Data Processing Agreement (DPA)
Preamble: purpose and subject of this DPA
This Data Processing Agreement (the "DPA") is concluded between the Customer (as controller within the meaning of Article 4(7) of Regulation (EU) 2016/679 [GDPR]) and Civora (as processor within the meaning of GDPR Art. 4(8)), in connection with the Civora SaaS subscription. The DPA contains the elements mandated by GDPR Article 28(3) and (4) and forms an integral part of the Terms of Service.
1. Parties
- Controller (Customer)
- the Customer as identified on the Civora registration form (name, registered seat, tax number, contact — stored on the Civora account profile)
- Processor (Civora)
- Tibor Levente Székely, Hungarian sole trader; seat: Domaháza utca 46., 1154 Budapest; reg.: 59845982; tax: 90586961-1-42 (HU90586961); contact: hello@civora.hu
2. Subject-matter, duration, nature, and purpose of processing
| Item (GDPR Art. 28(3)) | Content |
|---|---|
| Subject-matter | AI-based moderation of messages posted on the Customer's Discord server + audit log generation |
| Duration | the term of the Customer-Civora subscription (Terms) + the period for return / deletion of data after termination |
| Nature | automated AI analysis + algorithmic decision-making (GDPR Art. 22); manual review/override via the Dashboard; audit-log generation; statistical analytics |
| Purpose | moderation of the Customer's Discord server community per the Customer-configured template + severity thresholds; auditability of moderation actions; operation of the Service |
| Data categories | message text; author Discord user_id; channel ID; timestamp; moderation decision (action type, AI score, explanation); Customer override decisions |
| Data subjects | End Users (natural persons being members of the Customer's Discord server) |
3. Processing solely on documented instructions
3.1. Civora processes personal data only on documented instructions of the Customer (GDPR Art. 28(3)(a)), including with regard to transfers to a third country or international organisation, unless required to do so by Union or Member State law to which Civora is subject; in such a case Civora informs the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
3.2. Documented instructions: (a) this DPA; (b) the configuration settings the Customer enters in the Civora Dashboard (template, severity threshold, retention setting); (c) additional written instructions sent by the Customer to Civora (email, in-Dashboard message).
3.3. Civora immediately informs the Customer if, in its opinion, an instruction infringes the GDPR or other Union/Member State data protection provisions (GDPR Art. 28(3) last subparagraph).
4. Confidentiality
Civora ensures that persons authorised to process personal data (employees, contractors) have committed themselves to confidentiality or are under an appropriate statutory duty of confidentiality (GDPR Art. 28(3)(b)).
5. Security of processing (GDPR Art. 28(3)(c) + Art. 32)
Civora implements appropriate technical and organisational measures required by GDPR Art. 32 to ensure a level of security appropriate to the risk. Specific measures are set out in Annex II — Technical and Organisational Measures (TOMs).
6. Sub-processors (GDPR Art. 28(2) and (4))
6.1. General written authorisation. By signing this DPA, the Customer grants Civora a general written authorisation to engage further processors (sub-processors) under GDPR Art. 28(2). The current list of sub-processors is in Annex I.
6.2. New or replacement sub-processor. Civora informs the Customer in advance of intended changes, by Dashboard banner and/or email to the registered address, at least 30 days before the effective date, giving the Customer the opportunity to object. On a reasoned, written objection, the parties negotiate in good faith; if the objection is not resolved within 30 days, the Customer may terminate the affected service tier with a special right of cancellation.
6.3. Sub-processor contract guarantees. Civora imposes on each sub-processor, by way of a contract, the same data protection obligations as set out in this DPA (GDPR Art. 28(4)). Where a sub-processor fails to fulfil its data protection obligations, Civora remains fully liable to the Customer for the performance of those obligations.
7. Assistance with data-subject rights (GDPR Art. 28(3)(e))
7.1. Civora, taking into account the nature of processing, assists the Customer by appropriate technical and organisational measures in fulfilling the Customer's obligation to respond to data-subject requests under Chapter III (information, access, rectification, erasure, restriction, portability, objection, automated-decision rights).
7.2. Practical mechanisms:
- Access + portability export: the Customer can request, from the Dashboard, an export (JSON) of the moderation audit log for a specific End User (GDPR Arts. 15 + 20).
- Rectification / erasure: Civora exposes an API endpoint (or performs the removal itself on Customer request) to remove a given message or audit-log entry from the Civora system.
- Objection: Civora documents the objection and suspends AI analysis on the affected End User's messages until the Customer (as controller) decides the matter.
- Automated-decision rights (GDPR Art. 22): Civora provides override functionality in the Dashboard (revoke moderation action; allowlist the End User).
8. Assistance with GDPR Arts. 32–36 obligations (Art. 28(3)(f))
8.1. Data-breach notification (GDPR Art. 33(2)): Civora notifies the Customer without undue delay and at the latest within 48 hours of becoming aware of a personal-data breach affecting personal data processed on behalf of the Customer. The notification includes the elements in GDPR Art. 33(3), to the extent available to Civora.
8.2. Data Protection Impact Assessment (DPIA, GDPR Art. 35): on request, Civora provides reasonable assistance to the Customer in carrying out a DPIA, supplying information about the nature of processing and Civora's systems.
8.3. Prior consultation (GDPR Art. 36): Civora assists the Customer in prior consultations with the supervisory authority on a similar basis.
9. Return or deletion of data at end of services (GDPR Art. 28(3)(g))
9.1. Following termination of the Service by the Customer, Civora will, at the Customer's written choice, return or delete all personal data processed on the Customer's behalf, and delete existing copies — unless Union or Member State law requires storage (in particular: the 8-year accounting document retention under Számv. tv. § 169; storage and confidentiality obligations apply for the duration of that retention).
9.2. Default behaviour absent specific instructions: if the Customer does not direct return or deletion within 30 days after termination, Civora automatically deletes or anonymises the non-accounting data processed on the Customer's behalf on the 30th day.
9.3. On request, Civora provides a written confirmation of return or deletion.
10. Demonstration and audit (GDPR Art. 28(3)(h))
10.1. Civora makes available to the Customer all information necessary to demonstrate compliance with GDPR Art. 28 obligations.
10.2. Civora allows for and contributes to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer. Audit costs are borne by the Customer, unless the audit reveals significant non-compliance on Civora's side. Audits must be announced at least 30 days in advance and conducted during business hours, in a manner that does not materially disrupt Civora's operations.
10.3. Pre-audit documentation may substitute. Civora primarily satisfies audit requests by providing: (a) the current version of this DPA; (b) the Privacy Notice + sub-processor list; (c) the TOMs (Annex II); (d) where available, a third-party certification (e.g. SOC 2 Type II, ISO 27001).
11. International transfers (GDPR Arts. 44–49)
Personal data is by default stored and processed inside the EU (OVH Gravelines + Civora-self-hosted Supabase EU instance). For recipients outside the EU (currently Google [USA] and Discord [USA] as sub-processors; Dodo Payments [USA] receives billing data as an independent controller, see the note in Annex I), the parties rely on the appropriate GDPR Art. 46 mechanism:
- Commission Implementing Decision (EU) 2023/1795 under the EU-US Data Privacy Framework, where the recipient is certified;
- Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914. For this DPA, Module 2 (controller-to-processor) governs the Controller-Civora relationship and Module 3 (processor-to-processor) governs Civora-sub-processor relationships — both incorporated by reference. Annexes I and II of the present DPA fill in the corresponding SCC annexes (Annex I.A, I.B, II).
Copies of the supporting safeguards (DPF certifications, signed SCC) are available on request via hello@civora.hu.
12. Liability and indemnification
12.1. The parties are liable under GDPR Art. 82 for material and non-material damage caused to data subjects by infringements of the data-protection rules.
12.2. The parties' contractual liability arising from the processing is governed by clause 10 of the Terms of Service, taking due account of the mandatory limits under Ptk. § 6:152.
13. Governing law and disputes
Governing law: Hungarian law (without prejudice to the direct applicability of GDPR). Dispute resolution per clause 14 of the Terms of Service.
14. Term and termination
This DPA enters into force with the Civora-Customer subscription contract (or, at a later date, on acceptance of the DPA during registration) and remains in force until termination of the subscription. Obligations under clause 9 (return / deletion), clause 4 (confidentiality), and the accounting retention (Számv. tv. § 169) survive termination.
15. Signature
Acceptance of this DPA is validly given through a dedicated, express checkbox in the Civora Dashboard (Ptk. § 6:7(3)). Civora sends a confirmation of acceptance to the registered email.
ANNEX I — Sub-processors (per clause 6)
| Sub-processor | Location | Processing activity | Transfer basis |
|---|---|---|---|
| OVH SAS | France (EU) — Gravelines DC | Hosting, compute, network infrastructure | EU-internal |
| Supabase (self-hosted by Civora) | EU | PostgreSQL database + Auth | EU-internal |
| Google LLC (Gemini API) | USA | AI translation (feature-request texts) | EU-US DPF / SCC Module 3 |
| Google LLC (Gmail / Workspace SMTP) | USA / EU mixed | Transactional email | EU-US DPF / SCC Module 3 |
| Discord Inc. | USA | Storage of the Discord server + bot operations | EU-US DPF / SCC; Discord's own privacy notice applies |
| Dodo Payments Inc. (see note below) | USA (Delaware) | Payment processing + tax collection — collected directly from Customer | EU-US DPF / SCC; Dodo is independent controller for billing data, not a sub-processor |
Note on Dodo: Dodo Payments collects the Customer's billing data directly at its hosted checkout and is independent controller in that respect (not a sub-processor). Civora only receives reconciliation identifiers from Dodo (Dodo customer_id, invoice_id, amount paid, currency, status). Dodo therefore falls outside the strict scope of this DPA; it is listed here for full transparency.
ANNEX II — Technical and Organisational Measures (TOMs, GDPR Art. 32)
A. Confidentiality
- TLS 1.3 across all HTTPS traffic (Dashboard, API, bot connections).
- Encryption at rest: the Supabase / Postgres storage layer is encrypted; Discord OAuth tokens are stored under application-level AES-GCM encryption.
- Row-Level Security (RLS) at the Supabase layer: data is partitioned per Customer account ID. Because the Supabase service-role key bypasses RLS, it is restricted to server-side code and is never shipped to the browser or the bot client.
- Least-privilege access: Civora staff access personal data strictly as needed for their tasks; separate audit log of each such access (Infotv. § 25/F).
- Sub-processor contracts include confidentiality clauses.
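As an added illustration of the application-level AES-GCM token encryption named above (example code, not Civora's own implementation): the token is sealed with AES-256-GCM under a key that exists only in server-side configuration, with a fresh random nonce per record and the owning account ID bound in as associated data, so a sealed token copied into another account's row, modified in the database, or decrypted with the wrong key is rejected by the authentication tag instead of being returned. The key, token, account IDs and the names sealToken/openToken are constructed for this example.

```typescript
// Added example, not Civora's own code. Illustrates application-level
// AES-256-GCM sealing of an OAuth token before it is written to the database.
// Assumed: the 32-byte key lives only in server-side configuration (here a
// constructed demo key), and the owning account ID is bound to the ciphertext
// as associated data so a sealed token copied into another account's row will
// not decrypt. Names (sealToken, openToken) are hypothetical.
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

const KEY_LEN = 32;   // AES-256
const NONCE_LEN = 12; // 96-bit nonce, the size GCM is specified for
const TAG_LEN = 16;   // 128-bit authentication tag

// What is stored in the tokens table: nonce, ciphertext and tag, all base64url.
export interface SealedToken {
  v: 1;               // format version so key or algorithm can be rotated later
  nonce: string;
  ciphertext: string;
  tag: string;
}

export function sealToken(key: Buffer, accountId: string, token: string): SealedToken {
  if (key.length !== KEY_LEN) throw new Error("key must be 32 bytes");
  const nonce = randomBytes(NONCE_LEN); // fresh per record; a reused nonce breaks GCM
  const cipher = createCipheriv("aes-256-gcm", key, nonce, { authTagLength: TAG_LEN });
  cipher.setAAD(Buffer.from(accountId, "utf8")); // authenticated, not encrypted
  const ct = Buffer.concat([cipher.update(token, "utf8"), cipher.final()]);
  return {
    v: 1,
    nonce: nonce.toString("base64url"),
    ciphertext: ct.toString("base64url"),
    tag: cipher.getAuthTag().toString("base64url"),
  };
}

// Returns the token, or null if the record was tampered with, sealed under a
// different key, or belongs to a different account (tag check fails in all cases).
export function openToken(key: Buffer, accountId: string, sealed: SealedToken): string | null {
  if (key.length !== KEY_LEN || sealed.v !== 1) return null;
  try {
    const decipher = createDecipheriv(
      "aes-256-gcm", key, Buffer.from(sealed.nonce, "base64url"), { authTagLength: TAG_LEN });
    decipher.setAAD(Buffer.from(accountId, "utf8"));
    decipher.setAuthTag(Buffer.from(sealed.tag, "base64url"));
    const pt = Buffer.concat([
      decipher.update(Buffer.from(sealed.ciphertext, "base64url")),
      decipher.final(), // throws on authentication failure
    ]);
    return pt.toString("utf8");
  } catch {
    return null; // never fall back to treating the stored bytes as plaintext
  }
}

// Constructed demo: a throwaway key and a placeholder token, not real credentials.
export const DEMO_KEY = randomBytes(KEY_LEN);
export const DEMO_TOKEN = "discord-oauth-access-token-placeholder";

export function demo(): { roundTrip: boolean; crossAccount: boolean; tampered: boolean; wrongKey: boolean } {
  const sealed = sealToken(DEMO_KEY, "acct_123", DEMO_TOKEN);
  const ctBytes = Buffer.from(sealed.ciphertext, "base64url");
  ctBytes[0] ^= 0x01; // flip one bit of the stored ciphertext
  const flipped = { ...sealed, ciphertext: ctBytes.toString("base64url") };
  return {
    roundTrip: openToken(DEMO_KEY, "acct_123", sealed) === DEMO_TOKEN,
    crossAccount: openToken(DEMO_KEY, "acct_999", sealed) === null,
    tampered: openToken(DEMO_KEY, "acct_123", flipped) === null,
    wrongKey: openToken(randomBytes(KEY_LEN), "acct_123", sealed) === null,
  };
}
```

The format version field is what makes later key rotation or an algorithm change possible without a flag day: a reader that sees an unknown version refuses the record rather than guessing. Binding the account ID as associated data means an RLS bypass or a bulk database copy still does not turn one account's token into another's.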
B. Integrity
- Idempotency on every inbound webhook: deliveries are deduplicated on the Dodo webhook ID, so a redelivered event is not processed twice.
- Database constraints + RLS preventing cross-account access.
- Input validation (zod schemas) on API surfaces.
C. Availability + Resilience
- Daily automated database backup on the Civora-self-hosted Supabase instance.
- Annual, documented restore test of the backups.
- Multi-layer failover (application replicas; load balancer).
- RTO target: 4 hours; RPO: up to 24 hours (set by the daily backup frequency).
D. Continuous testing + evaluation
- Automated static analysis (TypeScript strict mode, ESLint security plugin) on every CI build.
- Annual documented security threat-modelling.
- Annual review of the incident-response procedure.
E. Auditability (Infotv. § 25/F)
An audit log of electronic operations on personal data is maintained, containing (a) the scope of data affected; (b) the purpose and reason of the operation; (c) the timestamp; (d) the operator; (e) the recipient of any transfer. Audit-log entries are retained for 10 years after deletion of the underlying data (Infotv. § 25/F(4)).
F. Incident response
- Customer notified within 48 hours of Civora becoming aware of a breach affecting data processed on the Customer's behalf (clause 8.1); the Customer, as controller, then notifies its own supervisory authority under GDPR Art. 33(1), with Civora supplying the Art. 33(3) elements.
- For breaches where Civora is itself the controller (e.g. Customer account data), notification to NAIH within 72 hours (GDPR Art. 33) is automated on Civora's side.
- High-risk incidents: data subjects informed per GDPR Art. 34.