Data Processing Agreement

This DPA forms part of the Terms of Service between Sria Digital B.V. (Xavira AI) and Customer. It sets out the terms under which Sria Digital B.V., acting as Processor, processes Personal Data on Customer's behalf, acting as Controller.

Effective date: 2026-05-21 · Version: 1.0 · GDPR (EU 2016/679) Article 28 compliant draft
Draft template. This is a baseline DPA suitable for most B2B customers under GDPR Article 28. Larger customers (regulated industries, > 10k end-users) should request a counter-signed version with negotiated SCCs and named sub-processor approval rights. Email hello@xavira.ai with "DPA review" in the subject.

1.Definitions

Terms not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679). Customer Data means Personal Data processed by Sria Digital B.V. on Customer's behalf via the Xavira AI service. Sub-processor means a third party engaged by Sria Digital B.V. to process Customer Data.

2.Subject matter, duration, nature, purpose

ItemSpecification
Subject matterProvision of the Xavira AI image and video generation API and portal
DurationFor as long as Customer has an active account, plus a 30-day retention period after closure
NatureStorage, processing, and transmission of prompts, reference images, and generated outputs; user authentication; billing
PurposePerformance of the Terms of Service; abuse prevention; moderation auditing
Types of Personal DataEnd-user identifiers (only if Customer chooses to embed them in prompts/metadata); IP addresses in access logs; reference images that may contain identifiable persons
Categories of data subjectsCustomer's authorized users; Customer's end-users (only insofar as Customer chooses to include them in API requests)

3.Roles

Customer is the Controller of any Personal Data submitted via the API. Sria Digital B.V. is the Processor. The relationship is established by Customer's acceptance of the Terms of Service.

For Customer's own account data (the email Customer signs up with, billing data, API key metadata), Sria Digital B.V. is the Controller. The Privacy Policy governs that processing.

4.Processor obligations

Sria Digital B.V. shall:

5.Sub-processors

Customer authorises Sria Digital B.V. to engage the sub-processors listed in the Privacy Policy. Sria Digital B.V. will notify Customer of any intended addition or replacement of sub-processors at least 30 days in advance via the customer-of-record email address, and Customer may object on reasonable grounds (limited to demonstrable inadequacy of the sub-processor's GDPR posture).

Each sub-processor is bound by data-protection obligations substantially equivalent to this DPA.

6.International transfers

Some sub-processors (notably Netlify and OpenRouter) process data in the United States. Transfers rely on the EU Commission's Standard Contractual Clauses (SCCs) Module 3 (Processor-to-Processor), incorporated by reference. On request Sria Digital B.V. will provide the executed SCCs to Customer.

Customer-uploaded reference images and generated outputs are stored on Cloudflare R2 with EU residency configured for the xavira-assets bucket. RunPod compute is in the EU-RO-1 region (Romania).

7.Personal data breaches

Sria Digital B.V. will notify Customer without undue delay (within 72 hours of detection) of any Personal Data Breach affecting Customer Data, providing:

8.Data subject requests

If Sria Digital B.V. receives a request directly from a data subject relating to Customer Data, Sria Digital B.V. will forward the request to Customer without responding. Sria Digital B.V. will, on Customer's reasonable request, assist Customer in responding to data-subject rights requests under Articles 15-22 GDPR.

9.Liability

Each party's liability under this DPA is subject to the limitations in the Terms of Service. Nothing in this DPA limits a party's liability where it cannot be limited under Article 82 GDPR or under applicable consumer-protection law.

10.Term and termination

This DPA terminates automatically when the Terms of Service terminate. On termination, Sria Digital B.V. will, at Customer's choice, return or delete all Customer Data within 30 days, except where Union or Member State law requires retention (e.g. Dutch tax law, 7 years on financial records).

11.Conflict

In case of conflict between this DPA and the Terms of Service, this DPA governs as to matters of Personal Data processing. In case of conflict with a counter-signed enterprise DPA, the enterprise DPA governs.


A.Annex: Technical and Organisational Measures (TOMs)

Access control

Transport security

Storage

Logging and monitoring

Incident response