Data Processing Agreement

Last updated: March 17, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Controller") and Softure UG (haftungsbeschränkt) ("Processor") for the provision of the Aira platform, pursuant to Article 28 of the General Data Protection Regulation (GDPR).

1. Scope & Purpose

The Processor processes personal data on behalf of the Controller solely for the purpose of providing AI evaluation, consensus scoring, and audit proof services as described in the Terms of Service.

2. Data Processed

  • Data subjects: Controller's end users and individuals referenced in evaluation requests.
  • Categories: Evaluation prompts, decision context, model responses, metadata (timestamps, request IDs).
  • Special categories: Only if submitted by the Controller. The Controller is responsible for ensuring a lawful basis for any special-category data.

3. Sub-Processors

The Controller authorizes the use of the following sub-processors for AI model inference:

| Sub-Processor | Location | Purpose |
|---|---|---|
| OpenAI, Inc. | USA | AI model inference (GPT) |
| Anthropic, PBC | USA | AI model inference (Claude) |
| Google LLC | USA | AI model inference (Gemini) |
| Hetzner Online GmbH | Germany | Infrastructure hosting |

The Processor will inform the Controller of any intended changes to sub-processors at least 30 days in advance, giving the Controller the opportunity to object.

4. Data Flows

Evaluation requests are received via TLS-encrypted API calls, processed by the Processor's backend, and forwarded to AI sub-processors for inference. Responses are aggregated, consensus is computed, and a cryptographically signed audit proof is generated and stored. Data transfers to sub-processors in the USA are governed by Standard Contractual Clauses (SCCs).

5. Security Measures

  • Encryption in transit: TLS 1.3 for all API and inter-service communication.
  • Encryption at rest: AES-256 for all stored data.
  • Audit proof signing: Ed25519 digital signatures with RFC 3161 timestamps.
  • Access control: Role-based access with API key authentication.
  • Infrastructure: Hosted in EU data centers (Hetzner, Germany).
  • Monitoring: Automated alerting for unauthorized access attempts.

6. Data Breach Notification

The Processor shall notify the Controller of any personal data breach without undue delay and no later than 72 hours after becoming aware of it. The notification will include the nature of the breach, the categories and approximate number of data subjects affected, and the measures taken or proposed to mitigate the breach.

7. Data Subject Rights

The Processor shall assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) by providing appropriate technical and organizational measures.

8. Audits

The Controller has the right to conduct audits, including inspections, to verify the Processor's compliance with this DPA. The Processor shall make available all information necessary to demonstrate compliance and allow for audits upon reasonable notice.

9. Data Deletion

When a team member leaves an organization, the Processor immediately anonymizes their personal data (email address and credentials). Audit log entries are preserved with the actor shown as "Deleted user" to maintain compliance records.

When the organization owner deletes the organization, the Processor permanently removes all personal data and organization data within 30 days, unless retention is required by applicable law (e.g., audit proofs retained for regulatory compliance). The Processor shall certify deletion in writing upon request.

10. Term & Governing Law

This DPA remains in effect for the duration of the service agreement. It is governed by the laws of the Federal Republic of Germany. The exclusive place of jurisdiction is Berlin, Germany.

11. Contact

For DPA-related inquiries: customers@softure-ug.de