Data Processing Addendum

GDPR (EU 2016/679) + CCPA/CPRA aligned

Last updated: March 2026

This Data Processing Addendum ("DPA") forms part of the agreement between the Customer and naffe.ai (the "Company") for the provision of the naffe.ai platform (the "Service"). This DPA applies to all processing of personal data by the Company on behalf of the Customer in connection with the Service. By using the Service, the Customer agrees to this DPA.

1. Definitions

In this DPA, capitalized terms have the following meanings:

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR, or "Personal Information" as defined under the CCPA/CPRA.
  • "Data Controller" (or "Business" under CCPA) means the Customer, who determines the purposes and means of processing Personal Data.
  • "Data Processor" (or "Service Provider" under CCPA) means the Company, which processes Personal Data on behalf of the Data Controller.
  • "Data Subject" (or "Consumer" under CCPA) means the identified or identifiable natural person to whom the Personal Data relates.
  • "Sub-processor" means any third party engaged by the Company to process Personal Data on behalf of the Customer.
  • "Supervisory Authority" means an independent public authority responsible for monitoring the application of data protection law, including the Danish Data Protection Agency (Datatilsynet).
  • "Standard Contractual Clauses" (or "SCCs") means the contractual clauses approved by the European Commission for the transfer of Personal Data to third countries, as set out in Commission Implementing Decision (EU) 2021/914.

2. Scope and Applicability

This DPA applies to the processing of Personal Data by the Company on behalf of the Customer in the course of providing the Service. This includes, but is not limited to:

  • Account creation and management
  • AI-powered application generation, editing, and hosting
  • Processing of data from third-party services connected by the Customer (e.g., Google Calendar, Gmail, Stripe)
  • Backend infrastructure provisioning for Customer applications
  • Billing, credit metering, and subscription management
  • Customer support and service communications

This DPA does not apply to data that the Company processes as a Data Controller in its own right (e.g., website analytics, marketing to prospective customers), which is governed by the Company's Privacy Policy.

3. Roles and Responsibilities

3.1 Customer as Data Controller

The Customer is the Data Controller and determines the purposes and means of processing Personal Data through the Service. The Customer is responsible for:

  • Ensuring a lawful basis for processing Personal Data submitted to the Service
  • Providing any required notices to, and obtaining any required consents from, Data Subjects
  • Ensuring the accuracy and relevance of Personal Data provided to the Service
  • Complying with applicable data protection laws in its use of the Service

3.2 Company as Data Processor

The Company is the Data Processor and processes Personal Data only on behalf of and in accordance with the documented instructions of the Customer. The Company shall:

  • Process Personal Data only in accordance with the Customer's documented instructions, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law
  • Promptly inform the Customer if, in its opinion, an instruction infringes applicable data protection law
  • Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality

4. Categories of Personal Data and Data Subjects

4.1 Categories of Data Subjects

  • The Customer's employees, contractors, and authorized users
  • The Customer's own customers and end-users, where their data is processed through applications built on the Service
  • Contacts and correspondents from connected third-party services (e.g., email contacts, calendar attendees)

4.2 Categories of Personal Data

  • Account information: name, email address, authentication credentials
  • User-generated content: prompts, application configurations, edit instructions
  • Connected service data: calendar events, email content, contact information, transaction records, as authorized by the Customer through OAuth
  • Technical data: IP addresses, browser information, usage logs
  • Billing data: payment method information, credit usage records, subscription details

4.3 Sensitive Data

The Service is not designed for the processing of special categories of Personal Data as defined in Article 9 of the GDPR (e.g., health data, biometric data, racial or ethnic origin). The Customer should not submit such data to the Service. If the Customer chooses to process sensitive data through the Service, the Customer assumes full responsibility for ensuring a lawful basis and appropriate safeguards.

5. Technical and Organizational Security Measures

The Company shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, in accordance with Article 32 of the GDPR. These measures include, but are not limited to:

5.1 Encryption

  • AES-256 encryption at rest for all stored credentials, tokens, and sensitive data
  • TLS 1.2 or higher for all data in transit
  • Encryption key management with strict separation from encrypted data

5.2 Access Controls

  • Cryptographically signed session-based authentication for all users
  • Row-level security policies enforcing strict tenant data isolation at the database layer
  • Principle of least privilege applied to all internal system access
  • No customer-facing API keys - all third-party interactions are proxied server-side

5.3 Infrastructure

  • Hosting and database providers maintain SOC 2 Type II certification
  • Primary data storage within the European Union
  • Automated deployment pipelines with integrity verification
  • Continuous health monitoring and anomaly detection across all critical services

5.4 Application Security

  • Rate limiting on all API endpoints to mitigate abuse and automated attacks
  • Protection against OWASP Top 10 vulnerabilities
  • Automated test suite running on every code change through continuous integration
  • Versioned deployment snapshots with instant rollback capability
  • Checksum verification on deployment plans to prevent tampering

6. Sub-processors

6.1 Authorization

The Customer provides general authorization for the Company to engage Sub-processors for the purposes of providing the Service. The Company shall maintain an up-to-date list of Sub-processors and shall notify the Customer of any intended changes to Sub-processors, providing the Customer with the opportunity to object.

6.2 Current Sub-processors

The following Sub-processors are currently engaged (Sub-processor; Purpose; Location; Safeguards):

  • Supabase Inc. - Purpose: database hosting, authentication, backend infrastructure; Location: EU (AWS eu-west); Safeguards: SOC 2 Type II, SCCs
  • Vercel Inc. - Purpose: application hosting, serverless compute, edge delivery; Location: United States (global edge); Safeguards: SOC 2 Type II, SCCs, DPF
  • Anthropic PBC - Purpose: AI model inference (Claude API); Location: United States; Safeguards: SOC 2 Type II, SCCs, zero-retention API
  • Stripe Inc. - Purpose: payment processing, subscription management; Location: United States; Safeguards: PCI DSS Level 1, SOC 2, SCCs, DPF
  • Google LLC - Purpose: connected services (Calendar, Gmail, Drive, Sheets) when authorized by the Customer; Location: global; Safeguards: SOC 2, ISO 27001, SCCs, DPF

6.3 Sub-processor Obligations

The Company shall ensure that each Sub-processor is bound by data protection obligations no less protective than those set out in this DPA. The Company remains fully liable to the Customer for the performance of each Sub-processor's obligations.

7. Data Subject Rights

The Company shall assist the Customer in fulfilling its obligation to respond to Data Subject requests exercising their rights under Chapter III of the GDPR and applicable provisions of the CCPA/CPRA, including:

  • Right of access (Article 15 GDPR / CCPA s1798.100) - the right to obtain confirmation of whether Personal Data is being processed and access to that data
  • Right to rectification (Article 16 GDPR / CCPA s1798.106) - the right to correct inaccurate Personal Data
  • Right to erasure (Article 17 GDPR / CCPA s1798.105) - the right to request deletion of Personal Data
  • Right to restriction of processing (Article 18 GDPR) - the right to request limitation of processing
  • Right to data portability (Article 20 GDPR) - the right to receive Personal Data in a structured, commonly used, machine-readable format
  • Right to object (Article 21 GDPR) - the right to object to processing based on legitimate interests

The Company shall promptly notify the Customer of any Data Subject request received directly, unless prohibited by law. The Company shall not respond to Data Subject requests directly without the Customer's prior authorization, except to confirm receipt and redirect the request.

8. Personal Data Breach Notification

The Company shall notify the Customer without undue delay, and in any event within 48 hours of becoming aware of a Personal Data Breach, as defined in Article 4(12) of the GDPR. The notification shall include:

  • A description of the nature of the breach, including, where possible, the categories and approximate number of Data Subjects and Personal Data records concerned
  • The name and contact details of the Company's designated contact for breach-related communications
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

The Company shall cooperate with the Customer in investigating, remediating, and mitigating the effects of any Personal Data Breach and in complying with the Customer's notification obligations under Articles 33 and 34 of the GDPR.

9. International Data Transfers

The Company shall not transfer Personal Data to a country outside the European Economic Area (EEA) unless appropriate safeguards are in place in accordance with Chapter V of the GDPR. The Company relies on the following transfer mechanisms:

  • EU-US Data Privacy Framework (DPF) - for transfers to US-based Sub-processors that are certified under the DPF
  • Standard Contractual Clauses (SCCs) - Commission Implementing Decision (EU) 2021/914, Module Two (Controller to Processor) and Module Three (Processor to Sub-processor), as applicable
  • Adequacy Decisions - where the European Commission has determined that a third country provides an adequate level of data protection

The Company shall conduct and document a transfer impact assessment where required and shall implement supplementary measures as necessary to ensure an essentially equivalent level of protection for Personal Data transferred outside the EEA.

10. Data Retention and Deletion

Upon termination of the Service agreement, the Company shall, at the Customer's election:

  • Delete all Personal Data processed on behalf of the Customer within 30 days of receiving a written deletion request, unless retention is required by applicable law
  • Return all Personal Data to the Customer in a structured, commonly used, machine-readable format upon request prior to deletion

During the term of the agreement:

  • OAuth tokens are deleted immediately upon service disconnection
  • Account data is retained while the account is active
  • Generated applications and associated data are retained while the account is active
  • Billing records are retained for up to 5 years as required by Danish bookkeeping law (Bogføringsloven)
  • Server logs are retained for up to 90 days for security and debugging purposes

The Company shall certify deletion in writing upon the Customer's request.

11. Audits and Compliance Verification

The Company shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.

Audit requests shall be subject to the following conditions:

  • The Customer shall provide at least 30 days' written notice of any audit request
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Company's operations
  • The auditor shall be bound by appropriate confidentiality obligations
  • The Customer shall bear the costs of any audit, unless the audit reveals a material breach of this DPA by the Company
  • The Company may satisfy audit requests by providing relevant SOC 2 Type II reports, penetration test summaries, or other third-party certifications of its Sub-processors

12. CCPA/CPRA Specific Provisions

To the extent that the CCPA/CPRA applies to the processing of Personal Information under this DPA:

  • The Company acts as a "Service Provider" as defined in CCPA s1798.140(ag) and shall not sell, share, or use Personal Information for any purpose other than providing the Service as specified in this DPA
  • The Company shall not retain, use, or disclose Personal Information outside of the direct business relationship between the Company and the Customer
  • The Company shall not combine Personal Information received from the Customer with Personal Information received from other sources, except as permitted by the CCPA/CPRA
  • The Company certifies that it understands and will comply with the restrictions set forth in this section
  • The Company shall assist the Customer in responding to verifiable consumer requests as required under the CCPA/CPRA

13. AI-Specific Data Processing

The Service uses artificial intelligence models provided by third-party Sub-processors to generate and edit software applications. With respect to AI processing:

  • Customer prompts and relevant project context may be transmitted to the AI Sub-processor for the sole purpose of generating or editing applications as instructed by the Customer
  • The AI Sub-processor is contractually prohibited from using API inputs or outputs for model training purposes
  • All AI interactions are proxied through the Company's backend infrastructure - no direct communication occurs between the Customer's client and the AI Sub-processor
  • The Company does not use Personal Data processed on behalf of the Customer to train, fine-tune, or improve any AI model
  • The Customer is advised not to include special categories of Personal Data (Article 9 GDPR) in prompts or application configurations

14. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, except that no limitation of liability shall apply to either party's liability for:

  • Breaches of its obligations regarding the confidentiality or security of Personal Data
  • Its indemnification obligations under this DPA
  • Any liability that cannot be limited under applicable data protection law

15. Term and Termination

This DPA shall remain in effect for the duration of the Service agreement and shall automatically terminate upon termination or expiry of the Service agreement, subject to the Company's obligations regarding data deletion and return as set out in Section 10.

Provisions of this DPA that by their nature should survive termination (including, without limitation, provisions relating to confidentiality, data deletion, liability, and audit rights) shall survive the termination of this DPA.

16. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of Denmark, without regard to its conflict of laws provisions. The courts of Copenhagen, Denmark shall have exclusive jurisdiction over any dispute arising from or related to this DPA.

Notwithstanding the foregoing, Data Subjects retain the right to lodge complaints with the Supervisory Authority in the Member State of their habitual residence, place of work, or place of the alleged infringement, and to seek judicial remedy in such jurisdiction, in accordance with Articles 77-79 of the GDPR.

17. Contact

For questions regarding this DPA or to exercise any rights hereunder:

naffe.ai - Data Protection

Denmark, EU

Email: privacy@naffe.ai

Security issues: security@naffe.ai
