๐ Data Processing Agreement
Effective date: March 24, 2026
1. Definitions
- "User" โ a person using ComIO.Studio, acting as data controller within the meaning of the GDPR (determining the purposes and means of processing their data).
- "Operator" โ Sebastian Pietrasiak, trading as ComIO.Studio, acting as data processor within the meaning of the GDPR.
- "GDPR" โ Regulation (EU) 2016/679 of the European Parliament and of the Council.
- "Personal Data" โ any information relating to an identified or identifiable natural person, processed in connection with the use of ComIO.Studio.
- "Sub-processor" โ a third party engaged by the Operator to process personal data on behalf of the User.
2. Subject Matter and Scope of Processing
This DPA applies only to the extent that the Operator processes personal data on behalf of the User as a processor. This includes AI query content processed in Managed Mode and strictly necessary transient technical metadata. Installation Data (PP ยง3.0) and Operational Data (PP ยง3.1) are processed by the Operator as an independent controller and are not subject to this DPA.
| Element | Description |
|---|---|
| Scope | AI query processing in Managed Mode (processor capacity only) |
| Duration | Transit only; temporary diagnostic logs deleted without undue delay |
| Nature | Automated processing; transit (AI queries and strictly necessary metadata) |
| Purpose | Forwarding AI queries to model providers, returning responses, billing reconciliation, diagnostics |
| Data subjects | Users submitting AI queries in Managed Mode; individuals whose data may appear in query content |
| Data types | AI query content (transit), AI query metadata (timestamp, model, token usage, status) |
| Out of scope | Installation Data (ยง3.0 PP), Operational Data (ยง3.1 PP) โ processed by Operator as independent controller per Privacy Policy |
3. Operator Obligations
The Operator undertakes to:
- Process personal data only on documented instructions from the User (acceptance of Terms of Service and Privacy Policy constitutes such instructions).
- Ensure that persons authorised to process personal data have committed themselves to confidentiality.
- Implement appropriate technical and organisational measures to ensure the security of processing (Art. 32 GDPR).
- Comply with the conditions for engaging sub-processors (ยง5).
- Assist the User in fulfilling obligations under Art. 32โ36 GDPR.
- After the end of service provision โ delete or return personal data in accordance with retention periods defined in the Privacy Policy.
- Make available to the User all information necessary to demonstrate compliance with Art. 28 GDPR.
4. Security Measures
The Operator implements and maintains appropriate technical and organisational measures, including:
- Encryption of data in transit (TLS/HTTPS).
- Access controls and the principle of least privilege.
- Regular security reviews of infrastructure.
- Access monitoring and logging.
5. Sub-processors
The User grants general authorisation for the Operator to use sub-processors. Current list:
| Sub-processor | Role | Location |
|---|---|---|
| Cloudflare, Inc. | Infrastructure (Worker, KV, D1), CDN, DNS, DDoS protection | USA / EU (configurable) |
| Lemon Squeezy (Lemonsqueezy, Inc.) | Merchant of Record โ payments, taxes, invoices | USA |
| AI model providers (OpenRouter, Anthropic, OpenAI, etc.) | AI query processing in Managed Mode (in transit) | USA / EU |
The Operator will notify the User with reasonable advance notice of any material changes to the list of sub-processors. The User may raise a reasoned objection to a new sub-processor.
6. Data Subject Rights
The Operator assists the User in fulfilling data subject requests under Art. 15โ22 GDPR, to the extent technically and organisationally feasible.
7. Data Breach Notification
In the event of a personal data breach, the Operator will notify the User without undue delay after becoming aware of the breach, providing available information necessary for risk assessment and fulfilment of notification obligations under Art. 33โ34 GDPR.
8. Audit and Compliance Verification
The Operator makes available to the User all information necessary to demonstrate compliance with Art. 28 GDPR and allows for and contributes to audits and inspections on reasonable request, subject to reasonable notice, confidentiality, and proportionality of scope.
9. Term and Termination
This Agreement remains in effect for the duration of the use of ComIO.Studio services. After termination of services, the Operator will delete or anonymise personal data in accordance with retention periods defined in the Privacy Policy, except for data whose continued storage is required by law.
10. Liability
The Operator's liability under this Agreement is subject to the limitations set out in the Terms of Service (ยง12). The Operator is liable only for damages caused by processing that violates the obligations imposed on the processor by the GDPR or this Agreement.
11. CCPA/CPRA Provisions
To the extent the Operator processes personal data subject to the California Consumer Privacy Act (CCPA) or California Privacy Rights Act (CPRA):
- The Operator does not sell or share personal data as defined under CCPA/CPRA.
- The Operator processes personal data solely for the purposes specified in this Agreement, the Terms of Service, and the Privacy Policy.
- The Operator does not combine personal data received from the User with data from other sources, except for purposes permitted by CCPA/CPRA.
12. General Provisions
- This Agreement forms an integral part of the ComIO.Studio Terms of Service.
- In the event of a conflict between this Agreement and the Terms of Service, this Agreement shall prevail with respect to data protection matters.
- This Agreement is governed by the laws of the Republic of Poland.
- Acceptance of the ComIO.Studio Terms of Service constitutes acceptance of this Agreement.
13. Entire Agreement
This Agreement, together with the Terms of Service and Privacy Policy, constitutes the entire agreement between the parties regarding data processing and supersedes all prior arrangements in this regard.
Appendix 1 โ Processing Details (Processor Scope Only)
This Appendix describes only the processing carried out by the Operator as a processor. Processing as independent controller (Installation Data, Operational Data) is described in the Privacy Policy.
| Element | Description |
|---|---|
| Subject matter | AI query content processing in Managed Mode on behalf of the User |
| Duration | Transit only; temporary diagnostic logs deleted without undue delay |
| Nature and purpose | Forwarding AI queries to model providers, returning responses, transient metadata processing for billing reconciliation and diagnostics |
| Data types | AI query content (transit), AI query metadata (timestamp, model, token usage, status) |
| Data subjects | Users submitting AI queries in Managed Mode; individuals whose data may appear in query content |