Data Processing Agreement
Standard Data Processing Agreement (DPA) for enterprise customers using Pauhu services.
Overview
This Data Processing Agreement ("DPA") forms part of the Master Services Agreement between Pauhu AI Ltd ("Processor", "we", "us") and the customer organization ("Controller", "you") for the provision of AI-powered language services.
Effective Date: Upon execution of Master Services Agreement
GDPR Basis: Article 28 (Processor obligations)
1. Definitions
| Term | Definition |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person |
| Processing | Any operation performed on Personal Data |
| Data Subject | The individual whose Personal Data is processed |
| Sub-processor | Third party engaged by Processor to process Personal Data |
| Controller | Entity determining purposes and means of processing |
| Processor | Entity processing Personal Data on behalf of Controller |
2. Scope of Processing
2.1 Subject Matter
Processing of Personal Data submitted by Controller through Pauhu services:
- Translation API
- Speech-to-Text API
- Text-to-Speech API
- Document processing services
2.2 Nature and Purpose
| Purpose | Processing Activity |
|---|---|
| Service provision | Translating, analyzing, or converting submitted content |
| Quality assurance | Verifying output accuracy (automated) |
| Error handling | Logging errors for debugging (anonymized) |
| Performance | Measuring response times and throughput |
2.3 Duration
Processing continues for the duration of the Master Services Agreement plus:
- 30 days for data deletion
- As required by law for audit records
3. Processor Obligations
3.1 Processing Instructions
We will:
- Process Personal Data only on documented instructions from Controller
- Inform Controller if instructions violate applicable law
- Not process data for our own purposes
3.2 Security Measures
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.3 minimum |
| Encryption at rest | AES-256 |
| Access control | Role-based, least privilege |
| Authentication | MFA required for all systems |
| Monitoring | 24/7 security monitoring |
3.3 Sub-processors
Current sub-processors:
| Sub-processor | Location | Purpose |
|---|---|---|
| Cloudflare, Inc. | EU (Germany, Netherlands) | Infrastructure, CDN |
| Hetzner Online GmbH | Germany, Finland | Server hosting |
| Stripe, Inc. | EU (Ireland) | Payment processing |
Sub-processor changes:
- 30 days advance notice before adding sub-processors
- Controller may object within 14 days
- If objection not resolved, either party may terminate affected services
3.4 Data Subject Rights
We will assist Controller in responding to Data Subject requests:
| Right | Response Time |
|---|---|
| Access | 72 hours |
| Rectification | 72 hours |
| Erasure | 72 hours |
| Portability | 72 hours |
3.5 Data Breach Notification
In case of Personal Data breach:
| Action | Timeline |
|---|---|
| Detection | Continuous monitoring |
| Assessment | Within 4 hours |
| Controller notification | Within 24 hours |
| Detailed report | Within 72 hours |
4. Data Location
4.1 Data Residency
All Personal Data is processed within the EU/EEA:
| Service | Data Location |
|---|---|
| API processing | Cloudflare EU (Germany, Netherlands) |
| Data storage | Hetzner (Finland, Germany) |
| Backups | Hetzner (Finland) |
4.2 International Transfers
Standard practice: No transfers outside EU/EEA
If transfer required:
- Standard Contractual Clauses (SCC) in place
- Transfer Impact Assessment conducted
- Controller notified in advance
5. Data Retention and Deletion
5.1 Retention Periods
| Data Type | Retention | Basis |
|---|---|---|
| API request content | Not stored (transient) | Privacy by design |
| Audit logs | 7 years | Legal requirement |
| Error logs | 90 days | Debugging |
| Usage metrics | 13 months | Analytics |
5.2 Deletion Procedures
Upon contract termination or Controller request:
| Action | Timeline |
|---|---|
| Cease processing | Immediate |
| Delete active data | 30 days |
| Delete backups | 90 days |
| Provide deletion certificate | On request |
6. Governing Law
This DPA is governed by:
- Primary: Finnish law
- GDPR: Regulation (EU) 2016/679
- Disputes: Helsinki District Court
7. Execution
To execute this DPA:
- Enterprise customers: DPA included in Master Services Agreement
- Self-service: Accept during account creation
- Custom terms: Contact legal@pauhu.ai
Contact
Data Protection Officer: dpo@pauhu.ai
Legal inquiries: legal@pauhu.ai
Security questions: security@pauhu.ai
Response time: 2 business days