Data Processing Agreement

GDPR-compliant data processing terms for Protectron services.

Version 2.0 | Effective: January 1, 2025 | Last Updated: December 2025

This Data Processing Agreement ("DPA") forms part of the Agreement between Protectron B.V. ("Protectron", "we", "us", or "Processor") and the entity identified in the applicable Order Form or subscription agreement ("Customer", "you", or "Controller") for the provision of the Protectron platform and related services (the "Services").

This DPA reflects the parties' agreement with regard to the Processing of Personal Data in accordance with the requirements of Data Protection Laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR").

1. Definitions

"Data Protection Laws"

All applicable laws and regulations relating to the processing of Personal Data, including (i) the GDPR; (ii) national implementing laws in EU Member States; (iii) the UK GDPR and UK Data Protection Act 2018; and (iv) any other applicable data protection legislation.

"Data Subject"

An identified or identifiable natural person whose Personal Data is Processed.

"Personal Data"

Any information relating to a Data Subject that is Processed by Protectron on behalf of Customer in connection with the Services.

"Processing"

Any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.

"Security Incident"

Any unauthorized access to, or acquisition, use, loss, destruction, or disclosure of Personal Data.

"Sub-processor"

Any third party engaged by Protectron to Process Personal Data on behalf of Customer.

"Standard Contractual Clauses (SCCs)"

The standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission Decision (EU) 2021/914.

Terms not defined herein shall have the meaning set forth in the GDPR.

2. Scope and Roles

2.1 Customer as Controller

Customer is the Controller of Personal Data. Customer determines the purposes and means of Processing Personal Data and is responsible for compliance with Data Protection Laws as they apply to Controllers.

2.2 Protectron as Processor

Protectron is the Processor of Personal Data. Protectron Processes Personal Data only on behalf of and in accordance with Customer's documented instructions.

2.3 Nature of Processing

Protectron Processes Personal Data to provide the Services, which include:

  • EU AI Act compliance management
  • AI system risk classification
  • Requirement tracking and documentation
  • Audit trail logging and evidence management
  • Document generation
  • Compliance reporting

2.4 Categories of Data Subjects

  • Customer's employees and contractors
  • Customer's end users interacting with Customer's AI systems
  • Individuals whose data appears in audit trails or compliance documentation

2.5 Types of Personal Data

  • Contact information (names, email addresses)
  • Employment information (job titles, departments)
  • AI interaction data (as logged by Customer's SDK integration)
  • User identifiers (which may be hashed)
  • Any other Personal Data Customer chooses to input into the Services

2.6 Duration

Protectron will Process Personal Data for the duration of the Agreement, plus any retention period specified herein or required by law.

3. Customer Responsibilities

3.1 Lawful Basis

Customer represents and warrants that:

  • (a) Customer has a lawful basis for Processing Personal Data;
  • (b) Customer has provided appropriate notices to Data Subjects;
  • (c) Customer has obtained any necessary consents;
  • (d) Customer's use of the Services complies with Data Protection Laws.

3.2 Instructions

Customer shall provide documented instructions for Processing. The Agreement, including this DPA, constitutes Customer's complete instructions at the time of signing. Customer may provide additional instructions consistent with the Agreement.

3.3 Data Accuracy

Customer is responsible for ensuring the accuracy of Personal Data submitted to the Services.

3.4 Security Configuration

Customer is responsible for:

  • (a) Maintaining the security of Customer's account credentials;
  • (b) Configuring appropriate access controls within the Services;
  • (c) Enabling available security features (e.g., MFA, SSO);
  • (d) Configuring PII redaction settings in the SDK if desired.

4. Protectron's Obligations

4.1 Processing Instructions

Protectron shall:

  • (a) Process Personal Data only on documented instructions from Customer, unless required by law;
  • (b) Inform Customer if, in Protectron's opinion, an instruction infringes Data Protection Laws;
  • (c) Immediately inform Customer if legally compelled to Process Personal Data contrary to instructions.

4.2 Confidentiality

Protectron shall ensure that persons authorized to Process Personal Data:

  • (a) Have committed to confidentiality or are under statutory obligation of confidentiality;
  • (b) Process Personal Data only on Customer's instructions.

4.3 Security Measures

Protectron shall implement and maintain appropriate technical and organizational measures to protect Personal Data, as described in Annex II (Security Measures).

4.4 Sub-processing

Protectron shall:

  • (a) Not engage a Sub-processor without Customer's prior authorization;
  • (b) Customer hereby provides general authorization for Sub-processors listed in Annex III;
  • (c) Notify Customer of any intended changes to Sub-processors at least 30 days in advance;
  • (d) Impose data protection obligations on Sub-processors equivalent to those in this DPA;
  • (e) Remain liable for Sub-processors' compliance with this DPA.

4.5 Data Subject Rights

Protectron shall:

  • (a) Assist Customer in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection);
  • (b) Provide tools within the Services to help Customer fulfill such requests;
  • (c) Promptly notify Customer if Protectron receives a request directly from a Data Subject.

4.6 Data Protection Impact Assessments

Protectron shall provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Data Protection Laws.

4.7 Security Incident Response

In the event of a Security Incident:

  • (a) Protectron shall notify Customer without undue delay, and in any event within 72 hours of becoming aware;
  • (b) Notification shall include available details about the incident, affected data, and remediation steps;
  • (c) Protectron shall cooperate with Customer's investigation and mitigation efforts;
  • (d) Protectron shall document Security Incidents and maintain records for Customer review.

4.8 Audit Rights

Protectron shall:

  • (a) Make available information necessary to demonstrate compliance with this DPA;
  • (b) Allow for and contribute to audits conducted by Customer or an independent auditor;
  • (c) Audits shall be conducted with reasonable notice, during business hours, and subject to confidentiality;
  • (d) Protectron may satisfy audit obligations by providing relevant certifications or audit reports (e.g., SOC 2).

4.9 Deletion and Return

Upon termination of the Agreement:

  • (a) Customer may export Personal Data using the Services' export functionality;
  • (b) Protectron shall delete Personal Data within 90 days of termination, unless retention is required by law;
  • (c) Protectron shall certify deletion upon Customer's request.

5. International Data Transfers

5.1 EU Data Residency

Protectron stores and processes all Personal Data within the European Economic Area (EEA). Customer data is stored in AWS EU (Frankfurt, Germany).

5.2 Restricted Transfers

If Processing involves transfer of Personal Data outside the EEA, Protectron shall ensure appropriate safeguards are in place:

  • (a) Transfer to countries with an adequacy decision;
  • (b) Standard Contractual Clauses (Module Two: Controller to Processor); or
  • (c) Other valid transfer mechanisms under Data Protection Laws.

5.3 Standard Contractual Clauses

Where SCCs apply:

  • (a) The parties agree to be bound by the SCCs incorporated by reference in Annex IV;
  • (b) For transfers from the EEA, Protectron is the "data importer" and Customer is the "data exporter";
  • (c) The technical and organizational measures in Annex II apply.

5.4 UK Transfers

For transfers subject to UK data protection law:

  • (a) The UK Addendum to the EU SCCs shall apply;
  • (b) References to the GDPR include the UK GDPR.

Annex II: Security Measures

Protectron implements the following technical and organizational measures:

Physical Security

  • Data center access restricted to authorized personnel
  • 24/7 security monitoring and surveillance
  • Environmental controls (fire suppression, climate control)
  • Provided by AWS with SOC 2 and ISO 27001 certification

Access Control

  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA) available
  • SSO integration for Enterprise customers
  • Automatic session expiration
  • Password complexity requirements

Data Encryption

  • TLS 1.3 (minimum TLS 1.2) for data in transit
  • AES-256-GCM encryption for data at rest
  • AWS KMS key management
  • Customer-managed keys available (Enterprise)

Network Security

  • Virtual Private Cloud (VPC) isolation
  • Web Application Firewall (WAF)
  • DDoS protection
  • Intrusion detection and prevention

Annex III: Sub-Processors

Customer authorizes Protectron to use the following Sub-processors:

Sub-processor              Purpose                                   Location                  Safeguards
Amazon Web Services (AWS)  Cloud infrastructure, hosting, storage    EU (Frankfurt, Germany)   DPA, SOC 2, ISO 27001
Stripe, Inc.               Payment processing                        USA                       DPA, SCCs, PCI DSS
OpenAI, LLC                AI-powered document generation            USA                       DPA, SCCs, SOC 2
Resend, Inc.               Transactional email delivery              USA                       DPA, SCCs
Vercel, Inc.               Application hosting                       EU/USA                    DPA, SCCs

Updates: Protectron will update this list and notify Customer at least 30 days before engaging a new Sub-processor. Customer may object to a new Sub-processor by contacting privacy@protectron.ai.

Contact Information

This DPA is incorporated into and forms part of the Agreement between Customer and Protectron. By using the Services, Customer agrees to this DPA.

For a countersigned copy of this DPA, please contact legal@protectron.ai.

This DPA is provided for informational purposes. For the legally binding version, please request a signed copy from legal@protectron.ai.