Data Processing Addendum (template)
Template — finalise with counsel before customer execution.
This Data Processing Addendum (DPA) forms part of the Master Services Agreement (MSA) between Citera ("Processor") and the customer ("Controller") for the provision of the Citera content engine.
1. Definitions
Terms in this DPA carry the meaning given by Regulation (EU) 2016/679 (the GDPR).
2. Scope and details of processing
| Item | Description |
|---|---|
| Subject matter | Generation, audit, and citation tracking of marketing content |
| Duration | The term of the MSA |
| Nature | Storage, retrieval, embedding, prompt generation, third-party API calls (LLMs, SERP, AI assistants) |
| Purpose | Producing AI-citable content for the Controller |
| Categories of data subjects | Controller's employees with platform access; identifiable persons named in Controller-uploaded documents |
| Types of personal data | Email, name, role, IP, browser metadata; any personal data within Controller-uploaded documents |
3. Sub-processors
| Sub-processor | Service | Region |
|---|---|---|
| Neon | Postgres database | EU (Frankfurt) |
| Cloudflare R2 | Object storage | EU jurisdiction restricted |
| Hetzner | Agent runtime hosting | EU (Falkenstein DE / Helsinki FI) |
| Upstash | Redis queue | EU (Frankfurt) |
| OpenAI | LLM + image generation | US (no-training mode) |
| Clerk | Authentication | US |
| Stripe | Billing | Ireland |
| Resend | Transactional email | EU |
| Sentry | Error monitoring | EU |
| PostHog | Product analytics | EU |
| Axiom | Structured logs | EU |
| Vercel | Web app hosting | EU (Frankfurt-preferred) |
The Processor will give 30 days' written notice (via email or in-product banner) before adding or replacing a sub-processor. The Controller may object in writing; if no agreement is reached, the Controller may terminate the affected service for the remainder of the billing period without penalty.
4. Region pinning
Customer data (database rows, object storage, queue messages, generated articles, log streams) are stored exclusively in EU regions per the table above. The Processor's agent runtime asserts this at boot and refuses to start if any service resolves outside the EU. Failures are logged to a non-customer-data region and paged to the on-call rotation.
The OpenAI sub-processor is the sole exception: prompts and responses transit the OpenAI API endpoint (US). The Controller acknowledges and consents to this transfer; standard contractual clauses are in place between the Processor and OpenAI.
5. Security measures
The Processor implements:
- TLS in transit, AES-256 at rest (database + object storage)
- Multi-tenancy enforced at every read and write through application-level guards; cross-tenant leak test runs in CI on every change
- HMAC-authenticated communication between web and agent runtime
- Idempotency keys on every mutating external API call
- Annual penetration test (planned for first anniversary of GA launch)
- All sub-processor accounts use 2FA / SSO
- Encrypted secrets management (Vercel + Hetzner env files mode 0600)
6. Data subject rights
The Processor will assist the Controller in fulfilling DSARs (access, rectification, erasure, portability, objection) within 30 days of written request.
The platform exposes self-serve data export (ZIP containing all rows + R2 blobs) and account deletion (soft-delete with a 30-day grace period before permanent purge).
7. Notification of personal data breach
The Processor will notify the Controller without undue delay (and no later than 72 hours) of any personal data breach affecting Controller data. Notification will include the categories and approximate number of data subjects, the categories and approximate number of records, the likely consequences, and the measures taken or proposed.
8. Audit
The Controller may, at its own cost and no more than once per calendar year, audit the Processor's compliance with this DPA. Audits will be conducted under reasonable terms mutually agreed in advance. The Processor may satisfy this obligation by providing an independent third-party report (e.g. SOC 2) once available.
9. Termination
On termination of the MSA the Processor will, at the Controller's option, return or destroy all Controller personal data within 60 days. Self-serve account deletion via the platform satisfies this obligation.
This DPA is governed by the laws of [Member State to be specified] and the parties agree to the exclusive jurisdiction of the courts of [city, Member State].
Signed for and on behalf of Citera: __
Signed for and on behalf of the Controller: __