Data Processing Agreement
GDPR Art. 28 · For EU customers
Need a signed DPA for procurement? Email [email protected] with your customer name + signing authority. Standard turnaround: 2 business days.
We’re happy to sign your DPA template, or you can use ours below.
1. Parties & subject matter
This DPA governs OOretz’s processing of personal data on behalf of you (the “Controller”). The Service is described at /factory.
2. Roles
- You are the Controller of personal data you submit (prompts, account info, end-user data your generated apps process).
- OOretz is a Processor acting on your documented instructions.
3. Categories of data
- Account data: name, email, organization.
- Prompts and outputs: the natural-language inputs and generated source code.
- Telemetry: build durations, error counts, model usage stats.
4. Categories of data subjects
- Customer employees and contractors using the Service.
- End users of apps built with the Service (if the Controller’s generated apps process EU personal data).
5. Sub-processors
Current sub-processors (updated when changes are made):
| Sub-processor | Purpose | Location | SCC |
|---|---|---|---|
| Supabase | Database + auth + object storage | US (configurable) | ✓ |
| AWS Lightsail / EC2 | App hosting + bridge nodes | US (us-east-1, configurable) | ✓ |
| Cloudflare | CDN + WAF + DNS | Global (EU edge available) | ✓ |
| Anthropic | Claude AI inference | US | ✓ |
| OpenAI | GPT inference | US | ✓ |
| Google | Gemini inference | US/EU | ✓ |
| Mistral AI | Mistral inference | EU | — |
| Resend | Transactional email | US | ✓ |
| Stripe | Payment processing (Pro/Enterprise) | US | ✓ |
We notify Controllers of new sub-processors at least 30 days before activation. Object via email; we’ll work in good faith to find alternatives.
6. Security measures
See /factory/security for the full posture. Summary: TLS 1.2+ in transit, encryption at rest, row-level security (RLS) on all customer tables, tenant-scoped audit log with agent identity, MFA enforcement (Enterprise), VPC option (Enterprise).
7. Data subject requests
We assist Controllers with Art. 15-22 requests within 5 business days. Standard requests are honored at no charge. See our Privacy Policy for details.
8. Personal data breach
We notify Controllers of personal data breaches within 72 hours of becoming aware. Notifications include known facts, affected data categories, scope, and remediation steps.
9. International transfers
For transfers outside the EEA, we rely on Standard Contractual Clauses (Module 2: Controller-to-Processor). EU customers can configure EU-only data residency to avoid US transfers.
10. Audit rights
Controllers may audit our compliance once per 12-month period with 30 days’ notice. We also provide our SOC 2 Type II report (when available) and security questionnaire responses on request.
11. Return / deletion of data
On termination, we return or delete all personal data within 30 days per your written instruction. Backups follow our standard retention (maximum 90 days for Free/Pro; configurable for Enterprise).
12. Contact
DPO: [email protected]
EU representative (if required): [email protected]