Data Processing Agreement (DPA)
Effective: 7 July 2026 · Version 1.0 · Compliant with GDPR Article 28
Short version. This DPA governs how ROLAXIT INNOVATION SRL (the AIFied operator, "Processor") handles personal data on behalf of business customers (the "Controller") when they use the AIFied platform. It complements our Terms of Service and Privacy Policy. If you're a consumer, this DPA doesn't apply to you — the Privacy Policy covers your case.
- Parties and scope
- Definitions
- Subject matter, nature and purpose of processing
- Categories of data and data subjects
- Controller obligations
- Processor obligations
- Security measures (Annex II)
- Sub-processors (Annex III)
- International data transfers
- Data subject rights
- Personal data breach notification
- Audit rights
- Return or deletion of data
- Liability, term, governing law
- How to accept this DPA
1. Parties and scope
ROLAXIT INNOVATION SRL
Sediu social: București, str. Ștubei 38, sector 3, România
CUI: 42351163 · Reg. Comerțului: J40/3171/03.03.2020
Administrator: Gheorghe Rusu
DPO / Privacy contact: hi@aified.online · Telefon: +40 740 661 660
1.2. The Controller ("you", "Customer") — the business entity that has subscribed to AIFied and accepted this DPA, either during checkout, by written signature, or by continued use of the Service after receiving notice of this DPA.
1.3. This DPA applies to all Personal Data processed by us on your behalf as part of providing the AIFied Service (as defined in the Terms of Service). It does not cover data we process as an independent Controller (e.g., your account contact details, billing info) — that's governed by our Privacy Policy.
1.4. In case of conflict between this DPA and the Terms of Service, this DPA prevails for matters of personal data processing.
2. Definitions
- Applicable Data Protection Law — Regulation (EU) 2016/679 (GDPR), Romanian Law 190/2018, and any other applicable EU/EEA privacy law.
- Personal Data — as defined in GDPR Art. 4(1): any information relating to an identified or identifiable natural person.
- Processing — as defined in GDPR Art. 4(2).
- Controller / Processor / Sub-processor — as defined in GDPR Art. 4(7), 4(8) and Recital 81.
- Data Subject — the natural person whose Personal Data is processed.
- Personal Data Breach — as defined in GDPR Art. 4(12).
- Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
3. Subject matter, nature and purpose of processing
3.1. Subject matter: processing of Personal Data by AIFied for the purpose of providing the Service to the Controller — namely drafting, scheduling and (where authorized) auto-publishing marketing content on the Controller's behalf.
3.2. Nature of processing: collection, storage, retrieval, generation via AI models, transmission to third-party publishing platforms (LinkedIn, Facebook, Instagram, Reddit, Bluesky, Zernio, Telegram, etc.), deletion.
3.3. Purpose of processing: exclusively to provide the Service under the Terms of Service and this DPA. No processing for our independent purposes (marketing, model training, resale) is performed on data processed under this DPA.
3.4. Duration: for the duration of the subscription, plus a 30-day grace period after termination for potential reactivation, then deletion per section 13.
4. Categories of Personal Data and Data Subjects
4.1. Categories of Data Subjects
- The Controller's employees, contractors and representatives who use the AIFied dashboard;
- The Controller's customers, subscribers or leads whose contact details are stored via lead-magnet capture, CRM sync, or email-forward parsing;
- Third parties (journalists, community members, Reddit posters) whose public statements are used as input to the Fleet's drafting agents.
4.2. Categories of Personal Data
- Account data: name, email address, password hash, plan, IP address, session tokens.
- Brand memory: founder story, banned words, voice examples, target audience descriptions, competitor names (as provided by the Controller).
- Content data: drafts generated by the Fleet, publishing history, engagement metrics from third-party platforms.
- Integration data: OAuth tokens for connected platforms (LinkedIn, GSC, Zernio, Bluesky, etc.), IMAP credentials where the Controller enables Featured/Connectively/Qwoted email parsing.
- Lead data: email addresses collected via lead magnets, source page URL, timestamp.
- Public inputs: Reddit posts, LinkedIn creator posts, journalist queries — as scraped/parsed for input to drafting agents.
4.3. Special categories of Personal Data. AIFied is not designed for the processing of GDPR Art. 9 special categories (health, biometrics, political opinions, etc.). The Controller shall not knowingly submit such data to the Service. If it inadvertently happens, we treat it under the same technical measures as regular data, but the Controller remains solely responsible.
5. Controller obligations
5.1. The Controller warrants that:
- it has a valid lawful basis (GDPR Art. 6) for the processing operations it entrusts to us;
- it has provided any legally required notices to Data Subjects (GDPR Art. 13/14);
- the instructions it gives us via the AIFied dashboard and API do not violate Applicable Data Protection Law;
- where consent is the legal basis (e.g., email marketing), consent has been obtained in a valid manner.
5.2. The Controller is responsible for the accuracy, quality and legality of the Personal Data it provides to us.
6. Processor obligations (GDPR Art. 28.3)
We shall:
6.1. Documented instructions. Process Personal Data only on the Controller's documented instructions — including with regard to transfers of Personal Data to a third country or an international organization — unless required to do so by EU or Romanian law (in which case we notify the Controller before processing, unless the law prohibits notification for reasons of public interest).
6.2. Confidentiality. Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.3. Security. Implement appropriate technical and organizational measures per GDPR Art. 32 — detailed in Annex II (section 7 below).
6.4. Sub-processors. Engage sub-processors only under the conditions in section 8.
6.5. Assist the Controller. Taking into account the nature of processing, assist the Controller by appropriate technical and organizational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights (Chapter III GDPR).
6.6. Assist with compliance obligations. Assist the Controller in ensuring compliance with the obligations pursuant to GDPR Art. 32 to 36 (security, breach notification, DPIA, consultation), taking into account the nature of processing and the information available to us.
6.7. Return or delete data. At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services relating to processing, and delete existing copies unless EU or Romanian law requires storage — see section 13.
6.8. Make available all information. Make available to the Controller all information necessary to demonstrate compliance with GDPR Art. 28, and allow for and contribute to audits — see section 12.
7. Security measures (Annex II)
We maintain the following technical and organizational measures. This list may evolve — we may implement equivalent or more protective measures without amending this DPA, provided the level of protection is not reduced.
7.1. Physical security
- Production servers hosted with Hetzner (Germany, EU), an ISO/IEC 27001-certified provider.
- No paper storage of Personal Data; laptops with disk encryption for authorized personnel.
7.2. Access control
- Role-based access control on the dashboard; passwords hashed with bcrypt.
- 2-factor authentication required for privileged infrastructure access (SSH keys with passphrase, no password login).
- Least-privilege principle for internal roles.
7.3. Encryption
- In transit: TLS 1.2+ (HTTPS) for all connections between users and the Service and between the Service and sub-processors.
- At rest: full-disk encryption on database volumes; OAuth tokens encrypted at column level with AES-256.
7.4. Availability and resilience
- Daily off-site database backups, 30-day retention.
- Automated monitoring and alerting for downtime, error rates, and abnormal usage.
- Documented incident response procedure with defined roles and communication channels.
7.5. Logging and auditability
- Application-level logs of authentication, sensitive actions (draft publication, integration disconnection, data export).
- Immutable audit trail for admin actions on customer data.
7.6. Personnel
- Confidentiality clauses in all engagement contracts.
- Security awareness training for anyone with access to production systems.
7.7. Vendor management
- Sub-processor selection based on GDPR compliance track record and public policy documentation.
- Written data processing agreements or SCCs where required.
8. Sub-processors (Annex III)
8.1. The Controller provides general written authorization for us to engage sub-processors, subject to the conditions of this section.
8.2. Current sub-processors as of the effective date:
| Sub-processor | Service | Location | Transfer mechanism |
|---|---|---|---|
| Hetzner Online GmbH | Production hosting (VPS, storage) | Germany (EU) | N/A (intra-EU) |
| Stripe Payments Europe Ltd. | Subscription billing | Ireland (EU) | N/A (intra-EU) |
| Google LLC (Gemini API) | LLM inference for drafting agents | USA (with EU regional endpoints where available) | SCCs (2021/914) + supplementary measures |
| OpenAI Ireland Ltd. | LLM fallback for drafting agents | Ireland (EU) with USA sub-processing | SCCs (2021/914) |
| Anthropic PBC | Occasional LLM use for specific agents | USA | SCCs (2021/914) |
| Brevo SAS | Transactional email (welcome, invoices, password reset) | France (EU) | N/A (intra-EU) |
| Sentry (Functional Software Inc.) | Error monitoring (opt-out available) | USA | SCCs (2021/914) + IP anonymization |
| Cloudflare Inc. | DNS, DDoS protection, CDN for public assets | Global (data proxied via EU nodes where possible) | SCCs (2021/914) |
8.3. Notification of changes. We publish the current sub-processor list at this URL. When we add, remove or replace a sub-processor, we update this list and notify subscribed Controllers by email at least 15 days in advance.
8.4. Right to object. If the Controller has reasonable, documented GDPR-based objections against a new sub-processor, they may notify us within 15 days of receiving notice. We will work in good faith to address the concerns. If we cannot, the Controller may terminate the affected Service portion with a pro-rated refund of prepaid amounts.
8.5. Flow-down obligations. We contractually impose on each sub-processor the same data protection obligations as set out in this DPA — in particular sufficient guarantees to implement appropriate technical and organizational measures.
9. International data transfers
9.1. Personal Data primarily stays in the EU/EEA (Hetzner Germany infrastructure).
9.2. Where transfer to a third country is necessary (LLM inference, error monitoring, CDN), we rely on:
- an adequacy decision under GDPR Art. 45 (e.g., EU-US Data Privacy Framework, where the sub-processor is certified);
- otherwise, Standard Contractual Clauses (Module 3 — Processor to Sub-processor) supplemented by additional technical measures (encryption at rest, restricted access, pseudonymization where feasible).
9.3. The Controller hereby authorizes us to enter into and execute Standard Contractual Clauses with sub-processors on the Controller's behalf, for the purposes of the transfers described above.
10. Data subject rights
10.1. Where a Data Subject contacts us directly with a request under GDPR Art. 12-22, we will:
- promptly forward the request to the Controller (if we can identify them);
- not respond substantively unless required by law or expressly authorized by the Controller.
10.2. On written request, we assist the Controller with the following, at no additional cost within the scope of the subscription:
- producing an export of Personal Data associated with a specific Data Subject;
- rectifying or erasing Personal Data upon Controller's instruction;
- restricting processing of specific data.
10.3. Where the volume of requests significantly exceeds typical use, we may agree with the Controller on additional charges for extraordinary technical work.
11. Personal data breach notification
11.1. If we become aware of a Personal Data Breach affecting Controller data, we will notify the Controller without undue delay and in any event within 72 hours of becoming aware.
11.2. Notification includes, to the extent then known:
- nature of the breach, categories and approximate number of Data Subjects and records affected;
- name and contact of the person providing more information;
- likely consequences of the breach;
- measures taken or proposed to address the breach and mitigate adverse effects.
11.3. We support the Controller in complying with its own notification obligations under GDPR Art. 33 and 34.
12. Audit rights
12.1. We will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and GDPR Art. 28, including copies of relevant certifications, penetration testing summaries and sub-processor DPAs (where public).
12.2. Once per calendar year, the Controller may request an audit — either performed by the Controller's authorized auditor (at Controller's expense) or by a mutually agreed independent third-party auditor. The audit is conducted with reasonable notice (at least 30 days), during business hours, in a manner that does not disrupt production systems.
12.3. For Controllers with < €10,000/year subscription value, section 12.2 audits are limited to written questionnaires and documentation review — no on-site audit — unless a Personal Data Breach or documented material GDPR concern justifies otherwise.
13. Return or deletion of data
13.1. Upon termination of the Service, at the Controller's written choice within 30 days after termination, we will:
- return all Controller Personal Data via a machine-readable export (JSON or CSV);
- or securely delete it from production systems and backups within a reasonable timeframe.
13.2. If the Controller does not make a choice within 30 days, we default to deletion.
13.3. Backups may retain Personal Data for up to 30 additional days due to backup rotation; access to such backups is restricted to disaster recovery scenarios only, and the data is not reused.
13.4. We may retain data where required by law (e.g., invoicing records under Romanian accounting law), for the minimum period required, under confidentiality and access-restriction measures.
14. Liability, term, governing law
14.1. This DPA is effective as of the first date the Controller accepts it (electronically or in writing) and remains in force for the duration of the Service.
14.2. Liability under this DPA is limited to the extent permitted by the Terms of Service, save that neither party's liability under GDPR to Data Subjects is limited by this DPA where the applicable law prohibits such limitation.
14.3. This DPA is governed by Romanian law. Disputes are submitted to the exclusive jurisdiction of the competent courts of Bucharest.
15. How to accept this DPA
Acceptance. This DPA is deemed accepted when you (a) create a paid subscription on aified.online and check the "I accept the Terms of Service, Privacy Policy and Data Processing Agreement" checkbox, (b) countersign an emailed copy, or (c) continue using the Service more than 15 days after receiving a notice of DPA update, whichever comes first.
If you need a countersigned PDF version of this DPA for your records or your compliance team, email hi@aified.online from a Controller-authorized address, mentioning your company name and VAT ID. We countersign within 5 business days.
Contact
Questions about this DPA or GDPR compliance? Email hi@aified.online.