EU GDPR Processor Terms
Effective March 4, 2026
• Incorporated into Terms of Service
• Customer = Controller, Genaura = Processor for Customer Content
• Processing only on documented instructions unless law requires otherwise
• Security, breach notice, subprocessor controls, and transfer safeguards included
• Return/deletion obligations apply at end of service
This DPA forms part of the Terms of Service and applies when Genaura processes personal data on behalf of a customer. It is intended to satisfy EU General Data Protection Regulation (GDPR) processor requirements.
For Customer Content submitted to Services:
• Customer acts as Controller
• Genaura acts as Processor
For Genaura account administration, fraud prevention, billing, and legal compliance processing, Genaura may act as Controller.
• Subject matter: delivery of GenauraBrain bot, web dashboard, sync, connector, and artifact workflows.
• Duration: term of service + limited post-termination retention as required by law.
• Nature: collection, storage, retrieval, transmission, analysis, and deletion.
• Data categories: identifiers, contact data, conversation/file content, connector/payment metadata, operational logs.
• Data subjects: customer users and individuals whose data is submitted by customer.
Genaura processes personal data only on customer instructions, unless required by law. Personnel with data access are bound by confidentiality obligations.
Genaura applies appropriate technical and organizational measures, including access control, encryption, secret management, monitoring, and incident response. Security controls are reviewed and improved as the platform evolves.
Customer grants general authorization to use subprocessors needed to operate Services. Genaura ensures subprocessors are bound by contractual data protection obligations. Current subprocessors may include cloud infrastructure, payment providers, and transactional communications providers.
Genaura will reasonably assist customers to respond to access, rectification, erasure, restriction, portability, and objection requests. If Genaura receives a request directly about Customer Content, it will route that request to the customer unless law requires direct handling.
Genaura will notify customer without undue delay after becoming aware of a personal data breach affecting Customer Content. Notification will include available details to support customer regulatory obligations.
Where processing involves international transfer of Customer Content personal data, Genaura applies lawful transfer mechanisms (such as EU Standard Contractual Clauses (SCCs) or adequacy decisions).
At service end, Genaura will delete or return Customer Content personal data, unless retention is legally required. Backup and disaster recovery retention may continue for limited periods until deletion cycles complete.
Genaura will provide information reasonably necessary to demonstrate DPA compliance, subject to confidentiality and security controls. Audits must be reasonable, proportionate, and coordinated to avoid service disruption.
If this DPA conflicts with the Terms on data protection matters, this DPA prevails for those matters.
dpo@genaura.app privacy@genaura.app
Genaura Ltd · Nicosia, Cyprus