Data Processing Agreement
Draft — May 2026
DRAFT — Under legal review. The signed PDF is available on request.
1. Parties and Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer", acting as the data Controller) and Monafy ("Gurulu", acting as the data Processor). It governs the processing of personal data submitted to Gurulu through the Service. Where a conflict arises, this DPA prevails over the Terms of Service for personal data matters.
2. Subject Matter and Duration
Gurulu processes personal data on behalf of the Customer for the sole purpose of providing analytics, error tracking, and customer data platform services. Processing continues for the duration of the active subscription and the 30-day data retention window after termination, after which all personal data is permanently deleted unless its retention is legally required.
3. Nature and Purpose of Processing
Personal data may include: end-user IP addresses, user agents, identifiers such as cookie IDs or hashed emails, page URLs, click events, error stack traces, session replay snapshots (if enabled), and any other data the Customer voluntarily sends through the Gurulu SDK or APIs. Processing operations include collection, structuring, storage, retrieval, anonymization, aggregation, and erasure on instruction.
4. Sub-Processors
Gurulu uses a minimal set of sub-processors: Hetzner Online GmbH (Falkenstein, Germany — primary infrastructure), Stripe Payments Europe (billing only, no analytics data), Resend (transactional email only), and Amazon Web Services for the Bedrock managed AI service in eu-central-1 (used as a fallback LLM provider for AI features only — no personal data is stored at AWS, only ephemeral inference). The current list is published at /trust/sub-processors. Customer will be notified of changes at least 30 days in advance with a right to object.
5. Security Measures
Gurulu implements appropriate technical and organizational measures, including: encryption in transit (TLS 1.3) and at rest (LUKS at the volume layer), access controls with least-privilege IAM, audit logging via AdminActionAudit, an incident response plan with a 72-hour notification SLA, secure software development practices, regular vulnerability scanning, and HSTS/CSP/X-Frame headers on all surfaces. Security details: gurulu.io/security.
6. Data Subject Rights
Gurulu will assist the Customer in responding to data subject requests under GDPR Articles 15-22 (access, rectification, erasure, restriction, portability, objection) and the equivalent KVKK rights. The dashboard provides self-serve erasure and export endpoints. Where a Customer-side workflow is insufficient, Gurulu responds to verified requests within 30 days at no additional charge.
7. International Transfers
Personal data is stored exclusively in EU data centers (Hetzner Falkenstein, Germany). Bedrock managed AI inference happens in eu-central-1 (Frankfurt) without persistent storage. No transfers occur outside the EU/EEA except where you explicitly configure outbound destinations (e.g. Meta CAPI, Google Ads CAPI), in which case the relevant Standard Contractual Clauses with each ad platform apply.
8. Audits
Customer may, at most once per calendar year and upon at least 30 days' written notice, audit Gurulu's compliance with this DPA. Audits are at Customer's expense and conducted under reasonable confidentiality terms. Gurulu's published security posture, third-party penetration test reports, and SOC-style attestations (when available) may be used to satisfy this requirement.
9. Liability and Indemnity
Each party's aggregate liability under this DPA is subject to the same limitation of liability set out in Section 7 of the Terms of Service. Where a regulator imposes an administrative fine on the Controller arising from a breach of this DPA caused by the Processor, the Processor will indemnify the Controller subject to the same cap.
10. Contact and Execution
Customer may request a counter-signed PDF of this DPA at any time by emailing legal@gurulu.io with the legal entity name, address, and the email of the authorized signatory. Acceptance of the Terms of Service constitutes acceptance of this DPA without further action.