This DPA forms part of the Terms of Service and applies when the Customer, as controller, processes personal data through Paidio, with Paidio acting as processor. It is governed by Bulgarian law, in consistency with the Terms.
1. Purpose and duration
Paidio will process personal data solely to provide the contracted service, following the Customer's documented instructions (the Terms, the account configuration and the use of the platform). Processing lasts for as long as the contractual relationship is in force. The details of the processing are set out in Annex I and the security measures in Annex II.
2. Obligations of the processor (Paidio)
Paidio undertakes to: (a) process the data only according to the Customer's documented instructions; (b) ensure the confidentiality of authorized personnel; (c) apply the security measures in Annex II (art. 32 GDPR); (d) reasonably assist the Customer in exercising data subjects' rights and in complying with arts. 32-36; (e) notify without undue delay and, in any event, within 48 hours of becoming aware of a personal data breach; (f) at the Customer's choice, delete or return the data at the end of the provision; (g) make available the information necessary to demonstrate compliance and allow audits in accordance with clause 7; (h) inform the Customer if, in its opinion, an instruction infringes the GDPR or other data-protection legislation.
3. Subprocessors
The Customer authorizes Paidio to use the following subprocessors, with which Paidio maintains contracts that impose equivalent data-protection obligations:
| Subprocessor | Purpose | Location |
|---|---|---|
| OpenAI | AI models, embeddings, moderation | USA |
| Stripe | Payments and billing data | EU / USA |
| Resend | Transactional email | USA |
| Cloudflare | Anti-fraud protection (Turnstile) | USA / global |
| Railway | Hosting of backend and database | USA |
| Netlify | Hosting of the frontend | USA |
Paidio will give reasonable advance notice of changes to the list. The Customer may object on reasonable data-protection grounds; if the objection cannot be resolved, the Customer may terminate the affected part of the service without penalty as its sole remedy.
4. International transfers
When a subprocessor processes data outside the EEA, the transfer is covered by adequate safeguards in accordance with Chapter V of the GDPR. To the extent that this involves international transfers, the Standard Contractual Clauses (Implementing Decision (EU) 2021/914) are deemed incorporated by reference, in their corresponding Module, and Paidio enters into the Module 3 clauses (processor to subprocessor) with each subprocessor, in addition to the applicable adequacy frameworks (e.g. EU-US Data Privacy Framework).
5. Data subjects' rights
Paidio will assist the Customer, by appropriate technical measures, in handling requests for access, rectification, erasure, objection, restriction and portability addressed to the Customer.
6. Return and deletion
At the end of the service, and at the Customer's choice, Paidio will return or delete the personal data processed on the Customer's behalf within 30 days, unless there is a legal obligation to retain it.
7. Audit
Paidio will make available to the Customer the reasonable information to demonstrate compliance with this DPA. Audits will be carried out once a year (except in the event of a breach or an authority's requirement), with 30 days' notice, at the Customer's cost and without compromising the security of other customers; the Customer may accept current reports or certifications instead of an on-site inspection.
8. Special categories of data
The Customer is solely responsible for the lawfulness of including personal data, including special categories under art. 9 GDPR (e.g. health/physical fitness data). Paidio is not configured for the enhanced processing of special categories unless agreed in writing; the Customer undertakes not to incorporate them without a legal basis and without such agreement.
9. Liability
Liability arising from this DPA is governed by the limits set out in the Terms of Service, to the extent permitted by law.
10. Contact
Data-protection matters: tiho@theorangecat.dev.
Annex I — Details of the processing
- Nature and purpose: hosting, indexing (embeddings), semantic retrieval and generation of AI responses over the content provided by the Customer; transactional email; account and billing management.
- Categories of data subjects: the Customer's end users (e.g. students, employees, the Customer's clients) and the Customer's administrators.
- Categories of data: those the Customer decides to include (e.g. name, email, contents of documents and conversations).
- Duration: for as long as the contractual relationship is in force.
Annex II — Security measures (art. 32)
Encryption in transit; hashing of credentials; logical isolation per tenant; role-based access control; rate limits and content moderation; audit logs; reasonable backups. Paidio reviews and improves these measures periodically.