Legal
Data Processing Agreement
GDPR Article 28 · Effective: 1 May 2026
1. Definitions
- “Controller” — the Customer, who determines the purposes and means of processing.
- “Processor” — Beweird SAS, who processes personal data on behalf of the Controller.
- “Personal Data” — any information relating to an identified or identifiable natural person within the scope of the Service (primarily account data: name, email).
- “GDPR” — Regulation (EU) 2016/679 of the European Parliament and of the Council.
2. Subject matter and nature of processing
Azoth processes personal data to: authenticate users, deliver the Azoth OS platform, send transactional communications, and provide billing functionality. The nature of processing is storage, retrieval, and transmission. No special categories of personal data are processed.
3. Processor obligations
Azoth shall:
- Process personal data only on documented instructions from the Controller (these Terms).
- Ensure persons authorized to process personal data are bound by confidentiality.
- Implement technical and organizational measures as described in our Security Policy.
- Assist the Controller in responding to data subject rights requests.
- Delete or return all personal data upon termination of the Service.
- Make available to the Controller all information necessary to demonstrate compliance.
4. Sub-processors
Current approved sub-processors:
- Supabase, Inc. — database and authentication · USA (EU region available)
- Stripe, Inc. — payment processing · USA · PCI DSS L1
- Vercel, Inc. — hosting · USA / EU Edge
- Sentry, Inc. — error monitoring · USA
- Anthropic, PBC — AI inference (when Anthropic models are selected) · USA
- OpenAI, OpCo, LLC — AI inference (when OpenAI models are selected) and embedding generation for the semantic cache · USA
- Resend, Inc. — transactional email delivery · USA
- Upstash, Inc. — Redis (rate limiting, caching, idempotency) · USA / EU
We will notify Customers of sub-processor changes with 30 days advance notice.
5. International transfers
Where personal data is transferred outside the EEA, Azoth relies on Standard Contractual Clauses (SCCs) as approved by the European Commission. EU-region data residency is available on Enterprise plans on request — contact legal@azothos.ai.
6. Data subject rights
Azoth will assist the Controller in fulfilling data subject rights within the timeframes required by GDPR. Data portability requests are fulfilled via GET /api/v1/export (JSON or NDJSON). Erasure requests are processed within 30 days.
7. Security incidents
In the event of a personal data breach, Azoth will notify the Controller without undue delay and within 72 hours of becoming aware of the breach, providing information about the nature of the breach, categories and approximate number of records affected, likely consequences, and measures taken.
8. Contact
Data protection officer: privacy@azothos.ai
For signed enterprise DPAs: legal@azothos.ai