This Data Processing Agreement ("DPA") forms part of the Terms of Service between Stazion ApS, CVR no. 46244028, Husumgade 31, 4. 15, 2200 København N, Denmark ("Processor" or "Stazion") and the customer organization that accepts the Terms of Service (the "Customer" or "Controller") and governs the processing of personal data by Stazion on behalf of the Customer.
This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Danish Data Protection Act.
1. Definitions
In this DPA:
- "Controller": The Customer entity that determines the purposes and means of processing personal data
- "Data Subject": An identified or identifiable natural person whose personal data is processed
- "Personal Data": Any information relating to a Data Subject as defined in GDPR Article 4(1)
- "Processing": Any operation performed on Personal Data as defined in GDPR Article 4(2)
- "Processor": Stazion, which processes Personal Data on behalf of the Controller
- "Subprocessor": A third party engaged by the Processor to process Personal Data
- "Data Protection Laws": GDPR and applicable Danish data protection legislation
- "Security Incident": A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data
- "SCCs": Standard Contractual Clauses adopted by the European Commission
- "TOMs": Technical and Organizational Measures
- "Service": The Stazion.ai AI sales platform, including document management, the Sales Engineer workspace, and the RFQ/RFx workflow
2. Scope and Purpose
2.1 Subject Matter
This DPA governs the processing of Personal Data by the Processor when providing the Stazion.ai Service to the Controller.
2.2 Duration
This DPA remains in effect for the duration of the Service agreement between the parties, plus any period during which Personal Data is retained.
2.3 Nature and Purpose of Processing
The Processor processes Personal Data to:
- Authenticate users and manage organization accounts and roles
- Store, organize, and index documents uploaded by the Controller
- Extract text, products, and requirements from uploaded documents
- Generate vector embeddings to power semantic search over the Controller's documents
- Provide AI-assisted question answering, proposal drafting, and RFQ/RFx response generation grounded in the Controller's documents
- Run the RFQ/RFx workflow: extract line items, draft compliant responses, manage teammate questions, and process buyer feedback
- Send emails on behalf of the Controller's representatives and capture replies via Microsoft Graph and Microsoft Teams
- Provide usage analytics and reporting features
- Maintain, secure, and improve the Service
2.4 Types of Personal Data
The categories of Personal Data processed depend in part on the content the Controller chooses to upload to the Service. The following categories are processed:
| Category | Data Elements |
|---|---|
| Identity Data | Name, email address, user ID, profile photo |
| Account Data | Organization name, organization membership, role (owner / admin / member) |
| Authentication Data | Hashed passwords, OAuth tokens (encrypted), session identifiers |
| Document Content | Any Personal Data contained within documents the Controller uploads (for example product documentation, RFQ/RFP files, specifications, and attachments) |
| Communication Data | Content of emails sent and received through the Service, and Microsoft Teams messages exchanged when asking teammates questions |
| Business Contact Data | Names and contact details of the Controller's customers, buyers, and their representatives appearing in documents, RFQs, or correspondence |
| Activity Data | Sign-in timestamps, IP addresses, device and browser information |
| Usage Data | Page views, feature interactions, and product analytics (including a sampled session replay) |
2.5 Categories of Data Subjects
Personal Data relates to the following categories of Data Subjects:
- The Controller's employees, contractors, and authorized users of the Service
- The Controller's customers, buyers, and their representatives named in uploaded documents, RFQs, or correspondence
- Teammates contacted through the Service's question-and-answer features
- Any other individuals whose Personal Data appears in content the Controller uploads to the Service
3. Controller Obligations
The Controller shall:
3.1 Lawful Basis
Ensure it has a valid legal basis under GDPR Article 6 for the processing of Personal Data by the Processor, including:
- Legitimate interest for sales operations and document management
- Contract performance for providing services to its own customers
- Compliance with legal obligations where applicable
3.2 Data Subject Notification
Inform Data Subjects about the processing of their Personal Data, including:
- The use of third-party processors such as Stazion
- The purposes of processing
- Their rights under Data Protection Laws
3.3 Instructions
Provide documented instructions for the processing of Personal Data. The Service agreement and this DPA constitute the Controller's documented instructions.
3.4 Compliance
Ensure that its instructions, and the content it uploads to the Service, comply with Data Protection Laws and do not cause the Processor to violate applicable laws.
4. Processor Obligations
4.1 Processing on Instructions (Article 28(3)(a))
The Processor shall:
- Process Personal Data only on documented instructions from the Controller
- Inform the Controller if an instruction infringes Data Protection Laws
- Not process Personal Data for any purpose other than providing the Service
Exception: Processing required by EU or Member State law, in which case the Processor shall inform the Controller before processing (unless prohibited by law).
The Processor does not use Personal Data, including document content or queries submitted to the Service, to train its own or any third party's general-purpose AI models. AI subprocessors are engaged only to process Personal Data on the Controller's behalf in order to provide the Service, and under terms that prohibit using that data to train their models.
4.2 Confidentiality (Article 28(3)(b))
The Processor shall ensure that persons authorized to process Personal Data:
- Have committed themselves to confidentiality or are under statutory confidentiality obligations
- Process Personal Data only as instructed
- Receive appropriate guidance on data protection obligations
4.3 Security Measures (Article 28(3)(c))
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data at rest and in transit
- Measures to ensure ongoing confidentiality, integrity, and availability
- Multi-tenant data isolation
- Regular review of security measures
See Annex A: Technical and Organizational Measures (TOMs)
4.4 Subprocessors (Article 28(3)(d))
The Processor shall:
- Not engage another processor without prior specific or general written authorization
- Maintain a list of approved Subprocessors (see Annex B)
- Inform the Controller of intended changes to Subprocessors
- Impose data protection obligations on Subprocessors equivalent to those in this DPA
Authorization: The Controller provides general authorization for the Processor to engage the Subprocessors listed in Annex B, subject to:
- Advance notice of at least 14 days before engaging a new Subprocessor
- The Controller's right to object on reasonable data protection grounds within 14 days of notification
- Resolution of objections in good faith; if an objection cannot be resolved, the Controller may terminate the affected part of the Service
4.5 Data Subject Requests (Article 28(3)(e))
The Processor shall:
- Assist the Controller in responding to Data Subject requests
- Notify the Controller promptly of any requests received directly
- Not respond to Data Subject requests without Controller authorization (except to direct them to the Controller)
The Processor assists the Controller with Data Subject requests as set out below. Document deletion is available directly in the Service; the remaining requests are fulfilled on request, within the timelines in this DPA, by contacting vb@stazion.ai:
| Right | Processor Assistance |
|---|---|
| Access | A copy of the Data Subject's personal data, provided on request |
| Rectification | Correction of personal data, via in-product profile editing or on request |
| Erasure | Document deletion in the Service; account and associated data deletion on request |
| Restriction | Processing restricted, or the account suspended, on request |
| Portability | Personal data exported in a structured, machine-readable format on request |
4.6 Security Assistance (Article 28(3)(f))
The Processor shall assist the Controller in ensuring compliance with:
- Article 32: Security of processing
- Article 33: Notification of Security Incidents to the supervisory authority
- Article 34: Communication of Security Incidents to Data Subjects
- Article 35: Data protection impact assessments (upon request)
- Article 36: Prior consultation with the supervisory authority (upon request)
4.7 Deletion and Return (Article 28(3)(g))
At the end of the Service agreement, the Processor shall, at the Controller's choice:
- Delete: Permanently delete all Personal Data within 30 days
- Return: Provide a Personal Data export in a structured format within 30 days
The Controller must request return or export within 30 days of termination. After this period, the Processor will delete all Personal Data.
Exceptions: Retention required by EU or Member State law, in which case the Processor shall inform the Controller.
4.8 Audit Rights (Article 28(3)(h))
The Processor shall:
- Make available all information necessary to demonstrate compliance
- Allow for and contribute to audits and inspections
Audit Conditions:
- Reasonable advance notice (minimum 30 days, except for urgent security matters)
- Audits conducted during normal business hours
- The auditor bound by confidentiality obligations
- The Controller bears the costs of the audit
- A maximum of one audit per 12-month period (unless required by a regulatory authority)
The Controller may request:
- Security assessment reports (where available)
- Completed security questionnaires
- Evidence of Subprocessor compliance
5. Security Incident Notification
5.1 Notification Timing
The Processor shall notify the Controller of any Security Incident without undue delay and no later than 48 hours after becoming aware of the incident.
5.2 Notification Content
The notification shall include, to the extent known:
- Description of the nature of the Security Incident
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of Personal Data records affected
- Name and contact details of the data protection point of contact
- Likely consequences of the Security Incident
- Measures taken or proposed to address the Security Incident
5.3 Cooperation
The Processor shall:
- Cooperate with the Controller's investigation
- Take reasonable steps to mitigate effects and prevent recurrence
- Maintain records of Security Incidents
- Assist with notifications to supervisory authorities and Data Subjects
5.4 Contact
Security Incident notifications shall be sent to the Controller's designated contact (as provided during account setup) and to: vb@stazion.ai
6. International Data Transfers
6.1 Primary Data Location
The Controller's core Personal Data (account data, documents, and embeddings) is hosted within the European Economic Area (EEA).
6.2 Transfer Mechanisms
Where Personal Data is transferred outside the EEA, for example to AI processing Subprocessors located in the United States, the Processor ensures appropriate safeguards:
- Standard Contractual Clauses: Applied to transfers to Subprocessors outside the EEA without an adequacy decision
- Adequacy Decisions: Relied upon where applicable (for example the EU-US Data Privacy Framework where the Subprocessor is certified)
- Supplementary Measures: Encryption and data minimization applied where appropriate
6.3 Transfer Impact Assessments
The Processor maintains, and reviews upon any material change to Subprocessors or data flows, an assessment of the safeguards applied to transfers of Personal Data outside the EEA, in line with the EDPB Recommendations 01/2020 and the CJEU Schrems II ruling.
6.4 Subprocessor Locations
See Annex B for Subprocessor processing locations and transfer mechanisms.
7. Liability
7.1 Compliance
Each party is liable for its own compliance with Data Protection Laws.
7.2 Allocation
Liability for breaches shall be allocated in accordance with GDPR Article 82 and the liability provisions in the Terms of Service.
7.3 Indemnification
The parties' indemnification obligations are set forth in the Terms of Service.
8. Term and Termination
8.1 Effective Date
This DPA is effective upon the Controller's acceptance of the Terms of Service.
8.2 Duration
This DPA remains in effect until all Personal Data is deleted or returned.
8.3 Survival
Provisions regarding data deletion, confidentiality, and liability survive termination.
9. General Provisions
9.1 Governing Law
This DPA is governed by the laws of Denmark.
9.2 Amendments
This DPA may be amended by the Processor with 30 days' notice. Material changes affecting Controller rights require Controller consent.
9.3 Conflict
In case of conflict between this DPA and the Terms of Service, this DPA prevails for matters concerning Personal Data processing.
9.4 Severability
If any provision is found unenforceable, the remaining provisions remain in effect.
9.5 Acceptance and Signed Copies
This DPA applies to every Customer upon acceptance of the Terms of Service, without a separate signature. A Customer that requires a countersigned copy naming both parties may request one from vb@stazion.ai; the signed copy incorporates this DPA without altering its substance.
10. Contact Information
Data Protection, Legal, and Security Contact: Email: vb@stazion.ai
Annex A: Technical and Organizational Measures (TOMs)
The Processor implements the following security measures pursuant to GDPR Article 32:
A.1 Encryption
| Measure | Implementation |
|---|---|
| Encryption at Rest | AES-256-GCM for sensitive secrets (such as OAuth tokens); database and storage encryption at rest |
| Encryption in Transit | TLS for all network communications |
| Key Management | Encryption keys managed separately from the data they protect |
A.2 Access Controls
| Measure | Implementation |
|---|---|
| Authentication | Email and password authentication, and Microsoft OAuth 2.0 for integrations |
| Session Management | Secure session cookies with expiry |
| Authorization | Role-based access control (owner / admin / member) |
| Tenant Isolation | Row-level security enforcing per-organization data isolation |
| Principle of Least Privilege | Users and services access only the data they need |
| Administrative Access | Limited to authorized personnel |
A.3 Infrastructure Security
| Measure | Implementation |
|---|---|
| Database and Storage | Supabase (PostgreSQL), hosted in the EEA |
| Application Hosting | Vercel (serverless), hosted in the EEA (Stockholm, Sweden) |
| Document Extraction | Google Cloud Document AI |
| Network Security | Managed cloud network controls and firewalling |
| Platform Patching | Managed, regularly patched cloud platforms |
A.4 Data Protection
| Measure | Implementation |
|---|---|
| Data Minimization | Only the data necessary to provide the Service is collected and processed |
| No Model Training | Personal Data is not used to train general-purpose AI models |
| Multi-Tenant Isolation | Per-organization isolation enforced at the database level |
| Pseudonymization | Internal identifiers used where possible |
A.5 Monitoring and Logging
| Measure | Implementation |
|---|---|
| Audit Logging | Sensitive actions logged (for example RFQ lifecycle events) |
| Error Monitoring | Production error tracking and alerting, hosted in the EEA |
| Activity Records | Records maintained to support investigation of incidents |
A.6 Incident Response
| Measure | Implementation |
|---|---|
| Detection | Monitoring and alerting |
| Response | Documented incident response approach |
| Notification | 48-hour notification to the Controller |
| Post-Incident Review | Root cause analysis and remediation |
A.7 Personnel Security
| Measure | Implementation |
|---|---|
| Confidentiality | Personnel bound by confidentiality obligations |
| Awareness | Data protection and security guidance for staff |
| Access Termination | Prompt access revocation upon termination |
A.8 Business Continuity
| Measure | Implementation |
|---|---|
| Backups | Automated database backups |
| Recovery | Documented recovery procedures |
| Availability | Cloud-native high-availability architecture |
Annex B: Approved Subprocessors
The Processor engages the following Subprocessors to process Personal Data in connection with the Service. Some Subprocessors (noted below) process Personal Data only where the Controller enables the relevant feature.
| Subprocessor | Purpose | Data Categories | Location | Transfer Mechanism |
|---|---|---|---|---|
| Supabase | Database, authentication, and file storage (primary data store) | All categories | EEA | Within EEA |
| Vercel | Application hosting and serverless compute | All categories in transit | EEA (Stockholm, Sweden) | Within EEA |
| Anthropic | AI model (Claude) for extraction, question answering, and drafting | Document content, RFQ data, queries | United States | SCCs / Data Privacy Framework |
| OpenAI | Vector embeddings and query preprocessing | Document text, queries | United States (EEA contracting via OpenAI Ireland) | SCCs |
| Cohere | Search result reranking | Document snippets, queries | United States / Canada | SCCs / Adequacy (Canada) |
| Google Cloud (Document AI and Cloud Storage) | PDF text extraction and temporary processing storage | Document content | EEA region | Within EEA |
| Microsoft (Graph, Teams, 365) | Sending emails on behalf of representatives and capturing teammate replies | Communication data, identity data | EEA / Global | SCCs where applicable |
| Amplitude | Product usage analytics | Usage data, activity data, identity data | EU server zone | Within EEA |
| Resend | Inbound and transactional email handling | Communication data, identity data | United States | SCCs / Data Privacy Framework |
| Merge.dev (only if the Controller connects an integration) | Unified API for CRM, file storage, and knowledge base sync | Account data, business contact data, document content | United States | SCCs (Module 3) |
Note: Supabase, Vercel, Google Cloud, and Amplitude are EEA-hosted. The US-based AI and integration Subprocessors (Anthropic, OpenAI, Cohere, Resend, and Merge.dev) rely on Standard Contractual Clauses and/or the EU-US Data Privacy Framework. Confirm each US provider's current transfer mechanism before sharing this DPA externally.