Data Processing Agreement
Last updated: April 2026 · Enginious Group S.A.
⚠ Draft — for internal review. Standard contractual clauses (SCCs) and GDPR Art. 28 compliance to be finalised with legal counsel.
1. Scope
This Data Processing Agreement ("DPA") governs the processing of personal data by Enginious Group S.A. ("Processor") on behalf of the customer ("Controller") in connection with the Persona 3.0 service.
2. Subject Matter & Duration
The Processor processes personal data for the purpose of providing AI avatar generation, voice synthesis, and real-time conversation services. Processing continues for the duration of the service agreement.
3. Categories of Data
- Biometric data: facial imagery (photos), voice recordings
- Conversation data: transcripts, audio recordings
- End-user data: data about the Controller's customers who interact with embedded avatars
4. Processor Obligations
- Process data only on documented instructions from the Controller
- Ensure that personnel involved in processing maintain confidentiality
- Implement appropriate technical and organisational security measures
- Assist the Controller in responding to data subject requests
- Delete or return all personal data upon termination
- Make available all information necessary to demonstrate compliance
5. Sub-processors
The Processor uses the sub-processors listed in the Privacy Policy. The Controller will be notified of any changes to sub-processors with 30 days' notice.
6. Data Transfers
All primary data storage is within the EU. Where sub-processors process data outside the EU/EEA, Standard Contractual Clauses (SCCs) or adequacy decisions apply.
7. Security Measures
- Encryption at rest and in transit (TLS 1.3 for data in transit)
- Access controls based on the principle of least privilege
- Regular security assessments
- Incident response plan with 72-hour breach notification
8. Contact
DPA inquiries: legal@enginious.tech