Data Processing Agreement
Last updated: 2026-05-10 · Version: 1.0
This Data Processing Agreement ("DPA") forms part of the Master Services Agreement between Preferium AS (Org. nr. xxx xxx xxx, Norway — the "Processor") and the customer ("Controller") for the provision of Preferium AI Edge (the "Service"). It implements Article 28 of Regulation (EU) 2016/679 (GDPR) and Schedule 1 of the UK Data Protection Act 2018.
1. Definitions
Terms defined in the GDPR have the same meaning when used in this DPA. "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller in connection with the Service.
2. Subject matter and duration
| Subject matter | Server-side optimization of the Controller's website HTML for AI search engines, including caching of optimized content at edge nodes. |
|---|---|
| Duration | The term of the active subscription plus 30 days for deletion (§10). |
| Nature of processing | Storage, retrieval, transformation (AI rewriting), and serving of HTML. |
| Categories of data subjects | Visitors to the Controller's website. |
| Categories of Personal Data | IP addresses, user agents, request paths, referrers (14-day retention). HTML content as published by the Controller. |
3. Roles
The Controller determines the purposes and means of processing. The Processor processes Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries.
4. Processor obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller.
- Ensure persons authorized to process the data are bound by confidentiality.
- Take all measures required pursuant to Article 32 GDPR (security — see §6).
- Respect the conditions for engaging Sub-Processors (§5).
- Assist the Controller in fulfilling data subject requests.
- Assist the Controller in ensuring compliance with Articles 32–36 GDPR.
- Delete or return all Personal Data after the end of services (§10).
- Make available all information necessary to demonstrate compliance with Article 28.
5. Sub-Processors
The Controller authorizes the Processor to engage the following Sub-Processors:
| Sub-Processor | Service | Location | Transfer mechanism |
|---|---|---|---|
| Cloudflare, Inc. | Edge hosting + KV cache | Global edge | EU SCCs + UK addendum |
| Supabase, Inc. | Postgres database | EU (Frankfurt / Stockholm) | EU SCCs + DPA |
| Anthropic PBC | LLM inference (Claude) | US | EU SCCs + DPA |
| OpenAI L.L.C. | LLM inference (GPT) | US | EU SCCs + DPA |
| Google LLC | LLM inference (Gemini) + GSC/GA4 | US/EU | EU SCCs |
| DataForSEO LLC | SERP + backlink data | US/EU | EU SCCs |
| Resend, Inc. | Transactional email | EU (Ireland) | DPA |
| Stripe, Inc. | Payment processing | US (with EU branch) | EU SCCs + DPA |
| Better Stack | Logging + uptime | EU (Germany) | DPA |
| Sentry | Error monitoring | US (EU residency available) | EU SCCs + DPA |
The Processor will inform the Controller of any intended changes to this list at least 14 days before the change takes effect.
6. Security measures
The Processor maintains the following technical and organizational measures:
- Encryption in transit: TLS 1.2+ on all customer-facing endpoints.
- Encryption at rest: Database storage encrypted (Supabase managed encryption). OAuth tokens encrypted with AES-GCM in worker memory; encryption key never reaches Postgres.
- Access control: Multi-tenant isolation via PostgreSQL Row-Level Security with explicit tenant_id filters in application code. Service-role keys held in Cloudflare Worker secrets.
- Audit logging: All privileged actions logged to audit_logs table with tenant, user, action, timestamp. Retained 24 months.
- Backups: Daily Postgres backups (30-day retention). Weekly snapshots to R2 (90-day retention).
- Incident response: Sentry-driven alerting on error-rate spikes. On-call rotation for production.
- Secret management: Wrangler Secrets for production; rotation every 90 days.
- Vulnerability management: Dependency scanning via GitHub Dependabot. Annual penetration tests.
7. Personal Data breach
The Processor will notify the Controller without undue delay (target: within 24 hours) after becoming aware of a Personal Data breach. The notification will describe the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed.
8. Data subject requests
The Processor will assist with:
- Right of access: SQL extracts via support within 30 days.
- Right to erasure: Tenant-level cascade delete via the dashboard's "Delete workspace" flow with KV cache invalidation propagated within 60 seconds globally.
- Right to rectification: Re-publish source HTML or update via the dashboard.
- Right to data portability: JSON export via /v1/exports/full.
9. International transfers
For transfers outside the EEA, UK, or Switzerland, the Processor uses the European Commission's Standard Contractual Clauses (2021/914/EU). Where Sub-Processors are located in jurisdictions without adequacy decisions, supplementary measures apply (encryption-in-transit-and-at-rest by default, plus contractual obligations).
10. Return or deletion
Upon termination of the Service, the Processor will:
- Stop accepting new requests within 24 hours of termination notice.
- Make all Personal Data available for export for 30 days following termination.
- Delete from production systems within 30 days of the export window closing.
- Delete from backups within the natural rotation window (90 days for R2, 30 days for Supabase).
- Issue written certification of deletion within 7 days of completion.
11. Audits
The Controller may audit the Processor's compliance with this DPA no more than once per calendar year and at its own cost. The Processor may satisfy this obligation by providing a current SOC 2 Type II report or equivalent third-party assessment.
12. Liability and termination
This DPA is governed by Norwegian law. Disputes will be resolved by Oslo District Court. Liability under this DPA is subject to the limitations set out in the Master Services Agreement.
13. Changes
The Processor will notify the Controller of material changes to this DPA at least 30 days before they take effect. The Controller may terminate the Service if it does not accept the changes.
Signed for and on behalf of the Processor
Robert Andre Johansen, CEO
Preferium AS
post@preferium.no