Data Processing Addendum

Placeholder. This page is a structural placeholder while we work with counsel on the formal document. We do not fake legal text. Full document available on request: founder@pliuz.com.

Pliuz acts as Data Processor for Customer Data (audit events, approval requests, tool args, originator metadata) under the GDPR. The full DPA covers processing purposes, sub-processors, security measures, data subject rights, breach notification, and international transfers.

  • Data Controller: Customer (you). For end-user Personal Data flowing through Approval Requests, Customer is still the controller — Pliuz is a processor of that downstream data.
  • Data Processor: Pliuz, EU-hosted via Supabase (Frankfurt eu-central-1 primary; Dublin fallback) + Vercel (Frankfurt for app routes).
  • Sub-processors: 5 active (see /legal/subprocessors). 30-day prior notice on any addition or replacement; Customer right to object → terminate per the DPA.
  • Cross-border transfers: EU-only by default. Slack (US default infrastructure) is the only non-EU sub-processor and only engages if Customer enables the Slack integration. EU SCCs Module 2 (Controller→Processor) applies for that transfer; Customer may opt for web-inbox-only routing to keep all data within EU.
  • Data retention: per Customer-configured tenant policy (default per tier 7d / 90d / 1y / 10y for audit events; tenant config retained for lifetime of relationship + 30 days post-termination). Retention enforcement cron implementation in progress.
  • Pliuz commitments (contractual + mechanically enforceable): no training on Customer Personal Data; no payload reading for non-execution purposes; no third-party sale or sharing; SDK-side redaction primitives provided.
  • Security measures (Annex II): AES-256 at rest, TLS 1.3 in transit, RLS on every table, append-only events with SHA-256 hash chain (verifiable via pliuz_verify_chain RPC), per-agent API keys (HMAC hashed), backups encrypted with 30-day rolling expiry.
  • Breach notification: <72h to Customer Data Controller per GDPR Art 33(2), with material facts known at the time. Pliuz cooperates with Customer on response and mitigation.
  • Data subject rights assistance: Pliuz assists Customer per Art 28(3)(e)-(h) on DSARs, DPIAs, prior consultation, and breach response. Routine assistance is included; additional charges apply only for non-routine, large-scale requests.
  • Audit rights: annual third-party audit reports (SOC 2 once obtained — currently in planning); ad-hoc audit cooperation on material incident. Customer-conducted audit 1/year with 30-day notice (cost-shifted to Customer).
  • Deletion / return on termination: 30-day window; signed JSONL export available; deletion certificate issued on request.
  • Reference materials available on request under NDA: full DPA template, Privacy Impact Assessment of the audit log, AI Impact Assessment of Pliuz as an Art 14 compliance instrument.

Last updated: 2026-05-24. Full DPA template available on request; required for any EU customer. Reviewed internally; independent counsel review pending before signature. Material changes communicated 30 days in advance via /legal/subprocessors subscription.