published at
**https://aas-studio.com/security**. The Processor will give the
Controller at least 30 days' notice of any addition or replacement by
email to the address registered on the Controller's account. The
Controller may object on reasonable grounds; if the Parties cannot
resolve the objection within 30 days, the Controller may terminate the
Principal Agreement without penalty.
## 8. Data-subject rights assistance
The Processor provides the following automated assistance:
- `GET /api/v1/me` — status of the data subject's account.
- `GET /api/v1/me/export` — zip of all rows owned by the subject (Article 15).
- `DELETE /api/v1/me` — schedule erasure (Article 17), with a 30-day
grace window.
Requests outside the automated surface (e.g. rectification of a single
field) should be sent to privacy@aas-studio.com; the Processor will
forward them to the Controller for instruction.
## 9. Breach notification
The Processor will notify the Controller within 48 hours of becoming
aware of a Personal Data breach, including:
1. Description of the breach.
2. Categories and approximate number of data subjects affected.
3. Likely consequences.
4. Measures taken or proposed.
The Controller is responsible for any notification to its supervisory
authority and affected data subjects under Articles 33 and 34.
## 10. Term and termination
This DPA enters into force on the Effective Date and continues for the
term of the Principal Agreement. Termination of the Principal Agreement
terminates this DPA. Sections 3.7, 5, 9, and 11 survive termination.
## 11. Liability and indemnity
Each Party's liability under this DPA is subject to the limits of
liability set out in the Principal Agreement.
## 12. Signatures
| For the Controller | For the Processor |
| --- | --- |
| Name: | Name: |
| Title: | Title: |
| Date: | Date: |
| Signature: | Signature: |
---
*This DPA is a template provided in good faith and does not constitute
legal advice. Both Parties should have their own legal counsel review
before signing.*