The GDPR contract your legal team asked for.
This DPA describes how Ciralgo processes personal data on your behalf as your processor under Article 28 GDPR. It forms part of the Terms of Service.
Who plays which role.
Under GDPR Article 28, roles are strictly defined. Here is how it maps for Ciralgo.
What data we process.
Only what you submit to the service and only for the purposes below.
Data subjects
Your employees, contractors, users, or anyone whose data you submit to the service.
Data categories
Identifiers, contact data, usage metadata, and any prompts or content you route through the service.
Purpose
To provide, secure, and improve the service in line with your documented instructions.
Sub-processors.
A short, named list. Any change gets at least 30 days' notice by email.
Security measures.
The controls that back this DPA. Full detail lives on our Security page.
Where your data lives.
EU by default. Transfers outside are the exception, not the rule.
-
EU-hosted infrastructure by default. All personal data is stored on servers physically inside the European Union.
-
Transfers use Standard Contractual Clauses. Where a transfer outside the EU cannot be avoided, we rely on the EU Commission SCCs.
Breach notification.
The GDPR clock is 72 hours. Ours is faster.
Return and deletion of data.
When the relationship ends, so does the data. On a predictable schedule.
-
You can export data at any time. Standard formats, self-service, no support ticket needed.
-
Deletion from active systems within 30 days. Once you terminate, data is removed from production within one month.
-
Deletion from backups within 90 days. Full removal follows the backup rotation cycle.
Talk to our DPO.
We can send you a countersigned copy on Team plans and above.
Ciralgo B.V., Amsterdam, the Netherlands
