Data Processing Agreement (DPA)
Last Updated: 2026-01-10
This Data Processing Agreement ("DPA") is an addendum to the Terms of Service between CALLISTO AB ("Company") and you ("Customer"). This DPA reflects the parties' agreement with regard to the processing of personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").
1. Definitions
For the purposes of this DPA, the terms "personal data," "processing," "data subject," "data controller," and "data processor" shall have the meanings ascribed to them in the General Data Protection Regulation (GDPR).
2. Processing of Personal Data
The Company, as the data processor, shall process personal data on behalf of the Customer, the data controller, only for the purpose of providing the services as described in the Terms of Service.
3. Data Subject Rights
The Company shall, to the extent legally permitted, promptly notify the Customer if it receives a request from a data subject to exercise the data subject's right of access, rectification, erasure, or other rights under the GDPR.
4. Security Measures
The Company implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Content Security Policy (CSP) - Protection against cross-site scripting (XSS) attacks
- CSRF Protection - Prevention of cross-site request forgery attacks
- Encrypted Sessions - 24-hour session expiry with HttpOnly, Secure, and SameSite cookies
- Rate Limiting - Protection against brute-force and denial-of-service attacks
- Input Sanitization - All user inputs are validated and sanitized
- Privacy-Safe Logging with Automatic PII Sanitization - All system logs are automatically sanitized in real-time to remove personally identifiable information (PII) before writing to storage. Our EU-wide PII detection covers all 28 EU member states and sanitizes: email addresses, phone numbers (all EU country codes), person names (including Unicode characters and EU naming conventions), national ID numbers, postal codes, street addresses, credit card numbers, IP addresses, URLs, domain names, dates of birth, and social media profiles. Each sanitized log entry includes a SHA-256 hash for correlation debugging without exposing actual PII, ensuring full compliance with GDPR Articles 5(1)(c) Data Minimization and 5(1)(b) Purpose Limitation.
- Automated Log Rotation and Archiving - System logs are automatically rotated daily with compressed archiving. All logs are retained for 30-90 days depending on type, then automatically purged. This ensures compliance with data minimization requirements while maintaining sufficient operational history for security monitoring and debugging.
- Encrypted Data Storage - All data at rest is encrypted using AES-256 encryption. Data in transit uses TLS 1.3 with perfect forward secrecy.
- Automated Security Scanning - Continuous vulnerability monitoring
- DDoS Protection - All infrastructure is protected by network-layer (L3/L4) DDoS mitigation provided by Hetzner Online (Germany), with automatic volumetric attack filtering at the network edge.
- ISO 27001 Certified Infrastructure - All servers are hosted by Hetzner Online (Germany), which holds ISO/IEC 27001 certification for information security management, ensuring systematic protection of data confidentiality, integrity, and availability.
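The log sanitization step described in the "Privacy-Safe Logging" bullet above, as an added illustration that is not CALLISTO AB's code: it replaces a few of the listed PII classes (email, EU phone number, IP address) with a placeholder carrying a truncated correlation tag, so the same value can still be matched across entries. The example assumes a keyed HMAC-SHA-256 rather than a bare SHA-256, because a plain hash of a low-entropy value such as an email or IP can be matched by hashing a candidate list; the key, patterns and log lines are all constructed.

```python
import hashlib
import hmac
import re

# Constructed secret for the example; a real deployment loads it from a secret store.
CORRELATION_KEY = b"example-correlation-key-rotate-me"

# Detection patterns for a subset of the PII classes named in Section 4.
PII_PATTERNS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "PHONE": re.compile(r"\+\d{1,3}[ \d]{7,14}\d"),   # international format, EU country code
    "IPV4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Constructed sample log lines; no real persons or hosts.
LOG_LINES = [
    "2026-01-10T09:14:02Z INFO login ok user=anna.svensson@example.se ip=203.0.113.42",
    "2026-01-10T09:15:11Z WARN otp resend phone=+46 70 123 45 67 ip=203.0.113.42",
]


def correlation_tag(value: str) -> str:
    """Keyed hash of a PII value: stable for correlation, not recoverable without the key."""
    digest = hmac.new(CORRELATION_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:16]


def sanitize_line(line: str) -> str:
    """Replace every detected PII value with [CLASS:tag] before the line reaches storage."""
    for label, pattern in PII_PATTERNS.items():
        line = pattern.sub(lambda m, l=label: f"[{l}:{correlation_tag(m.group(0))}]", line)
    return line


def sanitize_lines(lines):
    return [sanitize_line(line) for line in lines]


def contains_pii(line: str) -> bool:
    """Post-write check: true if any configured pattern still matches the line."""
    return any(p.search(line) for p in PII_PATTERNS.values())


if __name__ == "__main__":
    for sanitized in sanitize_lines(LOG_LINES):
        print(sanitized)
```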
5. Data Retention Periods
The Company maintains strict data retention policies in compliance with GDPR Article 5(1)(e) (storage limitation). Personal data is retained only for as long as necessary for the purposes for which it was collected:
| Data Type | Retention Period | Purge Method |
|---|---|---|
| System Logs (Sanitized) | 30-90 days | Automatic deletion after rotation period |
| User Sessions | 24 hours | Automatic expiry and deletion |
| Chat History (Optional) | User-controlled (can delete anytime) | Immediate deletion upon user request |
| Account Data | Duration of service + 30 days | Deletion upon account termination |
| Security Incident Logs | Up to 12 months (legal compliance) | Automatic deletion after retention period |
All retained data is subject to the same security measures outlined in Section 4, including PII sanitization for logs and encryption for stored data.
6. Data Location
All personal data processed under this agreement is stored and processed within the European Union. The Company uses EU-hosted AI providers (including Mistral AI, hosted in France) to ensure data residency compliance.
All transactional emails sent by askaieu.com (such as account verification, login links, billing notifications, and subscription updates) are routed exclusively through EU-based infrastructure. Outbound email is relayed via Mailjet (Sinch Group, France) and queued through Postfix on our EU-hosted servers. No email content or metadata passes through non-EU infrastructure at any point in the delivery chain.
Recommendation for full EU-to-EU communication: While askaieu.com ensures all outbound email stays within the EU, the privacy of your replies depends on your own email provider. If you wish to ensure that all correspondence with askaieu.com remains entirely within EU jurisdiction, we recommend using an EU-based email provider such as Proton Mail (Switzerland) or Tuta (Germany). Using a non-EU email provider (e.g., Gmail, Outlook.com) means your replies may be processed outside the EU by your provider.
7. Sub-processors
The Company may engage sub-processors to assist in providing the services. Current sub-processors include:
- Mistral AI (France) - AI model hosting and inference
- Hetzner (Germany) - Infrastructure and data storage
- Mailjet (France, Sinch Group) - Transactional email delivery relay. All email content and metadata is processed within the EU.
- mailbox.org (Germany, Heinlein Hosting) - Business email hosting. All data stored and processed in Germany.
- Tavily (United States) - Web search API. Note: Search queries are sanitized to remove all PII before being sent to this sub-processor, ensuring no personal data crosses EU borders. Only anonymized search terms are transmitted.
The Customer will be notified of any changes to sub-processors with at least 30 days' notice.
8. Data Breach Notification
In the event of a personal data breach, the Company shall notify the Customer without undue delay and in any case within 72 hours of becoming aware of the breach, providing all information necessary for the Customer to fulfill its own notification obligations.
9. Audit Rights
The Company shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
10. Term and Termination
This DPA shall remain in effect for the duration of the processing of personal data by the Company. Upon termination of the services, the Company shall, at the Customer's choice, delete or return all personal data and delete existing copies unless EU or Member State law requires storage of the personal data.
11. EU Regulatory Alignment
This DPA and our security practices are designed in alignment with applicable EU regulations:
- GDPR (EU) 2016/679 - Full compliance with data protection requirements
- ePrivacy Directive - Electronic communications and cookie consent
- EU Cybersecurity Act - Security measures following ENISA guidelines
We continuously monitor evolving EU regulations including the Cyber Resilience Act (CRA) and NIS2 Directive to ensure our practices remain aligned with European security standards.
12. Limitation of Liability
To the maximum extent permitted by applicable law, and subject to the mandatory provisions of the GDPR:
- General Limitation - The Company's total aggregate liability under this DPA shall not exceed the greater of (i) €10,000 or (ii) the total fees paid by the Customer in the 12 months preceding the event giving rise to liability.
- Exclusion of Indirect Damages - Neither party shall be liable for any indirect, incidental, special, consequential, or punitive damages, including loss of profits, loss of data (except where caused by failure to meet security obligations), loss of business, or business interruption.
- Security Measures Standard - The Company commits to implementing and maintaining security measures that are "appropriate to the risk" as required by GDPR Article 32, but does not guarantee absolute security. No system can be 100% secure against all possible threats.
- Force Majeure - Neither party shall be liable for delays or failures in performance resulting from acts beyond reasonable control, including but not limited to: acts of God, natural disasters, war, terrorism, riots, embargoes, acts of civil or military authorities, fire, floods, earthquakes, accidents, network infrastructure failures, strikes, or shortages of transportation, facilities, fuel, energy, labor, or materials. This includes sophisticated cyberattacks employing zero-day vulnerabilities or advanced persistent threats despite implementation of industry-standard security measures.
- Exceptions to Limitations - Nothing in this DPA shall limit liability for: (i) death or personal injury caused by negligence; (ii) fraud or fraudulent misrepresentation; (iii) gross negligence or willful misconduct; (iv) violations of data subjects' rights under the GDPR where such violations result from the Company's intentional or grossly negligent conduct; or (v) any other liability that cannot be limited under applicable law.
- Breach Notification Compliance - The Company's liability for data breaches is limited to situations where the Company failed to implement appropriate technical and organizational measures or failed to notify the Customer within the required 72-hour timeframe. The Company is not liable for breaches resulting from: (i) Customer's failure to secure their own systems; (ii) unauthorized access caused by Customer's employees or systems; (iii) Customer's failure to follow security recommendations; or (iv) disclosure required by law.
- Indemnification - The Customer shall indemnify and hold harmless the Company from any claims, damages, or costs arising from: (i) Customer's breach of this DPA; (ii) Customer's violation of applicable data protection laws; (iii) Customer's instructions to process data in a manner that violates applicable law; or (iv) claims by data subjects resulting from Customer's own data processing activities.
- Third-Party Claims - The Company is not liable for claims arising from the acts or omissions of sub-processors beyond the Company's reasonable control, provided the Company has exercised reasonable care in selecting and monitoring such sub-processors.
Important Note: These limitations apply only to the extent permitted by law. Where GDPR or other applicable data protection laws impose stricter liability standards, those standards shall prevail. This limitation of liability is in addition to, and should be read together with, the general terms in our Terms of Service.
13. Contact
For questions regarding this DPA or to exercise your rights, please contact us through our contact form.