Data Processing Agreement
Last updated: March 2026
1. Scope
This Data Processing Agreement ("DPA") forms part of the agreement between the customer ("Data Controller") and Amphelyx ("Data Processor") and applies to the processing of personal data in connection with the Service.
This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (GDPR).
2. Data Processing Details
- Purpose: providing the AI platform services as described in the service agreement.
- Nature of processing: storage, retrieval, embedding, and AI inference on uploaded documents and chat interactions.
- Categories of data subjects: employees and authorized users of the Data Controller.
- Types of personal data: names, email addresses, user-uploaded documents, chat messages, and AI-generated outputs.
- Duration: for the term of the service agreement plus the data retention period.
3. Security Measures
Amphelyx implements the following technical and organizational measures:
- Encryption of data at rest (AES-256) and in transit (TLS 1.3).
- Role-based access control with the principle of least privilege.
- LLM inference on our own European servers by default — data is only sent to third-party AI providers if explicitly configured by the Data Controller.
- Regular security assessments and vulnerability scanning.
- Audit logging of all data access and processing activities.
- Physical security controls at data center facilities (EU and Switzerland).
If the Data Controller configures a third-party AI provider (e.g. OpenAI, Anthropic, Google), prompts and AI-generated outputs may be processed by that provider. In this case, the provider acts as an additional sub-processor and the Data Controller is responsible for ensuring an adequate legal basis for the transfer.
4. Sub-processors
For our cloud-hosted offering, we use the following sub-processors, all located within the European Union or Switzerland:
- Infrastructure provider: European cloud hosting for servers and databases (EU and Switzerland).
- Supabase: Authentication services (EU region).
For self-hosted deployments, no sub-processors are involved — all data remains on the Data Controller's infrastructure.
5. Data Subject Rights
Amphelyx will assist the Data Controller in responding to requests from data subjects exercising their rights under the GDPR (access, rectification, erasure, portability, restriction, and objection).
6. Data Breach Notification
In the event of a personal data breach, Amphelyx will notify the Data Controller without undue delay, and in any case within 48 hours of becoming aware of the breach, providing all information necessary for the Controller to meet its notification obligations under Article 33 GDPR.
7. Data Deletion
Upon termination of the service agreement, Amphelyx will delete or return all personal data to the Data Controller within 30 days, unless retention is required by applicable law.
8. Contact
To request a signed copy of this DPA or to discuss data processing questions, please use our contact form.