Data Processing Agreement
This DPA forms part of the Terms of Service between Sria Digital B.V. (Xavira AI) and Customer. It sets out the terms under which Sria Digital B.V., acting as Processor, processes Personal Data on Customer's behalf, acting as Controller.
1.Definitions
Terms not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679). Customer Data means Personal Data processed by Sria Digital B.V. on Customer's behalf via the Xavira AI service. Sub-processor means a third party engaged by Sria Digital B.V. to process Customer Data.
2.Subject matter, duration, nature, purpose
| Item | Specification |
|---|---|
| Subject matter | Provision of the Xavira AI image and video generation API and portal |
| Duration | For as long as Customer has an active account, plus a 30-day retention period after closure |
| Nature | Storage, processing, and transmission of prompts, reference images, and generated outputs; user authentication; billing |
| Purpose | Performance of the Terms of Service; abuse prevention; moderation auditing |
| Types of Personal Data | End-user identifiers (only if Customer chooses to embed them in prompts/metadata); IP addresses in access logs; reference images that may contain identifiable persons |
| Categories of data subjects | Customer's authorized users; Customer's end-users (only insofar as Customer chooses to include them in API requests) |
3.Roles
Customer is the Controller of any Personal Data submitted via the API. Sria Digital B.V. is the Processor. The relationship is established by Customer's acceptance of the Terms of Service.
For Customer's own account data (the email Customer signs up with, billing data, API key metadata), Sria Digital B.V. is the Controller. The Privacy Policy governs that processing.
4.Processor obligations
Sria Digital B.V. shall:
- Process Customer Data only on documented instructions from Customer (the API calls Customer makes are deemed Customer's documented instructions), except where required by EU or Member State law
- Ensure persons authorised to process Customer Data are under a confidentiality obligation
- Implement appropriate technical and organisational measures (TOMs); see Annex A
- Assist Customer in responding to data-subject rights requests, breach notifications, and DPIAs
- Delete or return all Customer Data at the end of the service relationship, at Customer's choice
- Make available all information necessary to demonstrate compliance with Article 28, including allowing audits, subject to reasonable notice and confidentiality, audits limited to once per twelve months unless a regulator orders more
5.Sub-processors
Customer authorises Sria Digital B.V. to engage the sub-processors listed in the Privacy Policy. Sria Digital B.V. will notify Customer of any intended addition or replacement of sub-processors at least 30 days in advance via the customer-of-record email address, and Customer may object on reasonable grounds (limited to demonstrable inadequacy of the sub-processor's GDPR posture).
Each sub-processor is bound by data-protection obligations substantially equivalent to this DPA.
6.International transfers
Some sub-processors (notably Netlify and OpenRouter) process data in the United States. Transfers rely on the EU Commission's Standard Contractual Clauses (SCCs) Module 3 (Processor-to-Processor), incorporated by reference. On request Sria Digital B.V. will provide the executed SCCs to Customer.
Customer-uploaded reference images and generated outputs are stored on Cloudflare R2 with EU residency configured for the xavira-assets bucket. RunPod compute is in the EU-RO-1 region (Romania).
7.Personal data breaches
Sria Digital B.V. will notify Customer without undue delay (within 72 hours of detection) of any Personal Data Breach affecting Customer Data, providing:
- Description of the nature of the breach, categories and approximate number of data subjects
- Likely consequences
- Measures taken or proposed
- Contact point for further information
8.Data subject requests
If Sria Digital B.V. receives a request directly from a data subject relating to Customer Data, Sria Digital B.V. will forward the request to Customer without responding. Sria Digital B.V. will, on Customer's reasonable request, assist Customer in responding to data-subject rights requests under Articles 15-22 GDPR.
9.Liability
Each party's liability under this DPA is subject to the limitations in the Terms of Service. Nothing in this DPA limits a party's liability where it cannot be limited under Article 82 GDPR or under applicable consumer-protection law.
10.Term and termination
This DPA terminates automatically when the Terms of Service terminate. On termination, Sria Digital B.V. will, at Customer's choice, return or delete all Customer Data within 30 days, except where Union or Member State law requires retention (e.g. Dutch tax law, 7 years on financial records).
11.Conflict
In case of conflict between this DPA and the Terms of Service, this DPA governs as to matters of Personal Data processing. In case of conflict with a counter-signed enterprise DPA, the enterprise DPA governs.
A.Annex: Technical and Organisational Measures (TOMs)
Access control
- Production database access limited to two named operators with 2FA enforced via Neon's IAM
- API keys hashed with sha256; plaintext never stored
- Webhook signing secrets stored as 256-bit random hex per customer
- Supabase service role keys never embedded client-side
Transport security
- All API and portal traffic served over HTTPS (TLS 1.3) with Let's Encrypt certificates auto-rotated by Netlify
- Internal RunPod calls authenticated via Bearer tokens scoped to the Xavira RunPod sub-account
- R2 uploads signed with AWS SigV4
Storage
- Postgres (Neon, eu-central-1): encryption at rest, point-in-time recovery
- R2 object storage: server-side encryption, EU residency for
xavira-assets - Generated outputs accessible via the R2 public URL pattern; URLs are unguessable (sha-based)
Logging and monitoring
- API request logs retained 90 days
- Moderation audit logs retained 2 years (safety obligation)
- Production access by operators is logged via sub-processor dashboards
Incident response
- Internal 24/7 alerting on backend errors (Netlify function failures, Postgres connection drops, RunPod endpoint health degradations)
- Breach notification SOP targets < 72h to notify affected customers per GDPR Article 33