Data Processing Agreement
This Data Processing Agreement governs the processing of personal data by Aetherya on behalf of customers, in accordance with Article 28 of the GDPR. It forms part of, and is incorporated into, our Terms of Service.
Last updated: June 14, 2026 · Effective: June 14, 2026
1. Parties & Scope
This Data Processing Agreement (“DPA”) is entered into between Aetherya SRL, registered office Intrarea Gheorghe Simionescu, Nr. 19, Ap. B26, Sector 1, Municipiul București, Romania, Trade Register No. J2026009029004, registration code 53864466 (“Aetherya”, the “Processor”), and the customer that accepts our Terms of Service (the “Customer”, the “Controller”).
It applies where Aetherya processes personal data on the Customer’s behalf in providing the Services and forms part of the Terms of Service. Capitalized terms not defined here have the meaning given in the Terms. Where the Customer is itself a processor for a third-party controller, this DPA applies on a back-to-back basis.
2. Definitions
“GDPR” means Regulation (EU) 2016/679. “Personal Data”, “Processing”, “Data Subject”, “Controller”, “Processor”, “Supervisory Authority” and “Personal Data Breach” have the meanings given in the GDPR. “Applicable Data Protection Law” means the GDPR, Romanian Law 190/2018, the UK GDPR, and any other privacy law applicable to the processing under this DPA. “Customer Personal Data” means Personal Data contained in Customer Content that Aetherya processes on the Customer’s behalf.
3. Roles & Instructions
- •As between the parties, the Customer is the Controller and Aetherya is the Processor of Customer Personal Data.
- •Aetherya processes Customer Personal Data only on the Customer’s documented instructions — including those given through the Services and this DPA — unless required to do otherwise by EU or Member-State law, in which case Aetherya will inform the Customer (unless that law prohibits it).
- •Aetherya will immediately inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.
- •The Customer is responsible for the accuracy, quality and lawfulness of Customer Personal Data and for having a valid legal basis and required notices for the processing.
4. Subject-Matter & Details of Processing (Annex I)
- •Subject-matter & duration: processing necessary to provide the Services for the term of the Terms of Service and as set out in Section 9 (Return & Deletion).
- •Nature & purpose: hosting, storage, computation, transmission and AI-based processing (persona generation, audience simulation, audits, analytics) to deliver the Services requested by the Customer.
- •Types of Personal Data: as determined by the Customer through its use of the Services — typically identifiers, contact details, content/prompts, and usage data. The Customer must not submit special-category data unless expressly agreed.
- •Categories of Data Subjects: as determined by the Customer — typically the Customer’s personnel and any individuals referenced in Customer Content.
5. Confidentiality
Aetherya ensures that persons authorized to process Customer Personal Data are bound by an appropriate obligation of confidentiality and process the data only as necessary to perform the Services.
6. Security (Article 32)
Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, Aetherya implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including, as appropriate: encryption in transit, access controls and least-privilege, network isolation for internal services, logical separation of Customer data, monitoring, resilience and backup, and regular testing and review. Further detail is available on our Security page.
7. Sub-Processors
- •The Customer grants Aetherya general authorization to engage sub-processors to provide the Services. The current list is published in our Privacy Policy and available on request at privacy@aetherya.ai.
- •Aetherya imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA, and remains liable for its sub-processors’ performance.
- •Aetherya will give the Customer reasonable prior notice of the addition or replacement of a sub-processor; the Customer may object on reasonable data-protection grounds, and the parties will work in good faith to resolve the objection.
8. International Transfers
Aetherya will not transfer Customer Personal Data outside the EEA unless appropriate safeguards under Chapter V GDPR are in place — primarily the European Commission’s Standard Contractual Clauses (SCCs), which are incorporated by reference where applicable, together with supplementary measures and, where relevant, a transfer impact assessment. For UK transfers, the UK International Data Transfer Addendum applies.
9. Assistance to the Controller
- •Data-subject requests: taking into account the nature of the processing, Aetherya assists the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests to exercise data-subject rights (access, rectification, erasure, restriction, portability, objection). Where a request is made directly to Aetherya, it will forward it to the Customer.
- •Compliance support: Aetherya assists the Customer in ensuring compliance with Articles 32–36 GDPR (security, breach notification, data protection impact assessments and prior consultation), taking into account the information available to it.
10. Personal Data Breach
Aetherya will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to it to help the Customer meet its own notification obligations under Articles 33–34 GDPR. Notice will be sent to the Customer’s administrative contact. Such notification is not an acknowledgement of fault or liability.
11. Return & Deletion
On termination of the Services, and at the Customer’s choice, Aetherya will delete or return Customer Personal Data and delete existing copies, unless EU or Member-State law requires storage. The Customer may export Customer Content for a limited period (typically 30 days) after termination, after which data is deleted in the ordinary course, subject to routine backup cycles from which data is purged on a rolling basis.
12. Audits
Aetherya makes available to the Customer information necessary to demonstrate compliance with Article 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor it mandates. To minimise disruption, the Customer will first accept relevant certifications, reports, or a completed security questionnaire; on-site audits are limited to once per year (absent a breach or authority requirement), on reasonable prior notice, during business hours, subject to confidentiality, and at the Customer’s cost.
13. Liability & Term
Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. This DPA takes effect when the Customer accepts the Terms and continues for as long as Aetherya processes Customer Personal Data. In the event of conflict between this DPA and the Terms on data-protection matters, this DPA prevails.
14. Contact
For DPA matters, a signed counterpart, or the current sub-processor list, contact us:
- •Aetherya SRL — Intrarea Gheorghe Simionescu, Nr. 19, Ap. B26, Sector 1, Municipiul București, Romania
- •Privacy / DPA: privacy@aetherya.ai
- •Data Protection contact: dpo@aetherya.ai