Data Processing Agreement (DPA)

Effective: 7 July 2026 · Version 1.0 · Compliant with GDPR Article 28

Short version. This DPA governs how ROLAXIT INNOVATION SRL (the AIFied operator, "Processor") handles personal data on behalf of business customers (the "Controller") when they use the AIFied platform. It complements our Terms of Service and Privacy Policy. If you're a consumer, this DPA doesn't apply to you — the Privacy Policy covers your case.

Table of contents
  1. Parties and scope
  2. Definitions
  3. Subject matter, nature and purpose of processing
  4. Categories of data and data subjects
  5. Controller obligations
  6. Processor obligations
  7. Security measures (Annex II)
  8. Sub-processors (Annex III)
  9. International data transfers
  10. Data subject rights
  11. Personal data breach notification
  12. Audit rights
  13. Return or deletion of data
  14. Liability, term, governing law
  15. How to accept this DPA

1. Parties and scope

1.1. The Processor ("we", "AIFied")
ROLAXIT INNOVATION SRL
Sediu social: București, str. Ștubei 38, sector 3, România
CUI: 42351163 · Reg. Comerțului: J40/3171/03.03.2020
Administrator: Gheorghe Rusu
DPO / Privacy contact: hi@aified.online · Telefon: +40 740 661 660

1.2. The Controller ("you", "Customer") — the business entity that has subscribed to AIFied and accepted this DPA, either during checkout, by written signature, or by continued use of the Service after receiving notice of this DPA.

1.3. This DPA applies to all Personal Data processed by us on your behalf as part of providing the AIFied Service (as defined in the Terms of Service). It does not cover data we process as an independent Controller (e.g., your account contact details, billing info) — that's governed by our Privacy Policy.

1.4. In case of conflict between this DPA and the Terms of Service, this DPA prevails for matters of personal data processing.

2. Definitions

3. Subject matter, nature and purpose of processing

3.1. Subject matter: processing of Personal Data by AIFied for the purpose of providing the Service to the Controller — namely drafting, scheduling and (where authorized) auto-publishing marketing content on the Controller's behalf.

3.2. Nature of processing: collection, storage, retrieval, generation via AI models, transmission to third-party publishing platforms (LinkedIn, Facebook, Instagram, Reddit, Bluesky, Zernio, Telegram, etc.), deletion.

3.3. Purpose of processing: exclusively to provide the Service under the Terms of Service and this DPA. No processing for our independent purposes (marketing, model training, resale) is performed on data processed under this DPA.

3.4. Duration: for the duration of the subscription, plus a 30-day grace period after termination for potential reactivation, then deletion per section 13.

4. Categories of Personal Data and Data Subjects

4.1. Categories of Data Subjects

4.2. Categories of Personal Data

4.3. Special categories of Personal Data. AIFied is not designed for the processing of GDPR Art. 9 special categories (health, biometrics, political opinions, etc.). The Controller shall not knowingly submit such data to the Service. If it inadvertently happens, we treat it under the same technical measures as regular data, but the Controller remains solely responsible.

5. Controller obligations

5.1. The Controller warrants that:

5.2. The Controller is responsible for the accuracy, quality and legality of the Personal Data it provides to us.

6. Processor obligations (GDPR Art. 28.3)

We shall:

6.1. Documented instructions. Process Personal Data only on the Controller's documented instructions — including with regard to transfers of Personal Data to a third country or an international organization — unless required to do so by EU or Romanian law (in which case we notify the Controller before processing, unless the law prohibits notification for reasons of public interest).

6.2. Confidentiality. Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

6.3. Security. Implement appropriate technical and organizational measures per GDPR Art. 32 — detailed in Annex II (section 7 below).

6.4. Sub-processors. Engage sub-processors only under the conditions in section 8.

6.5. Assist the Controller. Taking into account the nature of processing, assist the Controller by appropriate technical and organizational measures, insofar as possible, for the fulfilment of the Controller's obligation to respond to requests for exercising Data Subject rights (Chapter III GDPR).

6.6. Assist with compliance obligations. Assist the Controller in ensuring compliance with the obligations pursuant to GDPR Art. 32 to 36 (security, breach notification, DPIA, consultation), taking into account the nature of processing and the information available to us.

6.7. Return or delete data. At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services relating to processing, and delete existing copies unless EU or Romanian law requires storage — see section 13.

6.8. Make available all information. Make available to the Controller all information necessary to demonstrate compliance with GDPR Art. 28, and allow for and contribute to audits — see section 12.

7. Security measures (Annex II)

We maintain the following technical and organizational measures. This list may evolve — we may implement equivalent or more protective measures without amending this DPA, provided the level of protection is not reduced.

7.1. Physical security

7.2. Access control

7.3. Encryption

7.4. Availability and resilience

7.5. Logging and auditability

7.6. Personnel

7.7. Vendor management

8. Sub-processors (Annex III)

8.1. The Controller provides general written authorization for us to engage sub-processors, subject to the conditions of this section.

8.2. Current sub-processors as of the effective date:

Sub-processorServiceLocationTransfer mechanism
Hetzner Online GmbHProduction hosting (VPS, storage)Germany (EU)N/A (intra-EU)
Stripe Payments Europe Ltd.Subscription billingIreland (EU)N/A (intra-EU)
Google LLC (Gemini API)LLM inference for drafting agentsUSA (with EU regional endpoints where available)SCCs (2021/914) + supplementary measures
OpenAI Ireland Ltd.LLM fallback for drafting agentsIreland (EU) with USA sub-processingSCCs (2021/914)
Anthropic PBCOccasional LLM use for specific agentsUSASCCs (2021/914)
Brevo SASTransactional email (welcome, invoices, password reset)France (EU)N/A (intra-EU)
Sentry (Functional Software Inc.)Error monitoring (opt-out available)USASCCs (2021/914) + IP anonymization
Cloudflare Inc.DNS, DDoS protection, CDN for public assetsGlobal (data proxied via EU nodes where possible)SCCs (2021/914)

8.3. Notification of changes. We publish the current sub-processor list at this URL. When we add, remove or replace a sub-processor, we update this list and notify subscribed Controllers by email at least 15 days in advance.

8.4. Right to object. If the Controller has reasonable, documented GDPR-based objections against a new sub-processor, they may notify us within 15 days of receiving notice. We will work in good faith to address the concerns. If we cannot, the Controller may terminate the affected Service portion with a pro-rated refund of prepaid amounts.

8.5. Flow-down obligations. We contractually impose on each sub-processor the same data protection obligations as set out in this DPA — in particular sufficient guarantees to implement appropriate technical and organizational measures.

9. International data transfers

9.1. Personal Data primarily stays in the EU/EEA (Hetzner Germany infrastructure).

9.2. Where transfer to a third country is necessary (LLM inference, error monitoring, CDN), we rely on:

9.3. The Controller hereby authorizes us to enter into and execute Standard Contractual Clauses with sub-processors on the Controller's behalf, for the purposes of the transfers described above.

10. Data subject rights

10.1. Where a Data Subject contacts us directly with a request under GDPR Art. 12-22, we will:

10.2. On written request, we assist the Controller with the following, at no additional cost within the scope of the subscription:

10.3. Where the volume of requests significantly exceeds typical use, we may agree with the Controller on additional charges for extraordinary technical work.

11. Personal data breach notification

11.1. If we become aware of a Personal Data Breach affecting Controller data, we will notify the Controller without undue delay and in any event within 72 hours of becoming aware.

11.2. Notification includes, to the extent then known:

11.3. We support the Controller in complying with its own notification obligations under GDPR Art. 33 and 34.

12. Audit rights

12.1. We will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and GDPR Art. 28, including copies of relevant certifications, penetration testing summaries and sub-processor DPAs (where public).

12.2. Once per calendar year, the Controller may request an audit — either performed by the Controller's authorized auditor (at Controller's expense) or by a mutually agreed independent third-party auditor. The audit is conducted with reasonable notice (at least 30 days), during business hours, in a manner that does not disrupt production systems.

12.3. For Controllers with < €10,000/year subscription value, section 12.2 audits are limited to written questionnaires and documentation review — no on-site audit — unless a Personal Data Breach or documented material GDPR concern justifies otherwise.

13. Return or deletion of data

13.1. Upon termination of the Service, at the Controller's written choice within 30 days after termination, we will:

13.2. If the Controller does not make a choice within 30 days, we default to deletion.

13.3. Backups may retain Personal Data for up to 30 additional days due to backup rotation; access to such backups is restricted to disaster recovery scenarios only, and the data is not reused.

13.4. We may retain data where required by law (e.g., invoicing records under Romanian accounting law), for the minimum period required, under confidentiality and access-restriction measures.

14. Liability, term, governing law

14.1. This DPA is effective as of the first date the Controller accepts it (electronically or in writing) and remains in force for the duration of the Service.

14.2. Liability under this DPA is limited to the extent permitted by the Terms of Service, save that neither party's liability under GDPR to Data Subjects is limited by this DPA where the applicable law prohibits such limitation.

14.3. This DPA is governed by Romanian law. Disputes are submitted to the exclusive jurisdiction of the competent courts of Bucharest.

15. How to accept this DPA

Acceptance. This DPA is deemed accepted when you (a) create a paid subscription on aified.online and check the "I accept the Terms of Service, Privacy Policy and Data Processing Agreement" checkbox, (b) countersign an emailed copy, or (c) continue using the Service more than 15 days after receiving a notice of DPA update, whichever comes first.

If you need a countersigned PDF version of this DPA for your records or your compliance team, email hi@aified.online from a Controller-authorized address, mentioning your company name and VAT ID. We countersign within 5 business days.

Contact

Questions about this DPA or GDPR compliance? Email hi@aified.online.