Data Processing Agreement

Last updated: 2026-05-10 · Version: 1.0

This Data Processing Agreement ("DPA") forms part of the Master Services Agreement between Preferium AS (Org. nr. xxx xxx xxx, Norway — the "Processor") and the customer ("Controller") for the provision of Preferium AI Edge (the "Service"). It implements Article 28 of Regulation (EU) 2016/679 (GDPR) and Schedule 1 of the UK Data Protection Act 2018.

1. Definitions

Terms defined in the GDPR have the same meaning when used in this DPA. "Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller in connection with the Service.

2. Subject matter and duration

Subject matter, duration, nature, and categories of personal data covered by this DPA:

Subject matter: Server-side optimization of the Controller's website HTML for AI search engines, including caching of optimized content at edge nodes.
Duration: The term of the active subscription plus 30 days for deletion (§10).
Nature of processing: Storage, retrieval, transformation (AI rewriting), and serving of HTML.
Categories of data subjects: Visitors to the Controller's website.
Categories of Personal Data: IP addresses, user agents, request paths, referrers (14-day retention). HTML content as published by the Controller.

3. Roles

The Controller determines the purposes and means of processing. The Processor processes Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries.

4. Processor obligations

The Processor shall:

  1. Process Personal Data only on documented instructions from the Controller.
  2. Ensure persons authorized to process the data are bound by confidentiality.
  3. Take all measures required pursuant to Article 32 GDPR (security — see §6).
  4. Respect the conditions for engaging Sub-Processors (§5).
  5. Assist the Controller in fulfilling data subject requests.
  6. Assist the Controller in ensuring compliance with Articles 32–36 GDPR.
  7. Delete or return all Personal Data after the end of services (§10).
  8. Make available all information necessary to demonstrate compliance with Article 28.

5. Sub-Processors

The Controller authorizes the Processor to engage the following Sub-Processors:

Authorized sub-processors with purpose, hosting location, and Standard Contractual Clauses status:

Sub-Processor      | Service                            | Location                      | Transfer mechanism
-------------------|------------------------------------|-------------------------------|----------------------
Cloudflare, Inc.   | Edge hosting + KV cache            | Global edge                   | EU SCCs + UK addendum
Supabase, Inc.     | Postgres database                  | EU (Frankfurt / Stockholm)    | EU SCCs + DPA
Anthropic PBC      | LLM inference (Claude)             | US                            | EU SCCs + DPA
OpenAI L.L.C.      | LLM inference (GPT)                | US                            | EU SCCs + DPA
Google LLC         | LLM inference (Gemini) + GSC/GA4   | US/EU                         | EU SCCs
DataForSEO LLC     | SERP + backlink data               | US/EU                         | EU SCCs
Resend, Inc.       | Transactional email                | EU (Ireland)                  | DPA
Stripe, Inc.       | Payment processing                 | US (with EU branch)           | EU SCCs + DPA
Better Stack       | Logging + uptime                   | EU (Germany)                  | DPA
Sentry             | Error monitoring                   | US (EU residency available)   | EU SCCs + DPA

The Processor will inform the Controller of any intended changes to this list at least 14 days before the change takes effect.

6. Security measures

The Processor maintains the following technical and organizational measures:

  • Encryption in transit: TLS 1.2+ on all customer-facing endpoints.
  • Encryption at rest: Database storage encrypted (Supabase managed encryption). OAuth tokens encrypted with AES-GCM in worker memory; encryption key never reaches Postgres.
  • Access control: Multi-tenant isolation via PostgreSQL Row-Level Security with explicit tenant_id filters in application code. Service-role keys held in Cloudflare Worker secrets.
  • Audit logging: All privileged actions logged to audit_logs table with tenant, user, action, timestamp. Retained 24 months.
  • Backups: Daily Postgres backups (30-day retention). Weekly snapshots to R2 (90-day retention).
  • Incident response: Sentry-driven alerting on error-rate spikes. On-call rotation for production.
  • Secret management: Wrangler Secrets for production; rotation every 90 days.
  • Vulnerability management: Dependency scanning via GitHub Dependabot. Annual penetration tests.

7. Personal Data breach

The Processor will notify the Controller without undue delay (target: within 24 hours) after becoming aware of a Personal Data breach. The notification will describe the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed.

8. Data subject requests

The Processor will assist with:

  • Right of access: SQL extracts via support within 30 days.
  • Right to erasure: Tenant-level cascade delete via the dashboard's "Delete workspace" flow with KV cache invalidation propagated within 60 seconds globally.
  • Right to rectification: Re-publish source HTML or update via the dashboard.
  • Right to data portability: JSON export via /v1/exports/full.

9. International transfers

For transfers outside the EEA, UK, or Switzerland, the Processor uses the European Commission's Standard Contractual Clauses (2021/914/EU). Where Sub-Processors are located in jurisdictions without adequacy decisions, supplementary measures apply (encryption in transit and at rest by default, plus contractual obligations).

10. Return or deletion

Upon termination of the Service, the Processor will:

  1. Stop accepting new requests within 24 hours of termination notice.
  2. Make all Personal Data available for export for 30 days following termination.
  3. Delete from production systems within 30 days of the export window closing.
  4. Delete from backups within the natural rotation window (90 days for R2, 30 days for Supabase).
  5. Issue written certification of deletion within 7 days of completion.

11. Audits

The Controller may audit the Processor's compliance with this DPA no more than once per calendar year and at its own cost. The Processor may satisfy this obligation by providing a current SOC 2 Type II report or equivalent third-party assessment.

12. Liability and termination

This DPA is governed by Norwegian law. Disputes will be resolved by Oslo District Court. Liability under this DPA is subject to the limitations set out in the Master Services Agreement.

13. Changes

The Processor will notify the Controller of material changes to this DPA at least 30 days before they take effect. The Controller may terminate the Service if it does not accept the changes.

Signed for and on behalf of the Processor

Robert Andre Johansen, CEO
Preferium AS
post@preferium.no