All of ciralgo.com Data Processing Agreement

The GDPR contract your legal team asked for.

This DPA describes how Ciralgo processes personal data on your behalf as your processor under Article 28 GDPR. It forms part of the Terms of Service.

Last updated 2 July 2026
Section 01

Who plays which role.

Under GDPR Article 28, roles are strictly defined. Here is how it maps for Ciralgo.

You are the Controller You decide what data goes in and why.
Ciralgo is the Processor We act only on your documented instructions.
Sub-processors Bound by the same GDPR-aligned terms.
Section 02

What data we process.

Only what you submit to the service and only for the purposes below.

01

Data subjects

Your employees, contractors, users, or anyone whose data you submit to the service.

02

Data categories

Identifiers, contact data, usage metadata, and any prompts or content you route through the service.

Identifiers Contact data Usage metadata Prompt content
03

Purpose

To provide, secure, and improve the service in line with your documented instructions.

Section 03

Sub-processors.

A short, named list. Any change gets at least 30 days' notice by email.

See the full sub-processor list Vendor, purpose, region, and change history.
Section 04

Security measures.

The controls that back this DPA. Full detail lives on our Security page.

Encryption in transit
Encryption at rest
Access controls with MFA
Tenant isolation
Audit logging
Documented incident response
Section 05

Where your data lives.

EU by default. Transfers outside are the exception, not the rule.

  • EU-hosted infrastructure by default. All personal data is stored on servers physically inside the European Union.
  • Transfers use Standard Contractual Clauses. Where a transfer outside the EU cannot be avoided, we rely on the EU Commission SCCs.
Section 06

Breach notification.

The GDPR clock is 72 hours. Ours is faster.

DetectionAutomated monitoring flags the incident
Immediate
Initial notificationYou are told what we know and what we do not
Within 24 hours
Regulatory notificationData protection authority notified per GDPR Article 33
Within 72 hours
Full reportRoot cause, mitigations, and follow-up actions
Within 14 days
Section 07

Return and deletion of data.

When the relationship ends, so does the data. On a predictable schedule.

  • You can export data at any time. Standard formats, self-service, no support ticket needed.
  • Deletion from active systems within 30 days. Once you terminate, data is removed from production within one month.
  • Deletion from backups within 90 days. Full removal follows the backup rotation cycle.
Need a signed DPA?

Talk to our DPO.

We can send you a countersigned copy on Team plans and above.

Ciralgo B.V., Amsterdam, the Netherlands