Data Processing Addendum
The Data Processing Addendum (DPA) governs the processing of personal data that flows through Ultron in connection with the customer's business. When you push the personal data of your contacts, leads, employees, or end users through Ultron, you act as a data controller and Ultron acts as your processor. This DPA sets out the terms of that relationship.
Purpose
This DPA reflects the parties' agreement regarding the processing of personal data carried out by Ultron on behalf of the customer in the course of providing the service. It supplements the Terms of Service. In the event of a conflict between this DPA and the Terms of Service, this DPA controls for matters of personal data processing.
Definitions
Terms that are capitalised but undefined here have the meaning given by the General Data Protection Regulation, Regulation (EU) 2016/679 (the GDPR). The terms controller, processor, data subject, personal data, processing, and personal data breach carry their GDPR meanings.
Customer Personal Data means personal data that the customer or its authorised users submit to or generate through the service. Subprocessor means a third party engaged by Ultron to process Customer Personal Data on its behalf in connection with the service.
Roles
The customer acts as the data controller for Customer Personal Data. Ultron acts as the processor of Customer Personal Data and processes it only on the customer's documented instructions. Where Ultron processes personal data for its own purposes (for example, billing records, telemetry, account information), Ultron acts as a separate data controller and the Privacy Policy describes that processing.
Scope of processing
| Item | Description |
|---|---|
| Subject matter | Provision of the Ultron platform and related services as defined in the Terms of Service |
| Duration | For the term of the subscription, plus the retention windows in the Privacy Policy |
| Nature and purpose | Storage, organisation, transmission, retrieval, and analysis as needed to deliver the service the customer has subscribed to |
| Categories of data subjects | Individuals whose personal data the customer chooses to submit, including end users, customers, leads, employees, contractors |
| Categories of personal data | Identification data, contact data, professional data, content data, technical metadata, and any other category the customer chooses to submit |
| Special categories | Special category personal data should not be submitted unless the customer has a lawful basis and has notified Ultron in writing |
Customer instructions
Ultron processes Customer Personal Data only on the customer's documented instructions, including with regard to international transfers, unless required to act otherwise by Romanian or Union law to which Ultron is subject. In the latter case, Ultron will inform the customer of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest.
The customer's instructions are reflected in this DPA, in the Terms of Service, and in the customer's documented use of the service. The customer can issue further instructions by writing to privacy@51ultron.com. Ultron will inform the customer if, in its opinion, an instruction infringes the GDPR or other applicable data protection law.
Confidentiality
Ultron ensures that personnel authorised to process Customer Personal Data are bound by appropriate obligations of confidentiality, whether through written agreements or under a statutory duty of confidence. Access is granted on a need-to-know basis and audited.
Security measures
Technical and organisational measures
Ultron implements appropriate technical and organisational measures designed to provide a level of security appropriate to the risk, taking into account the state of the art, the cost of implementation, the nature, scope, context, and purposes of processing, and the risk to data subjects. A summary of those measures is published on the Security page and reproduced in Annex 2 below; both form an integral part of this DPA.
Model providers and AI processing
Delivering the service involves sending Customer Personal Data to the model providers listed in Annex 3 for inference. Ultron engages each model provider under a contractual commitment that Customer Personal Data, including prompts, conversation history, tool results, and outputs, is not used to train or improve any foundation model. Ultron does not use Customer Personal Data to train its own or any third party's models. Code that runs on the customer's behalf executes in an isolated, ephemeral sandbox; data acquired from the public web through the platform's ingestion tools is processed only to deliver the service the customer requested and is not added to any training or shared corpus.
Subprocessors
The customer authorises Ultron to engage subprocessors to process Customer Personal Data, subject to the conditions below. The current list of subprocessors is published on the Subprocessors page.
- Ultron imposes on each subprocessor data protection obligations no less protective than those in this DPA.
- Ultron remains liable to the customer for the performance of its subprocessors.
- Ultron gives at least thirty days notice of the addition or replacement of a subprocessor by updating the Subprocessors page and, on request, by emailing customers who have signed up for the notification list.
- The customer may object to a new subprocessor on reasonable data protection grounds within the notice period. If the parties cannot reach a resolution, the customer may terminate the affected portion of the service and receive a prorated refund of pre-paid fees for that portion.
International transfers
European Economic Area
Where the provision of the service involves a transfer of Customer Personal Data outside the European Economic Area to a country without an adequacy decision, the parties incorporate the Standard Contractual Clauses adopted by the European Commission under Implementing Decision (EU) 2021/914 (the EU SCCs). Module Two (controller to processor) applies to transfers where the customer is the controller and Ultron is the processor. Module Three (processor to processor) applies where Ultron transfers Customer Personal Data to a subprocessor.
For the purpose of the EU SCCs: the customer is the data exporter and Ultron is the data importer; the optional docking clause in Clause 7 applies; under Clause 9, option 2 (general written authorisation) applies with the notice period stated in the Subprocessors section; under Clause 11, the optional independent dispute resolution body language does not apply; under Clause 17, the clauses are governed by the law of Romania; under Clause 18, disputes are resolved before the courts of Romania. Annex 1, Annex 2, and Annex 3 below populate the corresponding annexes of the EU SCCs.
United Kingdom
For transfers subject to the UK GDPR, the EU SCCs apply as amended by the International Data Transfer Addendum issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018 (the UK Addendum). The UK Addendum is incorporated by reference. Tables 1 to 3 are populated by the EU SCC annexes below; in Table 4, the data importer may end the Addendum as set out in its Section 19. The governing law and forum for the UK Addendum are England and Wales.
Switzerland
For transfers subject to the Swiss Federal Act on Data Protection (FADP), the EU SCCs apply with the following adjustments: the Federal Data Protection and Information Commissioner is the competent supervisory authority for Swiss transfers; references to the GDPR are read as references to the FADP where the FADP applies; and the term member state must not be interpreted to exclude data subjects in Switzerland from enforcing their rights in their place of habitual residence.
A copy of the executed clauses for a specific transfer is available on request to privacy@51ultron.com.
California (CCPA and CPRA)
This section applies where Ultron processes personal information of California residents that is subject to the California Consumer Privacy Act as amended by the California Privacy Rights Act (together, the CCPA). For that personal information, the customer is the business and Ultron is a service provider as those terms are defined in the CCPA.
- Ultron processes the personal information only to perform the service under the Terms of Service, or as otherwise permitted by the CCPA for a service provider.
- Ultron does not sell or share the personal information, and does not retain, use, or disclose it for any purpose other than the business purposes specified in the agreement, including outside the direct business relationship with the customer.
- Ultron does not combine the personal information with personal information it receives from other sources, except as permitted by the CCPA for a service provider.
- Ultron certifies that it understands the restrictions in this section and will comply with them.
- Ultron notifies the customer if it determines it can no longer meet its obligations under the CCPA, and the customer may take reasonable steps to stop and remediate unauthorised use.
Assistance to the customer
Data subject requests
Ultron provides reasonable assistance, by appropriate technical and organisational measures, to enable the customer to respond to requests from data subjects exercising their rights under Articles 12 to 22 of the GDPR. Where Ultron receives a request from a data subject relating to Customer Personal Data, it will forward the request to the customer without responding to the data subject unless legally required to do so.
Impact assessments and prior consultation
Ultron provides reasonable assistance to the customer with data protection impact assessments and prior consultation with supervisory authorities under Articles 35 and 36 of the GDPR, to the extent the assessments relate to processing carried out by Ultron on the customer's behalf.
Personal data breach
Ultron notifies the customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data. The notification describes, to the extent the information is available, the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach.
Ultron does not notify the relevant supervisory authority or data subjects on the customer's behalf for breaches involving Customer Personal Data. That obligation sits with the customer as controller. Ultron provides the information the customer needs to comply with that obligation.
Audits
Ultron makes available to the customer all information reasonably necessary to demonstrate compliance with this DPA, including by providing the Security page, summaries of independent audits where they exist, and answers to a reasonable security questionnaire on request.
The customer may, at its own cost, audit Ultron's compliance with this DPA no more than once per calendar year, subject to thirty days written notice, during regular business hours, in a manner that does not interfere with Ultron's operations or compromise the security of other customers. The parties cooperate in good faith on the scope and conduct of the audit. The customer may also rely on the most recent independent third-party audit reports Ultron provides under non-disclosure terms.
Ultron retains records of its processing activities carried out on behalf of the customer for three years after the end of the agreement, or longer where a law to which Ultron is subject requires it, so that the customer can demonstrate compliance to a supervisory authority.
Return and deletion
Upon termination or expiration of the service, the customer can export Customer Personal Data from the platform until the end of the retention window described in the Privacy Policy. After that window, Ultron deletes Customer Personal Data from its systems, except where retention is required by Union or Romanian law, in which case Ultron isolates the retained data and continues to process it only to the extent and for the period required by that law.
Order of precedence
If there is a conflict between the documents that govern the processing of Customer Personal Data, the following order of precedence applies, from highest to lowest: first, the Standard Contractual Clauses and any country-specific addendum incorporated under the International transfers section; second, this DPA; third, the Terms of Service; fourth, any other agreement between the parties. A more specific term controls over a more general one on the same subject.
Liability
Each party's liability arising out of or related to this DPA, whether in contract, tort, or any other theory, is subject to the limitations and exclusions of liability set out in the Terms of Service. Any reference in those limitations to the liability of a party means the aggregate liability of that party and its affiliates under the Terms of Service and all DPAs together. Nothing in this DPA limits a data subject's rights under the GDPR or the Standard Contractual Clauses.
How to execute
For most customers, the published DPA is automatically incorporated into the Terms of Service. No separate signature is required. Enterprise customers who need a signed counterpart can request one by writing to legal@51ultron.com. We can also execute the European Commission's Standard Contractual Clauses separately on request.
Annex 1: Description of processing
This annex populates Annex I of the Standard Contractual Clauses.
A. List of parties
| Role | Party |
|---|---|
| Data exporter | The customer, acting as controller. Identity and contact details are those on the customer's account and in the Terms of Service. |
| Data importer | The operator of Ultron, acting as processor, established in Bucharest, Romania. Contact: privacy@51ultron.com. |
| Exporter role | Controller |
| Importer role | Processor |
B. Description of transfer
| Item | Detail |
|---|---|
| Categories of data subjects | Individuals whose personal data the customer submits, including the customer's end users, customers, leads, prospects, employees, and contractors |
| Categories of personal data | Identification and contact data, professional data, content the customer submits or generates, and technical metadata |
| Special categories | Not intended to be processed. The customer must not submit special category data without a lawful basis and prior written notice to Ultron |
| Frequency of transfer | Continuous, for the duration of the subscription |
| Nature of processing | Storage, organisation, transmission, retrieval, and analysis to deliver the service, including inference by the model providers listed in Annex 3 |
| Purpose of processing | Provision of the Ultron platform and related services under the Terms of Service |
| Retention | For the term of the subscription plus the retention windows in the Privacy Policy |
| Subprocessor processing | For the duration and purpose set out for each subprocessor in Annex 3 |
C. Competent supervisory authority
The competent supervisory authority is the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP). For transfers subject to the UK Addendum, the competent authority is the UK Information Commissioner. For transfers subject to the FADP, the competent authority is the Swiss Federal Data Protection and Information Commissioner.
Annex 2: Technical and organisational measures
This annex populates Annex II of the Standard Contractual Clauses.
The technical and organisational measures Ultron applies to protect Customer Personal Data are documented in full on the Security page, which is incorporated into this DPA and into Annex II of the Standard Contractual Clauses by reference. The summary below lists the measures by category; the Security page is the controlling description.
| Category | Measure |
|---|---|
| Encryption | TLS 1.2 or higher in transit; AES-256 at rest across database, object storage, and edge database; secrets sealed in a managed secret store |
| Access control | Least privilege by role, reviewed quarterly; default read-only; time-boxed and logged write access to customer data; separation of duties across code, review, and secrets |
| Authentication | MFA available to all users and enforced on Enterprise; SSO with hardware-backed MFA for the team; short-lived service credentials |
| Pseudonymisation and minimisation | Analytics events pseudonymised; only safe display fields retained for payments; data collected limited to what the service needs |
| Resilience | Stateless application tier; daily encrypted backups retained thirty days; quarterly restore tests; documented recovery objectives |
| Vulnerability management | Continuous dependency and image scanning; severity-based remediation windows; external researcher reporting channel |
| Logging and monitoring | Administrative actions on production data logged with actor, action, target, and time; anomaly detection on auth, access failures, and data egress |
| Secure development | Mandatory peer review, CI checks, static analysis, and a locked, audited build pipeline |
| Incident response | Documented runbook; breach notification aligned to GDPR Articles 33 and 34; post-incident review |
| Supplier risk | Security and privacy review before onboarding a subprocessor; at least annual re-review |
Annex 3: Subprocessors
This annex populates Annex III of the Standard Contractual Clauses.
The authorised subprocessors engaged to process Customer Personal Data, their location, the categories of data they touch, and the function they perform are listed in full on the Subprocessors page, which is incorporated into this DPA and into Annex III of the Standard Contractual Clauses by reference. The customer authorises these subprocessors under Clause 9 of the EU SCCs (option 2, general written authorisation), with the notice period and objection right set out in the Subprocessors section above.