Data Processing Agreement
Last updated: April 2, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Data Controller") and Siere Soft Ltd ("Data Processor"), a company registered in the Republic of Bulgaria.
This DPA applies to the processing of personal data by Siere on your behalf when you use the Siere platform. It is intended to ensure compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.
1. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
- Processing: Any operation performed on personal data, including collection, storage, use, transmission, and deletion.
- Subprocessor: A third party engaged by Siere to process personal data on behalf of the Data Controller.
2. Scope and Purpose
Siere processes personal data solely to provide the Service as described in the Terms of Service. This includes:
- Account management and authentication
- Payment processing and subscription management
- Audit scoring and report generation
- Analytics data collection and visualization
- Email delivery for transactional and operational communications
- Content management for AI agent optimization
3. Data Categories
| Category | Data Types | Purpose |
|---|---|---|
| Account Data | Email address, user ID, authentication tokens | Authentication, account management |
| Billing Data | Stripe customer ID, subscription status, plan type | Payment processing, feature gating |
| Usage Data | Audit URLs, scores, agent visit logs, IP addresses | Service delivery, rate limiting, analytics |
| Content Data | Zeus content definitions, site configurations | AI agent content serving |
4. Subprocessors
Siere uses the following subprocessors to provide the Service. We will notify you of any changes to this list with 30 days' notice.
| Subprocessor | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase | Database hosting, authentication, edge functions | All account, billing, usage, and content data | AWS EU (Frankfurt) |
| Stripe | Payment processing, subscription management | Email, payment method details, billing history | USA / EU |
| Resend | Transactional email delivery | Email addresses, email content | USA |
| Vercel | Application hosting, edge network, cron jobs | Request logs, IP addresses (transient) | Global CDN (nearest edge) |
| Firebase / Google Analytics | Web analytics (with user consent) | Page views, events, device info (anonymized) | USA / EU |
5. Data Retention
- Account data: Retained while your account is active. Deleted within 30 days of account deletion.
- Audit reports: Retained for 30 days after generation, then marked as expired. Expired reports are permanently deleted within 90 days.
- Analytics events: Retained for 12 months, then aggregated and anonymized.
- Email logs: Delivery logs retained for 90 days for debugging purposes.
- Payment records: Retained as required by applicable tax and accounting laws (typically 7 years).
6. Security Measures
Siere implements appropriate technical and organizational measures to protect personal data, including:
- Encryption in transit (TLS 1.2+) and at rest
- Row-Level Security (RLS) policies on all database tables
- API key authentication with rate limiting
- Ed25519 cryptographic signing for license verification
- Regular security audits and dependency updates
7. Data Subject Rights
You may exercise your rights under GDPR (access, rectification, erasure, portability, restriction, and objection) by contacting us at privacy@siere.ai. We will respond within 30 days.
You can also delete your account directly from your dashboard settings, which triggers deletion of all associated personal data.
8. International Transfers
Some of our subprocessors are located outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or adequacy decisions as applicable.
9. Changes to This DPA
We may update this DPA from time to time. Material changes (including changes to the subprocessor list) will be notified to you via email with 30 days' notice.
10. Contact
For questions about this DPA or to exercise your data rights, contact us at privacy@siere.ai.