Data Processing Agreement

Effective 2026-06-23

eustella Data Processing Agreement

Last updated: 23.06.2026 · Version 1.1.0

Deutsche Fassung (Auftragsverarbeitungsvertrag): eustella.com/de/services/dpa. In case of conflict, the language version executed by the parties prevails.

This Data Processing Agreement ("DPA") is intended solely for eustella's business (B2B) customers — organisations that use eustella's services for professional or commercial purposes. It does not apply to consumers using eustella's mobile applications or consumer features.

This DPA forms part of, and is incorporated into, the agreement between the Customer and eustella for the use of eustella's services (the "Main Agreement" — namely the purchase agreement (Kaufvertrag) concluded individually with the Customer), and governs the processing of personal data carried out by eustella on behalf of the Customer in connection with the Services. It is concluded pursuant to Article 28(3) of Regulation (EU) 2016/679 ("GDPR").

1. Parties

Processor

AI Newsrooms Technology GmbH Karl-Farkas-Gasse 22, 1030 Vienna, Austria Company register: FN 637289s, Commercial Court of Vienna VAT ID: ATU81169478 Contact for data protection matters: privacy@eustella.com

(hereinafter "eustella" or the "Processor")

Controller

Customer legal nameAddressCompany register / VAT IDContact for data protection matters

(hereinafter the "Customer" or the "Controller")

eustella and the Customer are each a "Party" and together the "Parties".

2. Subject matter, roles and scope

2.1 In the course of providing the Services under the Main Agreement, eustella processes personal data on behalf of and on the documented instructions of the Customer. With respect to such processing, the Customer acts as controller (or, where the Customer itself acts as a processor for a third party, as that third party's processor) and eustella acts as processor within the meaning of Article 4(8) GDPR.

2.2 Each Party is responsible for complying with its own obligations under applicable data protection law. The Customer is responsible for the lawfulness of the processing it instructs, including for having a valid legal basis for the personal data it submits to the Services.

2.3 The subject matter, duration, nature and purpose of the processing, the types of personal data and the categories of data subjects are set out in Annex 1.

3. Duration

This DPA takes effect on the effective date of the Main Agreement and remains in force for as long as eustella processes personal data on behalf of the Customer under the Main Agreement. Obligations that by their nature survive termination — in particular Sections 11 (deletion and return) and 13 (confidentiality) — survive termination of this DPA.

4. Processing on documented instructions

4.1 eustella processes personal data only on the documented instructions of the Customer, including with regard to transfers of personal data to a third country, unless required to do so by Union or Member State law to which eustella is subject. In such a case, eustella informs the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

4.2 The Main Agreement, this DPA (including its Annexes), and the Customer's documented use of the Services constitute the Customer's complete and final instructions. Additional or alternative instructions must be agreed in writing and may be subject to adjustment of fees if they require changes to the Services.

4.3 eustella informs the Customer without undue delay if, in its opinion, an instruction infringes the GDPR or other applicable data protection provisions. eustella is entitled to suspend execution of such an instruction until it is confirmed or amended.

4.4 No use for own purposes; no model training. eustella does not use Customer personal data for its own purposes. This does not apply to ensuring the security, integrity and availability of the services, the prevention of abuse and fraud, compliance with legal obligations, and the creation of aggregated, non-personal statistics to improve the services. eustella does not use Customer content to train AI models — neither its own nor those of any third party.

5. Confidentiality

eustella ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Customer personal data is limited to personnel who need it to provide the Services; no employee has default access to the content of conversations or Customer inputs, and any such access is restricted to designated staff in specific, documented circumstances.

6. Technical and organisational measures

6.1 eustella implements appropriate technical and organisational measures pursuant to Article 32 GDPR to ensure a level of security appropriate to the risk. AI Newsrooms Technology GmbH is certified to ISO/IEC 27001:2022 (Certificate No. IS-IA-2026-04-15-01). The measures in force at the effective date are described in Annex 2.

6.2 eustella may update the measures over time provided that the level of security is not materially reduced.

7. Sub-processors

7.1 The Customer grants eustella general written authorisation to engage sub-processors. eustella maintains a current list of sub-processors at eustella.com/services/privacy/sub-processors, which forms part of Annex 3 and is the authoritative, up-to-date list.

7.2 eustella imposes on each sub-processor, by way of a contract, data protection obligations that are no less protective than those set out in this DPA, in particular the obligation to provide sufficient guarantees to implement appropriate technical and organisational measures. eustella remains liable to the Customer for the performance of each sub-processor's obligations.

7.3 eustella informs the Customer of any intended addition or replacement of a sub-processor, giving the Customer the opportunity to object. The Customer may object on reasonable data-protection grounds within 30 days of being informed. If the Parties cannot resolve the objection, the Customer may terminate the Services as its sole remedy.

8. EU-only infrastructure; no international transfers

8.1 EU-only processing. eustella's infrastructure — the servers that run the Services, store Customer data, and perform AI inference — is hosted exclusively with providers established in the European Union. All personal data processed under this DPA is processed and stored within the EU/EEA.

8.2 eustella does not transfer Customer personal data to, or process it in, any third country outside the EU/EEA, and does not engage any sub-processor that processes Customer personal data outside the EU/EEA. All sub-processors are EU/EEA-established providers (see Annex 3). Were eustella ever to intend to introduce any such transfer, it would first notify the Customer in accordance with Section 7 and put in place an appropriate transfer mechanism under Chapter V GDPR; absent that, all processing remains within the EU/EEA.

9. Assistance with data subject rights

Taking into account the nature of the processing, eustella assists the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer's obligation to respond to requests for exercising the data subject's rights under Chapter III GDPR (Articles 12–23). Support services exceeding the reasonable cooperation required to fulfil statutory obligations shall be remunerated by the customer on a time-and-materials basis as agreed. If a data subject contacts eustella directly regarding personal data processed on behalf of the Customer, eustella forwards the request to the Customer without undue delay and does not respond itself unless instructed by the Customer or legally required.

10. Assistance with security, breach and impact assessment

Taking into account the nature of processing and the information available to eustella, eustella assists the Customer in ensuring compliance with the obligations under Articles 32 to 36 GDPR, including security of processing, notification of personal data breaches, data protection impact assessments, and prior consultation with the supervisory authority. Support services exceeding the reasonable cooperation required to fulfil statutory obligations shall be remunerated by the customer on a time-and-materials basis as agreed.

11. Personal data breach

eustella notifies the Customer without undue delay after becoming aware, with reasonable certainty, of a personal data breach affecting Customer personal data. The notification describes, to the extent known, the nature of the breach, the likely consequences, the categories and approximate number of data subjects and records concerned, and the measures taken or proposed to address it. Where not all information is available at the time of the initial notification, eustella may provide it in phases. The notification does not constitute an acknowledgement of fault or liability. eustella does not notify supervisory authorities or data subjects on the Customer's behalf unless instructed to do so.

12. Demonstration of compliance

12.1 eustella makes available to the Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this DPA.

12.2 The Customer's right to verify eustella's compliance is satisfied primarily by documentation and may be exercised no more than once per year; this does not apply where a competent supervisory authority orders a further audit. On written request, eustella provides relevant compliance documentation — in particular AI Newsrooms Technology GmbH's ISO/IEC 27001:2022 certification (Certificate No. IS-IA-2026-04-15-01), security descriptions, and independent third-party audit or assessment reports, where available. On-site audits and physical inspections of eustella's premises, systems or facilities are permitted only where the documentation provided is demonstrably insufficient to evidence compliance under Art. 28 GDPR or where a competent supervisory authority so orders. Any such audit shall take place upon reasonable prior notice of at least 30 days, during normal business hours, while preserving confidentiality and the security and personal data of other customers, and at the customer's expense. eustella's obligation under this section is subject to confidentiality and is otherwise limited to the documentation already available to eustella, unless a competent supervisory authority requires otherwise.

13. Deletion and return

At the Customer's choice, eustella deletes or returns all Customer personal data after the end of the provision of the Services and deletes existing copies, unless Union or Member State law requires storage of the personal data. Statutory retention obligations (for example under Austrian accounting law) and short-term retention in routine backups, which are deleted on their ordinary cycle, are unaffected.

14. Liability and governing law

14.1 Liability is governed by Article 82 GDPR and by the liability provisions of the Main Agreement.

14.2 This DPA is governed by the laws of Austria, excluding its conflict-of-law rules and the UN Convention on Contracts for the International Sale of Goods. The exclusive place of jurisdiction is Vienna, Austria, to the extent permitted by law.

15. Order of precedence and miscellaneous

15.1 In the event of a conflict between this DPA and the Main Agreement regarding the processing of personal data, this DPA prevails.

15.2 Should any provision of this DPA be or become invalid, the validity of the remaining provisions is not affected.


Annex 1 — Details of the processing

Subject matter: Processing of personal data by eustella in order to provide the Services to the Customer under the Main Agreement.

Duration: For the term of the Main Agreement and until deletion or return of the personal data in accordance with Section 13.

Nature and purpose: Hosting, storage, transmission, AI inference (generation of model outputs from Customer inputs), and related processing operations necessary to provide the Services, including, depending on the Services used: chat/agent completions, web search, optical character recognition (OCR), audio transcription, and image generation.

Types of personal data: Any personal data contained in the inputs, prompts, files, documents and other content that the Customer or its end users submit to the Services, and in the outputs generated therefrom; account and authentication data; and technical and usage data (such as IP address, device and browser information, and event logs). The specific categories are determined by the Customer through its use of the Services.

Special categories of personal data (Art. 9 GDPR): Not intended. The Customer is responsible for not submitting special-category data unless it has ensured a valid legal basis and has informed eustella where additional safeguards are required.

Categories of data subjects: The Customer's end users and any individuals whose personal data is contained in the content the Customer submits to the Services (which may include the Customer's customers, employees, contacts or other third parties).


Annex 2 — Technical and organisational measures (Art. 32 GDPR)

  • Certification: AI Newsrooms Technology GmbH is certified to ISO/IEC 27001:2022 (Certificate No. IS-IA-2026-04-15-01), covering its information-security management system. Independent black-box penetration testing of the production platform is conducted, with tracking and remediation of identified findings.
  • Encryption: Personal data is encrypted in transit (TLS 1.2 or higher, current cipher suites) and at rest (AES-256 or equivalent industry-standard protocols). Confidential configuration values, API keys and other secrets are held exclusively in dedicated secret-management / key-management systems.
  • Access control and authentication: Role-based access controls and least-privilege/need-to-know assignment, reviewed periodically; mandatory multi-factor authentication (2FA) for all privileged and administrative access (e.g. cloud console, CI/CD pipelines, administration); strict password and access policies; no default employee access to Customer content, with access limited to designated staff in specific, documented circumstances.
  • EU data residency: All processing and storage take place within the EU/EEA; no international transfers (see Section 8). All sub-processors are EU/EEA-established providers.
  • Network and infrastructure security: Operation of platform infrastructure in logically isolated networks (VPCs, subnets); segmentation by environment; firewall rules and network policies restricting access to necessary ports and protocols; use of an access-controlled, centrally managed container registry; regular patch and vulnerability management of base images and dependencies.
  • Separation of environments and tenants: Clear separation of development, staging and production environments; production Customer data is not used for development or testing; logical tenant/customer isolation at the database and/or application layer (e.g. separate databases/schemata, tenant IDs).
  • Integrity: Central logging of relevant access and administrative actions; protection against unauthorised modification.
  • Availability and resilience: Redundant, multi-region European infrastructure; routine backups, retained separately within the EU; regular restore testing against defined Recovery Time and Recovery Point Objectives (RTO/RPO); measures to restore availability and access to personal data in a timely manner after an incident.
  • Monitoring and incident response: Monitoring of infrastructure and services with alerting on anomalies; established internal processes for evaluating and handling security incidents, including escalation paths and documentation; defined breach-notification procedure to the Controller (minimum content and timing per Section 11).
  • No model training on Customer data: Customer content is not used to train, fine-tune or improve AI models — neither eustella's own nor those of any third party.
  • Sub-processor governance: Contractual data-protection obligations imposed on all sub-processors that are no less protective than this DPA; maintained sub-processor list.
  • Evaluation: Regular internal review (security and architecture reviews) to assess and, where appropriate, improve the effectiveness of these measures.

Annex 3 — Approved sub-processors

The authoritative, current list of sub-processors is published and maintained at eustella.com/services/privacy/sub-processors. The list below reflects the sub-processors engaged as at the effective date. All sub-processors engaged for business (B2B) processing are established in the EU/EEA and process Customer personal data exclusively within the EU/EEA. Which sub-processors apply depends on the Services the Customer uses.

Sub-processorLegal entity / locationPurposeTransfer safeguard
IONOSIONOS SE — Germany (EU)Core cloud infrastructure; servers and data storageEU — none required
ScalewayScaleway SAS — France (EU)Supplementary cloud compute and AI workloadsEU — none required
Mistral AIMistral AI — France (EU)OCR and audio transcriptionEU — none required
VerdaVerda Cloud Oy — Finland (EU)GPU compute for AI model inferenceEU — none required
LinkupLinkup Technologies SAS — France (EU)Real-time web searchEU — none required