Data Processing Addendum
Last updated: 14 June 2026
This Data Processing Addendum forms part of the agreement between SUNURA and the Customer where the Customer uses the Services and SUNURA processes Customer Personal Data as processor on behalf of the Customer.
This DPA applies to SUNURA’s provision of AI transparency workflow, disclosure-management, evidence-record, proof-capture, public-verification, export, API, dashboard, integration, support, and related software services.
This DPA does not apply where SUNURA processes personal data as an independent controller. Such processing is described in SUNURA’s Privacy Notice.
SUNURA is not a law firm and does not provide legal advice, regulatory advice, legal representation, certification, conformity assessment, or a guarantee of compliance with the EU AI Act, GDPR, ePrivacy law, consumer-protection law, advertising law, platform rules, or other applicable law.
1. Parties
This DPA is entered into between:
SUNURA, trading under the SUNURA name, as processor; and
Customer, as controller, identified in the applicable account, order form, checkout flow, subscription, invoice, trial registration, or written agreement.
If SUNURA later operates through a registered legal entity, this DPA may be updated to identify that entity.
2. Definitions
Agreement means the applicable SUNURA Terms and Conditions, order form, subscription agreement, checkout terms, master services agreement, statement of work, or other agreement governing the Customer’s use of the Services.
Applicable Data Protection Laws means all privacy and data-protection laws applicable to the processing of Customer Personal Data under this DPA, including, where applicable, Regulation (EU) 2016/679, the Dutch GDPR Implementation Act, the UK GDPR, the Swiss Federal Act on Data Protection, and any national implementing or supplemental data-protection laws.
Customer Data means content, files, records, API payloads, screenshots, DOM snapshots, metadata, disclosure text, evidence records, use-case descriptions, export data, verification records, account data, workspace data, and other data submitted to or generated through the Services by or on behalf of the Customer.
Customer Personal Data means Personal Data contained in Customer Data that SUNURA processes as processor on behalf of the Customer.
Services means the SUNURA website, platform, dashboards, APIs, widgets, integrations, disclosure workflows, proof-capture tools, evidence records, public verification pages, exports, support, documentation, and related services.
Subprocessor means any third party engaged by SUNURA to process Customer Personal Data on behalf of SUNURA in connection with the Services.
Security Measures means the technical and organizational measures described in Schedule 2 and any additional measures agreed in writing.
The terms Controller, Processor, Data Subject, Personal Data, Personal Data Breach, Processing, and Supervisory Authority have the meanings given to them under Applicable Data Protection Laws.
3. Scope and order of precedence
This DPA applies only where SUNURA processes Customer Personal Data as processor on behalf of the Customer.
If there is a conflict between this DPA and the Agreement regarding the processing of Customer Personal Data, this DPA prevails to the extent of the conflict.
If there is a conflict between this DPA and applicable Standard Contractual Clauses or mandatory data-protection law, the Standard Contractual Clauses or mandatory law prevail.
4. Roles of the parties
The parties acknowledge and agree that, for Customer Personal Data:
- the Customer is the controller;
- SUNURA is the processor;
- the Customer determines the purposes and means of processing;
- SUNURA processes Customer Personal Data only on documented instructions from the Customer.
The Customer is responsible for determining whether Personal Data may lawfully be submitted to the Services, whether AI disclosure workflows are lawful and necessary, whether evidence capture is proportionate, whether screenshots or DOM captures may contain Personal Data, and whether consent, notice, DPIA, legitimate-interest assessment, records of processing, or supervisory-authority consultation are required.
SUNURA shall promptly inform the Customer if, in SUNURA’s reasonable opinion, an instruction infringes Applicable Data Protection Laws, unless prohibited by law. SUNURA is not required to provide legal advice or legal analysis when giving such notice.
5. Customer instructions
The Customer instructs SUNURA to process Customer Personal Data as necessary to:
- provide, operate, secure, maintain, support, and improve the Services;
- create and manage accounts, workspaces, users, roles, permissions, API keys, and configurations;
- generate, store, display, verify, and export disclosure notices and evidence records;
- process API requests, proof captures, verification-page requests, export requests, and integration events;
- provide support, troubleshooting, debugging, abuse prevention, security monitoring, billing support, and service administration;
- comply with legal obligations applicable to SUNURA as a service provider;
- perform other processing expressly instructed through the Services, the Agreement, the Customer’s configuration, API calls, support requests, or written instructions.
SUNURA shall not sell Customer Personal Data.
SUNURA shall not use Customer Personal Data for third-party advertising.
SUNURA shall not use Customer Personal Data to train public AI models unless the Customer has expressly agreed in writing.
SUNURA may process aggregated, anonymized, or de-identified information for analytics, security, service improvement, benchmarking, and reporting, provided that such information does not identify the Customer, Customer users, or Data Subjects.
6. Details of processing
The subject matter, duration, nature, purpose, categories of Data Subjects, categories of Personal Data, and processing location are described in Schedule 1.
The Customer acknowledges that the Services may be configured to capture evidence that a disclosure notice was created, configured, rendered, verified, exported, or published. Such evidence may include timestamps, rendered notice text, surface URLs, technical metadata, DOM snapshots, screenshots, hashes, user or workspace identifiers, verification identifiers, and export records.
The Customer must configure the Services to avoid capturing unnecessary, excessive, confidential, sensitive, or unlawful Personal Data.
7. Restricted data
Unless expressly agreed in writing, the Customer shall not intentionally submit to the Services:
- special categories of Personal Data;
- criminal-offence data;
- children’s data;
- health data;
- biometric templates;
- government identifiers;
- payment-card numbers;
- passwords, secrets, or private keys;
- highly confidential third-party data;
- data that the Customer is not legally permitted to process or disclose.
If restricted data is inadvertently submitted, the Customer remains responsible for the lawfulness of the submission and should delete it promptly or contact SUNURA for assistance.
8. Confidentiality
SUNURA shall ensure that persons authorized to process Customer Personal Data are subject to an appropriate duty of confidentiality, whether contractual, statutory, professional, or otherwise.
SUNURA shall restrict access to Customer Personal Data to personnel and Subprocessors who need such access to provide, maintain, secure, support, or improve the Services.
9. Security measures
SUNURA shall implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.
The Security Measures are described in Schedule 2.
SUNURA may update or modify the Security Measures from time to time, provided that such updates do not materially reduce the overall level of protection for Customer Personal Data during the term of the Agreement.
The Customer is responsible for secure configuration of its account, user access, API keys, integrations, evidence-capture settings, public verification pages, export settings, and deletion or retention settings.
10. Subprocessors
The Customer grants SUNURA general written authorization to engage Subprocessors for processing Customer Personal Data.
SUNURA shall maintain a public or customer-accessible list of Subprocessors at /subprocessors or another notified location.
The Subprocessor list shall identify, at an appropriate level, the service category, provider name, processing purpose, data categories, processing region or transfer mechanism, status, and material notes.
SUNURA shall impose data-protection obligations on each Subprocessor that are materially no less protective than those imposed on SUNURA under this DPA, to the extent applicable to the Subprocessor’s services.
SUNURA remains responsible for the acts and omissions of its Subprocessors to the extent required by Applicable Data Protection Laws and the Agreement.
SUNURA shall provide notice of material additions or replacements of Subprocessors through the Subprocessor page, email, dashboard notice, or another commercially reasonable method.
The Customer may object to a new Subprocessor on reasonable data-protection grounds within 30 days after notice.
If the Customer objects to a new Subprocessor, the parties shall work in good faith to address the objection. If the objection cannot reasonably be resolved, the Customer may terminate the affected Services in accordance with the Agreement.
11. Data-subject rights
Taking into account the nature of the processing, SUNURA shall provide reasonable assistance to the Customer, by appropriate technical and organizational measures where possible, to enable the Customer to respond to requests from Data Subjects exercising rights under Applicable Data Protection Laws.
If SUNURA receives a Data Subject request relating to Customer Personal Data, SUNURA shall, where legally permitted and where the request identifies the Customer, either:
- advise the Data Subject to contact the Customer directly; or
- forward the request to the Customer.
SUNURA shall not respond substantively to Data Subject requests on the Customer’s behalf unless authorized by the Customer or required by law.
12. Assistance with compliance obligations
Taking into account the nature of the processing and the information available to SUNURA, SUNURA shall provide reasonable assistance to the Customer with obligations relating to:
- security of processing;
- Personal Data Breach notifications;
- Data Protection Impact Assessments;
- prior consultation with Supervisory Authorities;
- records, information, or documentation reasonably required to demonstrate processor compliance.
SUNURA may charge reasonable fees for assistance that exceeds standard support, unless the assistance is required due to SUNURA’s breach of this DPA.
13. Personal Data Breach
SUNURA shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.
The notification shall include, to the extent known and reasonably available:
- the nature of the Personal Data Breach;
- the categories and approximate number of Data Subjects affected;
- the categories and approximate number of Personal Data records affected;
- the likely consequences of the Personal Data Breach;
- the measures taken or proposed to address the Personal Data Breach;
- contact details for follow-up.
SUNURA’s notification of or response to a Personal Data Breach shall not be construed as an acknowledgement of fault or liability.
The Customer is responsible for determining whether to notify a Supervisory Authority, Data Subjects, customers, clients, users, regulators, auditors, or other third parties.
14. Audits and information rights
SUNURA shall make available information reasonably necessary to demonstrate compliance with this DPA, including relevant security summaries, Subprocessor information, privacy documentation, support materials, security questionnaires, audit summaries, penetration-test summaries, or trust documentation where available.
The Customer may request an audit no more than once per calendar year unless required by a Supervisory Authority or following a confirmed Personal Data Breach materially affecting Customer Personal Data.
Audits shall be conducted:
- during normal business hours;
- on reasonable prior written notice;
- in a manner that does not disrupt SUNURA’s business, systems, security, confidentiality, or other customers;
- subject to appropriate confidentiality obligations;
- at the Customer’s cost, unless the audit reveals a material breach of this DPA by SUNURA.
SUNURA may satisfy audit requests by providing independent third-party reports, security questionnaires, documentation, or remote review sessions where such materials reasonably demonstrate compliance.
The Customer shall not perform penetration tests, vulnerability scans, or security assessments of SUNURA systems without SUNURA’s prior written approval.
15. International transfers
SUNURA shall not transfer Customer Personal Data outside the European Economic Area, United Kingdom, Switzerland, or another jurisdiction recognized as providing adequate protection unless an appropriate transfer mechanism is in place.
Where required, the parties shall rely on an applicable lawful transfer mechanism, such as:
- an adequacy decision;
- the European Commission Standard Contractual Clauses;
- the UK International Data Transfer Agreement or UK Addendum, where applicable;
- the Swiss transfer clauses or adaptations, where applicable;
- another lawful transfer mechanism available under Applicable Data Protection Laws.
Where the European Commission Standard Contractual Clauses are required for international transfers:
- Module Two applies to controller-to-processor transfers where the Customer transfers Personal Data to SUNURA outside the EEA;
- Module Three applies to processor-to-processor onward transfers where SUNURA transfers Personal Data to a non-EEA Subprocessor;
- the information in Schedule 1 and Schedule 2 forms part of the relevant annex information unless the parties execute a separate SCC annex;
- the competent Supervisory Authority and governing-law details shall be determined by the Agreement, the Customer’s establishment, SUNURA’s establishment, or the relevant SCC annex.
SUNURA shall implement supplementary measures where required by Applicable Data Protection Laws and the circumstances of the transfer.
16. Deletion and return
Upon termination or expiry of the Agreement, SUNURA shall, at the Customer’s choice and subject to the Agreement:
- return Customer Personal Data in a commercially reasonable export format;
- delete Customer Personal Data; or
- permit the Customer to export Customer Personal Data before deletion.
SUNURA may retain Customer Personal Data to the extent required by law, dispute resolution, security logs, backup retention, accounting obligations, fraud prevention, audit records, or legitimate business records, provided that retained data remains protected in accordance with this DPA.
Backup copies shall be deleted or overwritten according to SUNURA’s normal backup-retention cycle unless earlier deletion is technically feasible and commercially reasonable.
17. Public verification pages and evidence exports
The Customer may configure the Services to create public verification pages or shareable evidence exports.
The Customer is responsible for determining whether publication, sharing, export, or retention of evidence records is lawful, appropriate, necessary, and proportionate.
SUNURA shall provide technical controls designed to reduce the risk that public verification pages expose unnecessary Customer Personal Data. The Customer remains responsible for reviewing verification-page content and configuration before public use.
Evidence records and exports document operational events, such as disclosure configuration, rendering, capture, timestamps, hashes, verification identifiers, and export activity. They do not constitute legal advice, legal certification, regulatory approval, or proof of legal compliance.
18. AI-specific and Article 50-specific processing
The Customer may use the Services for AI transparency workflows, including AI interaction notices, synthetic-content disclosures, deepfake-publication review, biometric-categorization notices, emotion-recognition notices, evidence capture, public verification, and evidence exports.
The Customer remains solely responsible for determining:
- whether Article 50 or other EU AI Act obligations apply;
- whether the Customer acts as provider, deployer, importer, distributor, product manufacturer, agency, publisher, employer, or another regulated actor;
- whether a disclosure notice is required;
- whether notice timing, placement, accessibility, prominence, persistence, and content are lawful;
- whether exceptions apply;
- whether the Customer’s use of emotion recognition, biometric categorization, synthetic content, deepfakes, AI-generated public-interest text, or AI interaction systems complies with applicable law;
- whether legal review, DPIA, legitimate-interest assessment, or supervisory-authority consultation is required.
SUNURA classifications, templates, control matrices, explanations, reports, verification pages, and evidence outputs are operational aids only.
19. Customer warranties
The Customer represents and warrants that:
- it has all rights, permissions, notices, consents, and legal bases required to submit Customer Personal Data to the Services;
- its instructions to SUNURA are lawful;
- it will not use the Services to capture unnecessary or excessive Personal Data;
- it will not use evidence records, exports, or public verification pages in a misleading way;
- it will maintain appropriate notices, policies, legal bases, and customer-facing disclosures;
- it will comply with Applicable Data Protection Laws.
20. Liability
Liability under this DPA is subject to the liability limitations and exclusions in the Agreement, unless prohibited by Applicable Data Protection Laws.
Nothing in this DPA limits liability where such limitation is prohibited by applicable law.
Nothing in this DPA limits the rights of Data Subjects under Applicable Data Protection Laws.
21. Duration
This DPA remains in effect for as long as SUNURA processes Customer Personal Data on behalf of the Customer.
22. Changes to this DPA
SUNURA may update this DPA from time to time.
Material changes shall be notified through the website, dashboard, email, order form, or another commercially reasonable method.
If required by law or contract, the Customer may object to material changes within the applicable notice period.
Continued use of the Services after the effective date of an updated DPA constitutes acceptance of the updated DPA, unless the Agreement provides otherwise.
23. Governing law
This DPA is governed by the laws of the Netherlands, unless the applicable Agreement validly specifies another governing law.
Mandatory provisions of Applicable Data Protection Laws remain unaffected.
Schedule 1 — Details of Processing
| Topic | Details |
|---|---|
| Subject matter | Provision of SUNURA’s AI transparency workflow, disclosure-management, evidence-record, proof-capture, public-verification, export, API, dashboard, integration, support, billing-support, and related software services. |
| Duration | For the term of the Agreement and any post-termination period during which SUNURA processes Customer Personal Data for deletion, return, backup retention, legal compliance, dispute resolution, security, or fraud-prevention purposes. |
| Nature of processing | Collection, receipt, recording, organization, structuring, storage, hosting, retrieval, consultation, use, transmission, disclosure by access, alignment, combination, restriction, erasure, export, hashing, verification, logging, and other processing necessary to provide the Services. |
| Purpose of processing | To provide, secure, maintain, support, troubleshoot, verify, export, and improve the Services, including account management, workspace management, disclosure workflow configuration, AI use-case records, proof capture, evidence records, public verification pages, evidence exports, API automation, support, security monitoring, and contractual compliance. |
| Categories of Data Subjects | Customer administrators and users; Customer employees, contractors, clients, and representatives; end users interacting with Customer AI systems, websites, applications, chatbots, or content surfaces; individuals appearing in screenshots, DOM captures, logs, or evidence records where configured; business contacts; support correspondents. |
| Categories of Personal Data | Names, email addresses, user IDs, account identifiers, role information, workspace membership, login and session metadata, device/browser metadata, IP-derived or hashed technical metadata, audit logs, disclosure text, use-case descriptions, surface URLs, configuration metadata, timestamps, hash values, export logs, screenshot or DOM-capture contents where enabled, support communications, billing-contact information, payment metadata, and other Personal Data submitted by the Customer through the Services. |
| Sensitive data | The Services are not designed for intentional processing of special categories of Personal Data, criminal-offence data, children’s data, biometric templates, health data, government identifiers, payment-card data, passwords, secrets, or private keys unless expressly agreed in writing. |
| Frequency of processing | Continuous or as initiated by the Customer, Customer users, API calls, integrations, scheduled workflows, proof-capture events, exports, support requests, or system operations. |
| Primary processing location | European Economic Area, unless otherwise stated in the Agreement, order form, customer configuration, subprocessor list, or applicable deployment documentation. Transfers outside the EEA are governed by Section 15 of this DPA. |
Schedule 2 — Technical and Organizational Measures
| Topic | Measures |
|---|---|
| Access control | Authentication for administrative and customer access; role-based or permission-based access controls where supported; least-privilege access for personnel; controls for API keys and service credentials; logging of sensitive administrative actions where implemented. |
| Tenant and workspace separation | Logical separation of customer workspaces and records; authorization checks for customer dashboards, API endpoints, evidence records, exports, and verification pages; controls designed to prevent cross-customer access. |
| Encryption and transmission security | HTTPS/TLS for production browser and API traffic; encryption or equivalent safeguards for sensitive storage where supported by the production environment; secure handling of secrets and credentials. |
| Evidence integrity | Hashing of disclosure text, evidence records, DOM captures, screenshots, or export manifests where configured; use of record identifiers and timestamps; public verification pages designed to expose only intended metadata; evidence records documenting operational proof rather than legal certification. |
| Logging and monitoring | Operational logging for authentication, evidence capture, exports, API usage, administrative activity, and security events where supported; monitoring appropriate to the deployment; retention limits according to plan, configuration, and legal requirements. |
| Backup and recovery | Backup and recovery controls appropriate to the production environment; backup-retention and restoration procedures according to the applicable deployment plan; periodic review of recovery practices where commercially reasonable. |
| Personnel security | Confidentiality obligations for personnel with access to Customer Personal Data; access limited to personnel with a business need; revocation of access when no longer required. |
| Subprocessor controls | Due diligence appropriate to the nature of the Subprocessor; written terms imposing data-protection and security obligations; Subprocessor list or notice process; material-change notice where required. |
| Vulnerability and incident management | Reasonable vulnerability-management practices; triage and remediation of confirmed vulnerabilities according to severity; incident-response process for suspected or confirmed Personal Data Breaches; Customer notification where required by law or contract. |
| Customer configuration responsibilities | Customer remains responsible for managing authorized users, API keys, evidence-capture settings, public verification pages, exports, retention, deletion, and legal review for regulated AI workflows. |
Schedule 3 — Subprocessors
SUNURA’s current Subprocessor list is maintained on the public Subprocessors page or provided upon request.
The list should include, where applicable:
- service category;
- provider name;
- processing purpose;
- data categories;
- processing region;
- transfer mechanism;
- status;
- material notes.
SUNURA shall not publish unnecessary operational architecture, deployment-environment details, server names, IP addresses, internal security configurations, or other sensitive technical implementation details in the public Subprocessor list.
Schedule 4 — Standard Contractual Clauses
Where applicable, the European Commission Standard Contractual Clauses are incorporated by reference into this DPA for international transfers of Customer Personal Data.
Where the SCCs apply:
- Module Two applies to controller-to-processor transfers where appropriate;
- Module Three applies to processor-to-processor onward transfers where appropriate;
- Schedule 1 and Schedule 2 provide the relevant processing and security details unless the parties execute a separate SCC annex;
- Subprocessor information is provided through Schedule 3 and the Subprocessor list;
- mandatory SCC provisions prevail over conflicting provisions of this DPA or the Agreement.