tjata.eu

Data Processing Agreement (DPA)

Last Updated: December 5, 2025

This Data Processing Agreement ("DPA") is an addendum to the Terms of Service between Tjata.eu ("Company") and you ("Customer"). This DPA reflects the parties' agreement with regard to the processing of personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").

1. Definitions

For the purposes of this DPA, the terms "personal data," "processing," "data subject," "data controller," and "data processor" shall have the meanings ascribed to them in the General Data Protection Regulation (GDPR).

2. Processing of Personal Data

The Company, as the data processor, shall process personal data on behalf of the Customer, the data controller, only for the purpose of providing the services as described in the Terms of Service.

3. Data Subject Rights

The Company shall, to the extent legally permitted, promptly notify the Customer if it receives a request from a data subject to exercise the data subject's right of access, rectification, erasure, or other rights under the GDPR.

4. Security Measures

The Company implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Content Security Policy (CSP) - Protection against cross-site scripting (XSS) attacks
  • CSRF Protection - Prevention of cross-site request forgery attacks
  • Encrypted Sessions - 24-hour session expiry with HttpOnly, Secure, and SameSite cookies
  • Rate Limiting - Protection against brute-force and denial-of-service attacks
  • Input Sanitization - All user inputs are validated and sanitized
  • Privacy-Safe Logging - No personally identifiable information (PII) in system logs
  • Automated Security Scanning - Continuous vulnerability monitoring

5. Data Location

All personal data processed under this agreement is stored and processed within the European Union. The Company uses EU-hosted AI providers (including Mistral AI, hosted in France) to ensure data residency compliance.

6. Sub-processors

The Company may engage sub-processors to assist in providing the services. Current sub-processors include:

  • Mistral AI (France) - AI model hosting and inference
  • Hetzner (Germany) - Infrastructure and data storage

The Customer will be notified of any changes to sub-processors with at least 30 days' notice.

7. Data Breach Notification

In the event of a personal data breach, the Company shall notify the Customer without undue delay and in any case within 72 hours of becoming aware of the breach, providing all information necessary for the Customer to fulfill its own notification obligations.

8. Audit Rights

The Company shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.

9. Term and Termination

This DPA shall remain in effect for the duration of the processing of personal data by the Company. Upon termination of the services, the Company shall, at the Customer's choice, delete or return all personal data and delete existing copies unless EU or Member State law requires storage of the personal data.

10. EU Regulatory Alignment

This DPA and our security practices are designed in alignment with applicable EU regulations:

  • GDPR (EU) 2016/679 - Full compliance with data protection requirements
  • ePrivacy Directive - Electronic communications and cookie consent
  • EU Cybersecurity Act - Security measures following ENISA guidelines

We continuously monitor evolving EU regulations including the Cyber Resilience Act (CRA) and NIS2 Directive to ensure our practices remain aligned with European security standards.

11. Contact

For questions regarding this DPA or to exercise your rights, please contact us at: privacy@tjata.eu


© 2024-2026 tjata.eu. All rights reserved.
