🇪🇺 GDPR Article 28 Compliant | EU-First Data Processing

Data Processing Agreement (DPA)

Last updated: January 17, 2026
Version 1.0 - GDPR Compliant

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer", "Data Controller") and Unify Technology, s.r.o. ("Processor", "we", "our") and governs the processing of Personal Data in accordance with the General Data Protection Regulation (GDPR - Regulation EU 2016/679).

1. Definitions

The following terms shall have the meanings set out below:

  • "Controller" means you, the customer, who determines the purposes and means of processing Personal Data.
  • "Processor" means Unify Technology, s.r.o., who processes Personal Data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4(1) GDPR.
  • "Processing" means any operation performed on Personal Data as defined in Article 4(2) GDPR.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
  • "Supervisory Authority" means an independent public authority responsible for monitoring GDPR compliance.
  • "Standard Contractual Clauses" (SCCs) means the EU Commission's approved clauses for international data transfers.

2. Scope and Application

2.1 Application

This DPA applies when the Customer processes Personal Data through the Service. The Customer acts as Data Controller, and Advine.ai acts as Data Processor.

2.2 Processing Activities

The Processor shall process Personal Data for the following purposes:

  • Providing the PPC monitoring service as described in the Terms of Service
  • Synchronizing campaign data from connected advertising platforms
  • Generating alerts, reports, and analytics
  • Providing customer support and technical assistance
  • Maintaining and improving the Service security and performance

2.3 Hierarchy of Documents

In case of conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.

3. Processor's Obligations (Article 28 GDPR)

3.1 Processing Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to third countries, unless required to do so by EU or Member State law.

Documented Instructions: The Terms of Service, this DPA, and written instructions provided through the Service dashboard or via email to support@advine.ai.

3.2 Confidentiality

The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3 Security Measures (Article 32 GDPR)

The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption: AES-256-GCM for sensitive data at rest; TLS 1.3 for data in transit
  • Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA)
  • Network Security: Firewall protection, DDoS mitigation, intrusion detection
  • Database Security: Row-level security (RLS), encrypted backups, audit logging
  • Application Security: Regular security audits, penetration testing, vulnerability scanning
  • Physical Security: SOC 2 Type II certified data centers (Supabase infrastructure)
  • Monitoring: Real-time error tracking (Sentry), 24/7 uptime monitoring
  • Incident Response: Documented incident response plan, 72-hour breach notification

Detailed security measures are described in our Security Policy.

3.4 Sub-processors

The Controller provides general authorization for the Processor to engage Sub-processors. The Processor shall:

  • Maintain an up-to-date list of Sub-processors (see Section 9 below)
  • Notify the Controller of any intended changes concerning Sub-processors (30 days' advance notice)
  • Impose the same data protection obligations on Sub-processors via written contract
  • Remain fully liable to the Controller for Sub-processor performance

The Controller may object to Sub-processor changes within 30 days of notification. If the Controller objects, they may terminate the Service.

3.5 Data Subject Rights

The Processor shall, to the extent possible, assist the Controller in fulfilling Data Subject requests to exercise their rights under Chapter III GDPR:

  • Right of Access (Art. 15): Export functionality in dashboard
  • Right to Rectification (Art. 16): Edit capabilities in account settings
  • Right to Erasure (Art. 17): Account deletion functionality (permanently deletes data within 30 days)
  • Right to Restrict Processing (Art. 18): Account suspension option
  • Right to Data Portability (Art. 20): JSON/CSV export of all Customer Data
  • Right to Object (Art. 21): Revoke platform connections, opt-out of marketing

The Processor will respond to Data Subject requests forwarded by the Controller within 10 business days.

3.6 Assistance with Controller's Obligations

The Processor shall assist the Controller in:

  • Ensuring compliance with security obligations (Art. 32 GDPR)
  • Notification of personal data breaches (Art. 33 GDPR)
  • Data protection impact assessments (Art. 35 GDPR) - upon request
  • Prior consultation with Supervisory Authorities (Art. 36 GDPR) - upon request

Such assistance may be subject to additional fees for services beyond standard Service operations.

3.7 Data Breach Notification

The Processor shall notify the Controller without undue delay and in any event within 24 hours of becoming aware of a Personal Data breach affecting the Controller's data.

Notification shall include:

  • Description of the nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of Personal Data records affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

Email notification to: [Customer's designated email]

3.8 Deletion or Return of Data

Upon termination of the Service, the Processor shall, at the Controller's choice:

  • Delete: Permanently delete all Personal Data within 30 days of termination
  • Return: Provide a copy of all Personal Data in portable format (JSON/CSV)

Exception: The Processor may retain Personal Data to the extent required by EU or Member State law (e.g., tax records for 10 years).

3.9 Audit and Inspection Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

Audit Process:

  • Controller must provide 30 days' written notice
  • Audits limited to once per year (unless regulatory requirement or breach)
  • Audits conducted during business hours with minimal disruption
  • Controller bears costs of audits (unless breach is found)
  • Auditor must sign NDA before accessing Processor systems

SOC 2 Reports: In lieu of audits, the Processor provides annual SOC 2 Type II reports (via our infrastructure provider Supabase).

4. Controller's Obligations

4.1 Compliance with Law

The Controller warrants that it processes Personal Data in compliance with all applicable data protection laws, including GDPR, and has obtained all necessary consents or legal bases for processing.

4.2 Processing Instructions

The Controller is responsible for ensuring that its processing instructions comply with applicable laws. If the Processor believes an instruction violates GDPR, it shall immediately inform the Controller.

4.3 Data Quality

The Controller is responsible for the accuracy, quality, and legality of Personal Data provided to the Processor.

5. Data Categories and Subjects

5.1 Categories of Data Subjects

  • Employees, contractors, and agents of the Controller
  • Authorized Users of the Controller's organization
  • Clients of the Controller (if client portal is used)

5.2 Categories of Personal Data

  • Identity Data: Name, email address, phone number, job title
  • Account Data: Username, password (hashed), profile photo
  • Technical Data: IP address, browser type, device information
  • Usage Data: Pages viewed, features used, session duration
  • Platform Data: OAuth tokens (encrypted), advertising account IDs
  • Billing Data: Company name, VAT ID, billing address

5.3 Special Categories of Data

The Service is NOT intended to process special categories of Personal Data under Article 9 GDPR (e.g., health data, biometric data, racial origin). The Controller must NOT upload such data to the Service.

6. International Data Transfers

๐ŸŒ EU-First Data Processing

Primary data processing occurs within the European Union. Limited transfers to US (email delivery via Resend) are covered by Standard Contractual Clauses (SCCs).

6.1 Data Residency Guarantee

ALL Personal Data is processed and stored exclusively in the European Union:

Service | Provider | Location | Data Center
Database & Auth | Supabase | 🇮🇪 Ireland | AWS eu-west-1 (Dublin)
Application Hosting | Vercel | 🇩🇪 Germany | fra1 (Frankfurt)
Error Tracking | Sentry | 🇩🇪 Germany | ingest.de.sentry.io (Frankfurt)
Analytics | PostHog | 🇪🇺 EU | eu.i.posthog.com
Payment Processing | Stripe | 🇪🇺 EU | EU entities only

6.2 International Transfers

The majority of data processing occurs within the EU/EEA. For limited data transfers to the United States (email delivery via Resend), appropriate safeguards are in place:

  • ✅ Standard Contractual Clauses (SCCs) - EU Commission Decision 2021/914
  • ✅ Data Processing Agreement with Resend Inc.
  • ✅ Transfer limited to email addresses and alert content only

All core data processing (database, authentication, analytics, error tracking) remains exclusively in the EU.

6.3 Backup and Disaster Recovery

All backups and disaster recovery systems are also located exclusively in EU data centers:

  • Primary backups: Same EU region (automated daily)
  • Geo-redundancy: Secondary EU region only (if enabled)
  • Archive storage: EU-only cloud storage

6.4 Verification & Audits

The Controller may request evidence of EU-only processing:

  • Infrastructure audit reports (annual)
  • Sub-processor DPAs with data residency clauses
  • Network logs showing no traffic to non-EU endpoints

7. Data Retention

7.1 Retention Periods

Data Category | Retention Period | Legal Basis
Account Data | Account lifetime + 30 days | Contract performance
Campaign Metrics | 90 days (configurable) | Contract performance
Logs | 30 days | Legitimate interest (security)
Billing Records | 10 years | Legal obligation (tax law)
Support Tickets | 2 years | Legitimate interest

7.2 Automated Deletion

The Processor employs automated deletion scripts to ensure Personal Data is not retained beyond the specified periods.

8. Liability and Indemnification

8.1 Liability Allocation

Each party's liability under this DPA is subject to the limitation of liability provisions in the Terms of Service, except where GDPR mandates otherwise.

8.2 GDPR Fines

In the event of a GDPR fine imposed due to a party's breach of this DPA:

  • Processor breaches: Processor indemnifies Controller for fines attributable to Processor's actions
  • Controller breaches: Controller indemnifies Processor for fines attributable to Controller's instructions

9. List of Sub-processors

9.1 Current Sub-processors

Sub-processor | Service | Location | Data Center | Safeguards
Supabase Inc. | Database hosting, authentication | 🇮🇪 EU ONLY | AWS eu-west-1 (Dublin) | SOC 2 Type II, GDPR DPA
Vercel Inc. | Application hosting, edge functions | 🇩🇪 EU ONLY | fra1 (Frankfurt) | SOC 2, GDPR DPA, EU region enforced
Sentry (Functional Software Inc.) | Error tracking, performance monitoring | 🇩🇪 EU ONLY | ingest.de.sentry.io (Frankfurt) | GDPR DPA, PII scrubbing, EU data residency
PostHog Inc. | Product analytics, feature flags | 🇪🇺 EU ONLY | eu.i.posthog.com | GDPR compliant, no third-party sharing
Stripe Inc. | Payment processing (tokenized) | 🇪🇺 EU Entity | EU operations | PCI-DSS Level 1, GDPR DPA
Upstash Inc. | Redis caching, rate limiting | 🇪🇺 EU ONLY | eu-west-1 (Ireland) | SOC 2 Type II, GDPR DPA
Railway Corporation | Background worker hosting | 🇪🇺 EU ONLY | EU Region | SOC 2 Type II, GDPR DPA
Resend Inc. | Transactional email delivery | 🇺🇸 USA (SCCs) | AWS US | SOC 2 Type II, GDPR DPA, SCCs

✅ 7 of 8 Sub-processors process data exclusively in EU/EEA. Resend (email delivery) is covered by Standard Contractual Clauses.

Note on Stripe: Stripe Payments Europe Ltd. (Irish entity) handles EU customer payments. Payment data is tokenized and stored in EU. No raw credit card data is stored by Processor.

9.2 Sub-processor Change Notification

Controller will be notified of Sub-processor changes via:

10. Term and Termination

10.1 Term

This DPA shall commence on the Effective Date of the Terms of Service and shall remain in effect until termination of the Service.

10.2 Survival

Sections 3.7 (Data Breach), 3.8 (Deletion), 8 (Liability), and 10 (Term) survive termination.

11. Governing Law and Jurisdiction

This DPA is governed by the laws of the Czech Republic. Disputes shall be resolved in the courts of Prague, Czech Republic.

Nothing in this DPA limits the rights of Data Subjects under GDPR or the jurisdiction of Supervisory Authorities.

12. Contact Information

For DPA-related inquiries:

✅ GDPR Compliance Guarantee

This DPA is compliant with Article 28 GDPR. Because all data processing occurs exclusively within the EU/EEA, no Standard Contractual Clauses (SCCs) are required. By using the Service, this DPA is automatically incorporated into your Terms of Service.

Version: 1.0
Effective Date: January 17, 2026
Processor: Unify Technology, s.r.o., IČO: 17266637, Korunní 2569/108, Vinohrady, Praha 10, Czech Republic