
Data Processing Agreement

DPA — Last updated: 11 June 2026

1. Parties & Scope

Processor: Aurora AI Solutions Studio UG (haftungsbeschränkt)

Friedhofstr. 10, 70191 Stuttgart, Germany

E-Mail: info@helloaurora.ai

Data Protection Contact: Sasa Stanojevic — privacy@helloaurora.ai

This Data Processing Agreement ("DPA") is entered into between the customer using Aurora CapacityOS (the "Customer," "Controller," "you") and Aurora AI Solutions Studio UG (haftungsbeschränkt), a German company ("Aurora," "Processor," "we"). It governs how Aurora processes personal data on the Customer's behalf in the course of providing Aurora CapacityOS, in compliance with the EU General Data Protection Regulation (GDPR/DSGVO), the German Federal Data Protection Act (BDSG), and applicable national data protection laws. For personal data Aurora processes for its own purposes — account administration, billing, security, and the Aurora website — Aurora acts as an independent controller as described in our Privacy Policy.

This DPA is supplementary to and should be read in conjunction with our Privacy Policy and Terms of Service. It becomes effective the moment you accept the Terms of Service of the relevant Aurora product and remains in force for the duration of the service relationship.

2. Service Covered

This DPA applies to Aurora CapacityOS — Aurora's managed service in which software agents perform operational work under human approval — where Aurora processes personal data on behalf of the customer as a processor in an ongoing service relationship. Service-specific details (data categories, sub-processors, retention rules) are consolidated under Section 4 below. General obligations live in Sections 5–13.

  • Aurora CapacityOS — managed operational capacity for service firms, delivered through the Campaign Desk (campaign and marketing operations), the Retention Desk (renewal, client-health, and reporting operations), and the Flight Deck (supervision and approval view). The customer directs the work; the customer's clients grant delegated access to their own systems; outward actions pass a human approval gate; the work is evidence-logged.

Out of scope: This DPA does not apply to Aurora's KI-Beratung product line (German consulting business under helloaurora.ai/consulting). KI-Beratung downloadable products (e.g., Sector AI Act-Readiness Packs, AI-Sicherheits-Toolkit, AI Governance Framework Pack, DPIA-Vorlagenbibliothek, AI Vendor Risk Assessment Toolkit, Aurora Skills, Online courses) are one-time digital product sales in which Aurora does not act as a processor for the customer; the customer uses the delivered files independently. The applicable terms are set out in the separate AGB Digitale Produkte and the Datenschutzerklärung Aurora KI-Beratung. KI-Beratung consulting engagements (e.g., AI-Quickstart, AI-Strategie-Tag, AI-Sicherheits-Audit, POC-Sprint, AI-Implementierung, AI-Ops Retainer, AI-Sicherheits-Retainer, Regulatory Watch Service, Fractional CAIO) are covered by the separate AGB Beratungsleistungen; where Aurora processes personal data on behalf of a consulting mandator, a separate Auftragsverarbeitungsvertrag (AVV) gemäß Art. 28 DSGVO is concluded under § 7 of those AGB before processing begins.

3. Definitions

For the purposes of this DPA, the following terms shall have the meanings set forth below:

  • Controller: the Customer — the entity that determines the purposes and means of the processing of the personal data handled in its Aurora CapacityOS workspace. (For Aurora's own account, billing, security, and website data, Aurora acts as controller — see the Privacy Policy.)
  • Processor: Aurora, processing personal data on the Customer's behalf to deliver the contracted service.
  • Sub-Processor: Any entity engaged by Aurora that processes personal data on Aurora's behalf (e.g., Supabase, Anthropic, Vercel, Sentry, Inngest, Deepgram, AssemblyAI, Stripe).
  • Data Subject: Any individual to whom personal data relates — including Aurora users, and individuals whose data is processed through an Aurora product (e.g., audience members, meeting participants, customer contacts).
  • Personal Data: Any information relating to an identified or identifiable natural person, including but not limited to name, email, IP address, content data, usage logs, and metadata.
  • Processing: Any operation performed on personal data — collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, erasure, or destruction.
  • Special Categories of Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for identification, health data, or data concerning sex life or sexual orientation.

4. Processing under Aurora CapacityOS

What Aurora processes, and why. Aurora processes the customer's and the customer's clients' business data — advertising-account metrics, CRM records, policy records, and communications content and metadata — under delegated access, for the purpose of performing the contracted operations. Approval decisions and evidence logs documenting that work are retained as part of the service. Delegated access is granted by the customer or the customer's client through platform-native methods (manager or partner account links, user roles, OAuth); the granting party can revoke it at any time.

4.1 Aurora CapacityOS

Categories of Data Subjects

  • Aurora CapacityOS account holders, their team members, and their authorised contractors
  • The customer's end-clients and their representatives (names, business email addresses, meeting participants, communication metadata)
  • Individuals appearing in source data accessed through authorised connectors and delegated grants (email senders/recipients, calendar invitees, meeting attendees, channel members, payers, CRM contacts)
  • End-users and audiences of published content (social-media followers, website visitors)
  • Individuals referenced in — or whose voices appear in — source content uploaded for processing

Categories of Personal Data

  • Account information: email, name, firm name, profile data, authentication credentials
  • Content data: blog posts, articles, transcripts, scripts, and other long-form content provided by users
  • Audio & video uploads for transcription (see §4.2 below for the consent-specific rules)
  • Advertising-account and analytics metrics from delegated ad/analytics accounts (campaign performance, spend, pacing) — accessed under the granting party's delegation
  • CRM records and client/contact records (including deal or policy records where the customer's business involves them), where a CRM connection is granted
  • Email content and metadata from user-authorised mailboxes (subject, sender/recipient, timestamp, body for downstream analysis; raw bodies purged after 180 days)
  • Calendar event metadata and content from user-authorised calendars (full bodies retained for a rolling 90-day context window, then purged)
  • Meeting transcripts derived from Zoom cloud recordings (retained 365 days; raw audio discarded immediately after transcription)
  • Payment/billing data from Stripe Connect (invoice status, recurring-revenue figures, payment-failure events — no card or bank account numbers)
  • Workspace messages from Slack channels the user explicitly connects (direct messages are never ingested)
  • Generated outputs: AI-generated content derivatives, campaign briefs, ad-copy variants, health scores, save plays, renewal pitches, client reports, brief summaries
  • Derived signals (20+ kinds, e.g. client_amber/red transitions, renewal_window_60d/30d/14d, payment_cadence_drift, save_play_in_flight) carrying client/contact references and a numeric score or boolean state
  • Approval decisions and evidence logs: who approved or rejected an outward action, when, and the supporting evidence shown to the reviewer
  • Agent run metadata (skill id, version, timestamps, status, USD cost, output reference)
  • Connected-account and delegated-access data: OAuth identifiers and tokens (encrypted at rest), grant scope and permission level
  • Voice-profile data: text-only writing-style fingerprints (not biometric voiceprints)
  • Usage data: interaction logs, timestamps, device/browser type, IP address, feature usage
  • Payment data: billing address, payment-method identifiers (processed by Stripe)
  • Communication data: support messages, feedback, service correspondence

Purposes of Processing

  • Performing the contracted operations: campaign and marketing work (Campaign Desk) and renewal, client-health, and reporting work (Retention Desk), each subject to human approval gates on outward actions
  • Recording approval decisions and evidence logs, and maintaining the capacity ledger that documents the work delivered
  • Audio/video transcription via Deepgram (primary) or AssemblyAI / OpenAI Whisper (fallback)
  • Signal generation and exchange between the Campaign Desk and Retention Desk within the customer's workspace
  • Account management, authentication, customer support
  • Payment processing and billing administration (once billing is enabled)
  • Service improvement, analytics, usage monitoring
  • Security, fraud detection, incident investigation
  • Legal compliance and contractual fulfilment

Aurora CapacityOS Sub-Processors

| Sub-Processor | Location | Purpose |
|---|---|---|
| Supabase Inc. | EU (AWS eu-central-1, Frankfurt) | Database, authentication, storage (media bucket for uploads), row-level security, encrypted vault for OAuth and legacy BYOK credentials |
| Vercel Inc. | Compute: Frankfurt (fra1); CDN edge: global anycast | Application hosting, edge functions, CDN |
| Anthropic PBC (Claude API) | United States (SCCs) | Primary LLM provider: AI content processing and generation, health scoring, signal classification, learning agent |
| OpenAI L.L.C. | United States (SCCs) | LLM fallback provider; text embeddings (text-embedding-3-small) for semantic signal search; Whisper transcription for Zoom cloud recordings |
| Deepgram, Inc. | United States (SCCs) | Audio/video transcription (primary provider) |
| AssemblyAI, Inc. | United States (SCCs) | Audio transcription (legacy fallback only) |
| Inngest, Inc. | United States (SCCs) | Background job orchestration, workflow management, signal fan-out, agent skill run dispatch |
| Resend Inc. (sub-processor: AWS EMEA SARL / SES eu-west-1) | EU (Ireland) | Transactional email delivery (account notifications, publishing notifications, brief and report sends, agent-output email drafts) |
| Sentry (Functional Software, Inc.) | United States (SCCs) | Error tracking, performance monitoring |
| Upstash, Inc. | EU (Frankfurt) | Distributed rate limiting (Redis) for abuse protection and API throttling |
| Stripe, Inc. | United States (SCCs) / Stripe Payments Europe (Ireland — Frankfurt acquirer) | Payment processing and billing (once billing is enabled); Stripe Connect for ingesting the customer's invoicing data where connected |

Aurora may add or remove Aurora CapacityOS sub-processors with 30 days' prior notice. Users may object to the addition of a new sub-processor by writing to privacy@helloaurora.ai within 14 days of notification. The canonical, always-current list is published at helloaurora.ai/sub-processors.

4.1a Legacy bring-your-own-key (BYOK) model providers

Some workspaces carried over from Aurora's earlier product line run AI processing under the customer's own LLM API key. Where such a configuration is active, the chosen provider becomes an additional sub-processor for the duration of skill execution. The customer's choice of provider determines which sub-processor applies. Three options exist:

| BYOK Provider (selected by customer) | Location | Purpose |
|---|---|---|
| Anthropic PBC (Claude Opus / Sonnet / Haiku) | United States (SCCs); see Anthropic DPA at privacy.claude.com | Operator skill LLM execution under customer's own Anthropic API key |
| OpenAI L.L.C. (GPT-5 family) | United States (SCCs); see OpenAI DPA at openai.com | Operator skill LLM execution under customer's own OpenAI API key |
| Google LLC (Gemini 2.x) | United States (DPF / SCCs); see Google Cloud DPA | Operator skill LLM execution under customer's own Google API key |

Aurora stores the customer's BYOK credential pgsodium-encrypted on the profiles.operator_credential column. The plaintext API key is never persisted; it is decrypted just-in-time per invocation and discarded. The raw prompt and raw completion are not retained — only structured skill metadata (skill id, version, timestamps, status, cost, output reference) is logged to operator_runs for billing transparency and audit.

4.2 Audio & Video Uploads — Multi-Party Consent

Aurora CapacityOS lets users upload audio and video files for transcription. Uploaded recordings are sent to our transcription sub-processor (Deepgram, or AssemblyAI as fallback) and are stored in the "media" bucket of Supabase's EU Frankfurt region.

User acknowledgement. Because audio recordings often contain voices of people other than the uploading user (interview guests, meeting participants, podcast co-hosts), the upload flow requires an explicit consent acknowledgement before every upload. By ticking the consent box and initiating an upload, the user confirms that:

  • they own the rights to the recording, or have explicit permission from the rights holder;
  • every identifiable person whose voice appears in the recording has consented to the recording being transcribed by a third-party service; and
  • they agree to the processing of the recording by our transcription sub-processor under the terms of this DPA and the applicable Standard Contractual Clauses.

Audit trail. For each upload, Aurora CapacityOS records the consent-acknowledgement timestamp and the version of the consent text the user agreed to. The record is retained alongside the upload for the lifetime of the account and is produced on request in response to a Data Subject Access Request (Art. 15 GDPR).

User responsibility. The uploading user is the controller with respect to any third parties whose voices appear in the recording. Aurora acts as a processor on behalf of the uploading user for transcription purposes. Users remain responsible for securing any consents required under applicable law in the jurisdiction of recording (including but not limited to two-party and all-party consent jurisdictions in the United States).

Retention. Uploaded media files and their transcripts are retained for the duration of the user's account. On account deletion (Art. 17 GDPR), the corresponding blobs and transcripts are removed from Supabase storage and database within 30 days, subject to overriding legal retention obligations.

4.3 Customer-Connected & Client-Delegated Platforms — controller-to-controller relationships

Gmail, Google Calendar, Zoom, Slack, Google Ads, Meta, Google Analytics 4, Search Console, and the customer's CRM, PM, email, and ecommerce platforms are NOT Aurora sub-processors. These are customer-connected or client-delegated sources: the customer (the service firm) — or the customer's end-client, for client-owned systems such as advertising and analytics accounts — holds the controller relationship with the platform via its own account and its own access grant (manager or partner account links, user roles, OAuth). Aurora acts as a processor of the data pulled through these connections into Aurora CapacityOS; the underlying account, scope, retention, and revocation remain governed by the granting party's own contract with the platform. This distinction matters for GDPR Art 28 (only Aurora sub-processors require Art 28 contracts with us) versus Art 4(7) controller relationships (which are the granting party's responsibility).

4.4 Aurora CapacityOS Retention

  • Account data: retained while the account is active; personal identifiers deleted within 30 days of account deletion.
  • User-generated content and generated outputs: retained until user deletion or termination of the engagement.
  • Uploaded media & transcripts: as described in §4.2.
  • OAuth and delegated-access tokens (Gmail / Google Calendar / Zoom / Stripe / Slack / advertising and analytics grants): deleted within 30 days when the integration is disconnected or the account is deleted. Revocation is propagated to the provider via their OAuth revocation endpoint where supported.
  • Raw email bodies: 180 days then purged. Derived signals (health scores, sentiment deltas) retained for the duration of the workspace.
  • Calendar event full bodies: rolling 90-day context window then purged. Event metadata used for trend analysis retained for the workspace lifetime.
  • Zoom meeting transcripts: 365 days. Raw audio: discarded immediately after transcription.
  • Agent run audit rows (operator_runs): retained 365 days for billing-transparency / audit, then archived.
  • Approval decisions and evidence logs: retained for the duration of the workspace as part of the contracted service record, then deleted with the account (subject to statutory retention obligations).
  • Billing records: 10 years (German HGB / VAT).
  • Log data and metadata: 90 days.

5. International Data Transfers

Transfer mechanisms.

  • EU-to-US transfers: Personal data transferred to sub-processors located in the United States are governed by Standard Contractual Clauses (SCCs) as approved by the European Commission, and — where the sub-processor participates — the EU-US Data Privacy Framework (DPF).
  • EU data residency: User account data, generated content, and backups for Aurora CapacityOS are stored in Supabase's EU Frankfurt region and served from Vercel's Frankfurt compute region, ensuring data remains within the European Economic Area where possible.
  • Aurora has conducted Transfer Impact Assessments (TIAs) and Data Protection Impact Assessments (DPIAs) for international transfers and maintains appropriate safeguards as required by Art. 46 GDPR.

Supplementary safeguards.

  • Encryption of data in transit (TLS) and at rest.
  • Contractual obligations on sub-processors to maintain GDPR-equivalent protections.
  • Regular audit and compliance assessments of sub-processors.
  • Ability to request data return or deletion upon contract termination.

6. Security Measures

Aurora implements technical and organisational measures appropriate to the risk, including:

  • Encryption: TLS/HTTPS in transit; industry-standard encryption at rest.
  • Access controls: role-based access (RBAC), principle of least privilege, multi-factor authentication for administrative access.
  • Row-Level Security (RLS): database-level access policies so users can only access their own data.
  • Authentication: bcrypt-hashed passwords via Supabase Auth, session management, optional 2FA.
  • Audit logging: access to sensitive data is logged and retained for security and compliance purposes.
  • Vulnerability management: regular security audits, dependency scanning, timely patching.
  • Backups: encrypted backups performed regularly.
  • Personnel: all persons handling personal data receive data-protection and security training.

While we implement industry-standard security measures, no system is entirely secure. Aurora cannot guarantee absolute security and is not liable for unauthorised third-party access resulting from causes beyond its reasonable control.

7. Data Subject Rights

Aurora shall provide reasonable assistance to Data Subjects in exercising their rights under the GDPR:

  • Right to access (Art. 15): we will provide a copy of your personal data in a portable, machine-readable format within 30 days.
  • Right to rectification (Art. 16): correct inaccurate data via the product dashboard or by contacting support.
  • Right to erasure (Art. 17): we will delete account data within 30 days, subject to legal retention obligations (e.g. the 10-year retention for billing records under § 147 AO / § 257 HGB).
  • Right to restrict processing (Art. 18): request suspension of processing pending resolution of a dispute.
  • Right to data portability (Art. 20): receive your data in a structured, commonly-used, machine-readable format (CSV, JSON).
  • Right to object (Art. 21): object to processing for direct marketing or other non-essential purposes.
  • Right to lodge a complaint: you may complain to your local data-protection authority — see §12.

To exercise any of these rights, contact privacy@helloaurora.ai. We will respond within 30 days or as required by law.

8. Data-Breach Notification

  • Aurora will notify affected Data Subjects without undue delay and no later than 72 hours after becoming aware of a personal-data breach, as required by Art. 33 GDPR.
  • Notifications include details of the breach, likely consequences, and measures taken to mitigate harm.
  • Relevant supervisory authorities will be notified as required by law.
  • Sub-processors are contractually required to notify Aurora within 24 hours of discovering a breach affecting personal data.

9. Audit Rights

  • Supervisory authorities may audit Aurora's data-processing activities as part of their statutory duties.
  • Aurora periodically audits sub-processors to ensure compliance with data-protection obligations, and may request evidence of compliance from sub-processors.
  • Data Subjects may request information about how their data is being processed by writing to privacy@helloaurora.ai.

10. Term & Termination

  • This DPA is effective on acceptance of the relevant product Terms of Service and remains in effect for the duration of the service relationship.
  • On account deletion or service termination, Aurora shall cease processing personal data on the Customer's behalf, except where legally required to retain.
  • Aurora will delete or return personal data within 30 days of termination at the Data Subject's request, unless longer retention is legally required (e.g. § 147 AO / HGB billing-record retention).
  • Sub-processors will be instructed to delete or securely destroy personal data per Aurora's instructions.
  • Obligations related to data security, breach notification, and legal compliance survive termination.

11. Amendments

Aurora may amend this DPA to reflect changes in data-protection law, business practice, or sub-processors. Material changes (e.g. addition of a sub-processor, change of region) will be communicated with at least 30 days' prior notice. Users may object to a change by writing to privacy@helloaurora.ai within 14 days of notification.

12. Right to Lodge a Complaint

You may lodge a complaint with a supervisory authority. The competent authority for Aurora is:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg

Königstraße 10a, 70173 Stuttgart

Website: www.baden-wuerttemberg.datenschutz.de

13. Governing Law

This DPA is governed by the laws of the Federal Republic of Germany and the GDPR (EU) 2016/679. Disputes concerning data processing or data-subject rights are subject to German law and the jurisdiction of German courts. Data Subjects may also lodge complaints with the supervisory authority in their own jurisdiction.

Contact. For questions about this DPA or to exercise data-subject rights, write to privacy@helloaurora.ai. This DPA is supplementary to our Privacy Policy and should be read in conjunction with it.

Change note (11 June 2026): Updated to reflect the consolidation of our offerings into Aurora CapacityOS.

© 2026 Aurora AI Solutions Studio UG (haftungsbeschränkt) — helloaurora.ai