Skip to main content
AzothOS← Back to home

Legal

Data Processing Agreement

GDPR Article 28 · Effective: 1 May 2026

This Data Processing Agreement (“DPA”) is incorporated by reference into the Azoth OS Terms of Service and applies wherever Beweird SAS processes personal data on behalf of a Customer in connection with providing the Service. For Enterprise customers requiring a signed DPA, contact legal@azothos.ai.

1. Definitions

  • “Controller” — the Customer, who determines the purposes and means of processing.
  • “Processor” — Beweird SAS, who processes personal data on behalf of the Controller.
  • “Personal Data” — any information relating to an identified or identifiable natural person within the scope of the Service (primarily account data: name, email).
  • “GDPR” — Regulation (EU) 2016/679 of the European Parliament and of the Council.

2. Subject matter and nature of processing

Azoth processes personal data to: authenticate users, deliver the Azoth OS platform, send transactional communications, and provide billing functionality. The nature of processing is storage, retrieval, and transmission. No special categories of personal data are processed.

3. Processor obligations

Azoth shall:

  • Process personal data only on documented instructions from the Controller (these Terms).
  • Ensure persons authorized to process personal data are bound by confidentiality.
  • Implement technical and organizational measures as described in our Security Policy.
  • Assist the Controller in responding to data subject rights requests.
  • Delete or return all personal data upon termination of the Service.
  • Make available to the Controller all information necessary to demonstrate compliance.

4. Sub-processors

Current approved sub-processors:

  • Supabase, Inc. — database and authentication · USA (EU region available)
  • Stripe, Inc. — payment processing · USA · PCI DSS L1
  • Vercel, Inc. — hosting · USA / EU Edge
  • Sentry, Inc. — error monitoring · USA
  • Anthropic, PBC — AI inference (when Anthropic models are selected) · USA
  • OpenAI, OpCo, LLC — AI inference (when OpenAI models are selected) and embedding generation for the semantic cache · USA
  • Resend, Inc. — transactional email delivery · USA
  • Upstash, Inc. — Redis (rate limiting, caching, idempotency) · USA / EU

We will notify Customers of sub-processor changes with 30 days advance notice.

5. International transfers

Where personal data is transferred outside the EEA, Azoth relies on Standard Contractual Clauses (SCCs) as approved by the European Commission. EU-region data residency is available on Enterprise plans on request — contact legal@azothos.ai.

6. Data subject rights

Azoth will assist the Controller in fulfilling data subject rights within the timeframes required by GDPR. Data portability requests are fulfilled via GET /api/v1/export (JSON or NDJSON). Erasure requests are processed within 30 days.

7. Security incidents

In the event of a personal data breach, Azoth will notify the Controller without undue delay and within 72 hours of becoming aware of the breach, providing information about the nature of the breach, categories and approximate number of records affected, likely consequences, and measures taken.

8. Contact

Data protection officer: privacy@azothos.ai
For signed enterprise DPAs: legal@azothos.ai

© 2026 Beweird SAS
PrivacyTermsSecurityAccessibilityDPA