Data Processing Addendum

Daurada Prime – Data Processing Addendum (DPA)

Effective date: December 23, 2025

This Data Processing Addendum (“DPA”) forms part of the agreement between Daurada Prime and the Customer and satisfies Article 28 GDPR requirements.

1. Roles and Scope

For purposes of GDPR:

  • Customer is the Data Controller

  • Daurada Prime is the Data Processor

This DPA applies only to Personal Data processed on behalf of Customer in connection with the Services.

2. Processing Instructions

Daurada Prime shall process Personal Data only:

  • on documented instructions from Customer,

  • to provide and secure the Services,

  • as required by applicable law.

If Daurada Prime believes an instruction violates GDPR, it will inform Customer.

3. Categories of Data and Data Subjects

Typical processing includes:

  • Data Subjects: Customer employees, contractors, end users, business contacts

  • Personal Data: identifiers, contact details, device metadata, operational data

  • Special Categories: not intended to be processed unless explicitly configured by Customer

4. Confidentiality

Daurada Prime ensures personnel:

  • are bound by confidentiality obligations,

  • access data only on a need-to-know basis.

5. Security Measures

Daurada Prime implements appropriate technical and organizational measures, including:

  • access controls and least-privilege policies,

  • encryption in transit,

  • environment separation,

  • audit logging.

Security measures evolve with industry best practices.

6. Sub-processors

Customer authorizes Daurada Prime to use sub-processors for infrastructure and support.

  • A current sub-processor list will be maintained.

  • Customer will be notified of material changes and may object on reasonable grounds.

7. International Data Transfers

Where Personal Data is transferred outside the EEA:

  • EU Standard Contractual Clauses (SCCs) apply,

  • supplementary safeguards are implemented as required.

8. Data Subject Requests (DSARs)

Daurada Prime will:

  • promptly notify Customer of any DSAR received directly,

  • assist Customer in fulfilling DSARs where reasonably possible.

9. Personal Data Breach

In the event of a Personal Data Breach, Daurada Prime will:

  • notify Customer without undue delay after becoming aware,

  • provide available information required under GDPR Article 33.

10. Data Retention and Deletion

Upon termination:

  • Customer may request export of Personal Data,

  • Personal Data will be deleted within a reasonable period unless retention is legally required.

11. Audits

Customer may audit compliance:

  • no more than once per year,

  • with reasonable notice,

  • in a manner that does not unreasonably disrupt operations or compromise trade secret protections afforded to Daurada Prime and it's author, Prometheus Engineering SL

12. AI Act Forward-Compatibility

12.1 AI Usage Classification

Daurada Prime’s AI-assisted features are designed as:

  • low-risk or limited-risk AI systems under the EU AI Act,

  • non-autonomous,

  • human-in-the-loop by default.

12.2 Prohibited Uses

The Services are not designed or intended for:

  • biometric identification,

  • social scoring,

  • autonomous decision-making with legal or similarly significant effects.

12.3 Customer Responsibilities

Customer agrees not to use the Services in a manner that would:

  • reclassify them as high-risk AI systems,

  • violate AI Act transparency or oversight requirements.

13. Liability

Each party’s liability under this DPA is subject to the limitations set forth in the Terms of Service.

14. Precedence

In case of conflict, this DPA prevails over the Terms of Service with respect to data protection matters.