Data Processing Agreement
DPA — Last updated: April 24, 2026
1. Parties & Scope
This Data Processing Agreement ("DPA") is entered into between Aurora AI Solutions Studio UG (haftungsbeschränkt), a German company ("Aurora," "Controller," "we"), and our users and customers ("Data Subjects," "you"). It governs how Aurora processes personal data in the course of providing its products in compliance with the EU General Data Protection Regulation (GDPR/DSGVO), the German Federal Data Protection Act (BDSG), and applicable national data protection laws.
This DPA is supplementary to and should be read in conjunction with our Privacy Policy and Terms of Service. It becomes effective the moment you accept the Terms of Service of the relevant Aurora product and remains in force for the duration of the service relationship.
2. Products Covered
This DPA applies to all Aurora products. Because each product has a different processing footprint (different sub-processors, data categories, and retention rules), product-specific details are consolidated under Section 4 below. General obligations that apply across all products live in Sections 5–13.
- ContentPulse — AI content repurposing studio. contentpulse.helloaurora.ai
- ClientPulse — client relationship signal platform. (in development)
3. Definitions
For the purposes of this DPA, the following terms shall have the meanings set forth below:
- Controller: Aurora AI Solutions Studio UG, the entity that determines the purposes and means of personal data processing.
- Processor (Sub-Processor): Any entity that processes personal data on behalf of the Controller (e.g., Supabase, Anthropic, Vercel, Sentry, Inngest, Deepgram, AssemblyAI, Stripe).
- Data Subject: Any individual to whom personal data relates — including Aurora users, and individuals whose data is processed through an Aurora product (e.g., audience members, meeting participants, customer contacts).
- Personal Data: Any information relating to an identified or identifiable natural person, including but not limited to name, email, IP address, content data, usage logs, and metadata.
- Processing: Any operation performed on personal data — collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, erasure, or destruction.
- Special Categories of Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for identification, health data, or data concerning sex life or sexual orientation.
4. Product-Specific Processing
4.1 ContentPulse
Categories of Data Subjects
- ContentPulse account holders and their users
- Employees, contractors, and representatives of account holders
- End-users and audiences of users' published content (social-media followers, website visitors)
- Individuals referenced in — or whose voices appear in — source content uploaded to ContentPulse
Categories of Personal Data
- Account information: email, name, profile data, authentication credentials
- Content data: blog posts, articles, transcripts, scripts, and other long-form content provided by users
- Audio & video uploads for transcription (see §4.1a below for the consent-specific rules)
- Generated outputs: AI-generated social posts, captions, scripts, and repurposed content
- Connected-account data: OAuth identifiers and tokens for X/Twitter, LinkedIn, WordPress (encrypted at rest)
- Voice-profile data: text-only writing-style fingerprints (not biometric voiceprints)
- Usage data: interaction logs, timestamps, device/browser type, IP address, feature usage
- Payment data: billing address, payment-method identifiers (processed by Stripe)
- Communication data: support messages, feedback, service correspondence
Purposes of Processing
- Provision of the ContentPulse service and AI-powered content generation
- Audio/video transcription via Deepgram (primary) or AssemblyAI (legacy fallback)
- Account management, authentication, customer support
- Payment processing and billing administration
- Service improvement, analytics, usage monitoring
- Security, fraud detection, incident investigation
- Legal compliance and contractual fulfilment
ContentPulse Sub-Processors
| Sub-Processor | Location | Purpose |
| --- | --- | --- |
| Supabase Inc. | EU (AWS eu-central-1, Frankfurt) | Database, authentication, storage (media bucket for uploads), row-level security |
| Vercel Inc. | Compute: Frankfurt (fra1); CDN edge: global anycast | Application hosting, edge functions, CDN |
| Anthropic PBC (Claude API) | United States (SCCs) | AI content processing and generation |
| Deepgram, Inc. | United States (SCCs) | Audio/video transcription (primary provider) |
| AssemblyAI, Inc. | United States (SCCs) | Audio transcription (legacy fallback only) |
| Inngest, Inc. | United States (SCCs) | Background job orchestration, workflow management |
| Sentry (Functional Software, Inc.) | United States (SCCs) | Error tracking, performance monitoring |
| Stripe, Inc. | United States (SCCs) / Stripe Payments Europe (Ireland) | Payment processing and billing |
The Controller may add or remove ContentPulse sub-processors with 30 days' prior notice. Users may object to the addition of a new sub-processor by writing to privacy@helloaurora.ai within 14 days of notification.
4.1a Audio & Video Uploads — Multi-Party Consent
ContentPulse lets users upload audio and video files for transcription. Uploaded recordings are sent to our transcription sub-processor (Deepgram, or AssemblyAI as fallback) and are stored in the "media" bucket of Supabase's EU Frankfurt region.
User acknowledgement. Because audio recordings often contain voices of people other than the uploading user (interview guests, meeting participants, podcast co-hosts), ContentPulse requires an explicit consent acknowledgement before every upload. By ticking the consent box and initiating an upload, the user confirms that:
- they own the rights to the recording, or have explicit permission from the rights holder;
- every identifiable person whose voice appears in the recording has consented to the recording being transcribed by a third-party service; and
- they agree to the processing of the recording by our transcription sub-processor under the terms of this DPA and the applicable Standard Contractual Clauses.
Audit trail. For each upload, ContentPulse records the consent-acknowledgement timestamp and the version of the consent text the user agreed to. The record is retained alongside the upload for the lifetime of the account and is produced on request in response to a Data Subject Access Request (Art. 15 GDPR).
User responsibility. The uploading user is the controller with respect to any third parties whose voices appear in the recording. ContentPulse acts as a processor on behalf of the uploading user for transcription purposes. Users remain responsible for securing any consents required under applicable law in the jurisdiction of recording (including but not limited to two-party and all-party consent jurisdictions in the United States).
Retention. Uploaded media files and their transcripts are retained for the duration of the user's account. On account deletion (Art. 17 GDPR), the corresponding blobs and transcripts are removed from Supabase storage and database within 30 days, subject to overriding legal retention obligations.
4.1b ContentPulse Retention
- Account data: retained while the account is active; personal identifiers deleted within 30 days of account deletion.
- User-generated content: free accounts — content deleted 30 days after inactivity; paid accounts — retained until user deletion or subscription termination.
- Uploaded media & transcripts: as described in §4.1a.
- Billing records: 7 years (German HGB / VAT).
- Log data and metadata: 90 days.
4.2 ClientPulse
ClientPulse is in development. The ClientPulse-specific sub-processor list, data categories, and retention rules will be published in this section before the product becomes generally available. In the interim, the general obligations in §§5–13 and the cross-product sub-processors (Supabase, Vercel, Stripe, Sentry) apply.
5. International Data Transfers
Transfer mechanisms.
- EU-to-US transfers: Personal data transferred to sub-processors located in the United States are governed by Standard Contractual Clauses (SCCs) as approved by the European Commission, and — where the sub-processor participates — the EU-US Data Privacy Framework (DPF).
- EU data residency: User account data, generated content, and backups for ContentPulse and ClientPulse are stored in Supabase's EU Frankfurt region and served from Vercel's Frankfurt compute region, ensuring data remains within the European Economic Area where possible.
- The Controller has conducted Transfer Impact Assessments (TIAs) and Data Protection Impact Assessments (DPIAs) for international transfers and maintains appropriate safeguards as required by Art. 46 GDPR.
Supplementary safeguards.
- Encryption of data in transit (TLS) and at rest.
- Contractual obligations on sub-processors to maintain GDPR-equivalent protections.
- Regular audit and compliance assessments of sub-processors.
- Ability to request data return or deletion upon contract termination.
6. Security Measures
The Controller implements technical and organisational measures appropriate to the risk, including:
- Encryption: TLS/HTTPS in transit; industry-standard encryption at rest.
- Access controls: role-based access (RBAC), principle of least privilege, multi-factor authentication for administrative access.
- Row-Level Security (RLS): database-level access policies so users can only access their own data.
- Authentication: bcrypt-hashed passwords via Supabase Auth, session management, optional 2FA.
- Audit logging: access to sensitive data is logged and retained for security and compliance purposes.
- Vulnerability management: regular security audits, dependency scanning, timely patching.
- Backups: encrypted backups performed regularly.
- Personnel: all persons handling personal data receive data-protection and security training.
While we implement industry-standard security measures, no system is entirely secure. The Controller cannot guarantee absolute security and is not liable for unauthorised third-party access resulting from causes beyond its reasonable control.
7. Data Subject Rights
The Controller shall provide reasonable assistance to Data Subjects in exercising their rights under the GDPR:
- Right to access (Art. 15): we will provide a copy of your personal data in a portable, machine-readable format within 30 days.
- Right to rectification (Art. 16): correct inaccurate data via the product dashboard or by contacting support.
- Right to erasure (Art. 17): we will delete account data within 30 days, subject to legal retention obligations (e.g. 7-year HGB retention for billing records).
- Right to restrict processing (Art. 18): request suspension of processing pending resolution of a dispute.
- Right to data portability (Art. 20): receive your data in a structured, commonly-used, machine-readable format (CSV, JSON).
- Right to object (Art. 21): object to processing for direct marketing or other non-essential purposes.
- Right to lodge a complaint: you may complain to your local data-protection authority — see §12.
To exercise any of these rights, contact privacy@helloaurora.ai. We will respond within 30 days or as required by law.
8. Data-Breach Notification
- The Controller will notify affected Data Subjects without undue delay and no later than 72 hours after becoming aware of a personal-data breach, as required by Art. 33 GDPR.
- Notifications include details of the breach, likely consequences, and measures taken to mitigate harm.
- Relevant supervisory authorities will be notified as required by law.
- Sub-processors are contractually required to notify the Controller within 24 hours of discovering a breach affecting personal data.
9. Audit Rights
- Supervisory authorities may audit the Controller's data-processing activities as part of their statutory duties.
- The Controller periodically audits sub-processors to ensure compliance with data-protection obligations, and may request evidence of compliance from sub-processors.
- Data Subjects may request information about how their data is being processed by writing to privacy@helloaurora.ai.
10. Term & Termination
- This DPA is effective on acceptance of the relevant product Terms of Service and remains in effect for the duration of the service relationship.
- On account deletion or service termination, the Controller shall cease processing personal data, except where legally required to retain.
- The Controller will delete or return personal data within 60 days of termination at the Data Subject's request, unless longer retention is legally required.
- Sub-processors will be instructed to delete or securely destroy personal data per the Controller's instructions.
- Obligations related to data security, breach notification, and legal compliance survive termination.
11. Amendments
The Controller may amend this DPA to reflect changes in data-protection law, business practice, or sub-processors. Material changes (e.g. addition of a sub-processor, change of region) will be communicated with at least 30 days' prior notice. Users may object to a change by writing to privacy@helloaurora.ai within 14 days of notification.
12. Right to Lodge a Complaint
You may lodge a complaint with a supervisory authority. The competent authority for Aurora is:
13. Governing Law
This DPA is governed by the laws of the Federal Republic of Germany and the GDPR (EU) 2016/679. Disputes concerning data processing or data-subject rights are subject to German law and the jurisdiction of German courts. Data Subjects may also lodge complaints with the supervisory authority in their own jurisdiction.
Contact. For questions about this DPA or to exercise data-subject rights, write to privacy@helloaurora.ai. This DPA is supplementary to our Privacy Policy and should be read in conjunction with it.