TO
Transfer OracleSign in
← Back to Transfer Oracle

Data Processing Agreement

Effective: 2026-04-17 | Transfer Oracle

1. Parties

This Data Processing Agreement ("DPA") is entered between:

  • Data Controller: You, the customer ("Controller")
  • Data Processor: Droidtech 42 AI Labs AB, operating as Transfer Oracle, organisation number 559534-0745 ("Processor")

This DPA supplements the Terms of Service and applies where the Processor processes personal data on behalf of the Controller through the Transfer Oracle API.

2. Scope of Processing

Nature: Structural analysis of numerical feature vectors via API.

Purpose: AI model quality auditing before deployment.

Duration: For the duration of the service agreement.

Categories of data: Feature vectors (numerical arrays), API usage metadata.

Data subjects: Not applicable — feature vectors do not contain personal data in normal use. If Controller submits data that contains personal data, Controller is responsible for ensuring a lawful basis.

3. Processor Obligations

  • Process data only on documented instructions from the Controller
  • Ensure persons authorised to process data are bound by confidentiality
  • Implement appropriate technical and organisational security measures
  • Not engage sub-processors without prior written consent
  • Assist the Controller with data subject requests
  • Delete or return all personal data at end of service
  • Make available all information necessary to demonstrate compliance

4. Security Measures

  • TLS encryption for all API traffic
  • API key authentication (hashed at rest)
  • Feature vectors processed in memory, not persisted (except session-based endpoints with 1-hour TTL)
  • Infrastructure hosted in EU (Hetzner, Germany) with ISO 27001 certified provider
  • Access controls: SSH key authentication, no shared credentials
  • Regular security updates and dependency auditing

5. Sub-Processors

The following sub-processors are authorised:

ProviderPurposeLocation
Hetzner Online GmbHServer hostingGermany (EU)
Stripe Inc.Payment processingUSA (SCCs)
Resend Inc.Transactional emailUSA (SCCs)

6. International Transfers

Primary processing occurs in EU (Hetzner, Germany). Transfers to the USA (Stripe, Resend) are governed by Standard Contractual Clauses (SCCs) as approved by the European Commission.

7. Data Breach Notification

The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach, providing all information necessary for the Controller to fulfil its obligations under Article 33 GDPR.

8. Governing Law

This DPA is governed by the laws of Sweden and the General Data Protection Regulation (EU) 2016/679.

9. Contact

Data Protection Officer: support@transferoracle.ai