Aquariusly

Data Processing Agreement

Effective Date: January 5, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer") and Aquariusly Technologies ("Aquariusly," "we," "us," or "our") and governs the processing of personal data in connection with our SaaS platform services.

GDPR Compliance: This DPA ensures compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws. It establishes the legal framework for processing personal data on behalf of our customers.

1. Definitions and Interpretation

1.1 Key Definitions

Controller

The Customer who determines the purposes and means of processing personal data.

Processor

Aquariusly, who processes personal data on behalf of the Controller.

Personal Data

Any information relating to an identified or identifiable natural person.

Processing

Any operation performed on personal data, including collection, storage, use, and deletion.

2. Scope and Application

2.1 Agreement Scope

This DPA applies to all processing of personal data by Aquariusly on behalf of the Customer in connection with the provision of our SaaS platform services, including:

  • User account information and authentication data
  • Content and data uploaded or created through our platform
  • Usage analytics and platform interaction data
  • Communication and support interaction records

2.2 Relationship to Main Agreement

This DPA supplements and forms an integral part of our Terms of Service. In case of conflict between this DPA and the main agreement, this DPA shall prevail with respect to data protection matters.

3. Processing Details

3.1 Nature and Purpose of Processing

Service Provision

  • • Providing access to AI models and platform features
  • • Processing user requests and delivering AI responses
  • • Maintaining user accounts and authentication
  • • Managing subscriptions and billing

Platform Operation

  • • System monitoring and performance optimization
  • • Security monitoring and threat detection
  • • Technical support and troubleshooting
  • • Platform analytics and improvement

3.2 Categories of Data Subjects

  • Customer employees, contractors, and authorized users
  • End users of Customer's services (where applicable)
  • Customer contacts and representatives
  • Individuals mentioned in content processed through our platform

3.3 Types of Personal Data

  • Identity Data: Names, email addresses, user IDs
  • Account Data: Login credentials, preferences, settings
  • Usage Data: Platform interactions, feature usage, session data
  • Content Data: User-generated content, AI conversations, uploaded files
  • Technical Data: IP addresses, device information, browser data

4. Processor Obligations

4.1 Processing Instructions

Aquariusly shall process personal data only on documented instructions from the Customer, including:

  • Instructions set out in this DPA and the main service agreement
  • Additional written instructions provided by the Customer
  • Instructions necessary for compliance with applicable law

4.2 Confidentiality

Aquariusly ensures that persons authorized to process personal data:

  • Have committed themselves to confidentiality or are under statutory confidentiality obligations
  • Receive appropriate training on data protection requirements
  • Have access only to personal data necessary for their role
  • Are subject to disciplinary action for unauthorized disclosure

5. Security Measures

5.1 Technical Safeguards

Encryption

  • • Data encryption in transit using TLS 1.3
  • • Data encryption at rest using AES-256
  • • Encrypted database storage and backups

Access Controls

  • • Multi-factor authentication for administrative access
  • • Role-based access control (RBAC)
  • • Regular access reviews and deprovisioning

Infrastructure Security

  • • Secure cloud infrastructure with certified providers
  • • Network segmentation and firewall protection
  • • Intrusion detection and prevention systems

5.2 Organizational Measures

  • Regular security training for all personnel
  • Incident response procedures and breach notification protocols
  • Regular security audits and vulnerability assessments
  • Data protection impact assessments for high-risk processing

6. Sub-processors

6.1 Authorization

The Customer provides general authorization for Aquariusly to engage sub-processors, subject to the conditions set out in this section.

6.2 Current Sub-processors

Cloud Infrastructure

  • • Amazon Web Services (AWS) - Hosting and data storage
  • • Cloudflare - Content delivery and security

AI Services

  • • OpenAI - AI model processing
  • • Anthropic - AI model processing
  • • Google - AI model processing

Support Services

  • • Stripe - Payment processing
  • • SendGrid - Email delivery

6.3 Sub-processor Requirements

All sub-processors are bound by data protection obligations equivalent to those in this DPA, including:

  • Appropriate technical and organizational security measures
  • Confidentiality commitments from authorized personnel
  • Assistance with data subject rights and breach notifications
  • Deletion or return of personal data upon termination

7. Data Subject Rights

7.1 Assistance with Rights Requests

Aquariusly shall assist the Customer in fulfilling data subject rights requests, including:

  • Access: Providing copies of personal data
  • Rectification: Correcting inaccurate personal data
  • Erasure: Deleting personal data upon request
  • Portability: Providing data in structured formats
  • Restriction: Limiting processing activities
  • Objection: Stopping specific processing activities

7.2 Response Procedures

  • Aquariusly will notify the Customer of any direct data subject requests within 48 hours
  • Technical assistance will be provided within 30 days of Customer request
  • Reasonable cooperation will be provided for complex or urgent requests
  • Additional fees may apply for extensive assistance beyond standard support

8. Data Breach Notification

8.1 Notification Requirements

In the event of a personal data breach, Aquariusly shall:

  • Notify the Customer without undue delay and within 72 hours of becoming aware
  • Provide all available information about the nature and scope of the breach
  • Describe the likely consequences and measures taken to address the breach
  • Provide contact information for further inquiries

8.2 Breach Response

  • Immediate containment and investigation of the breach
  • Assessment of risks to data subjects and potential harm
  • Implementation of measures to prevent future breaches
  • Cooperation with Customer's breach response activities

9. International Data Transfers

9.1 Transfer Mechanisms

When personal data is transferred outside the European Economic Area, Aquariusly ensures appropriate safeguards through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions for countries with equivalent data protection
  • Binding Corporate Rules for intra-group transfers
  • Certification schemes and approved codes of conduct

9.2 Transfer Impact Assessment

Aquariusly conducts transfer impact assessments to evaluate the level of protection in destination countries and implements additional safeguards where necessary.

10. Data Retention and Deletion

10.1 Retention Periods

Personal data is retained only for as long as necessary for the purposes outlined in this DPA:

  • Active Accounts: Duration of service agreement plus 30 days
  • Conversation Data: Duration of subscription plus 90 days
  • Billing Records: 7 years for legal and tax compliance
  • Security Logs: 2 years for security monitoring

10.2 Data Return and Deletion

Upon termination of services or Customer request, Aquariusly shall:

  • Return or securely delete all personal data within 30 days
  • Provide certification of deletion upon Customer request
  • Retain data only where required by applicable law
  • Ensure sub-processors also delete or return personal data

11. Contact Information

For questions about this Data Processing Agreement or data protection matters:

Data Protection Officer: privacy@aquariusly.pro
Legal Inquiries: legal@aquariusly.pro
Technical Support: support@aquariusly.pro

12. Amendments and Termination

12.1 Amendments

This DPA may be amended only by written agreement between the parties or as required by changes in applicable data protection law.

12.2 Termination

This DPA shall remain in effect for the duration of the main service agreement and shall automatically terminate upon termination of the main agreement, subject to data retention and deletion obligations.

Agreement Acceptance

By using Aquariusly services, the Customer acknowledges that they have read, understood, and agree to the terms of this Data Processing Agreement. This DPA forms an integral part of the service agreement between the parties.