What is included
- Art. 28 GDPR data processor undertakings: instruction-only processing, confidentiality, technical and organisational measures, sub-processor obligations, audit rights, deletion and return of data on termination.
- EU Standard Contractual Clauses (Commission Decision 2021/914), modules 2 (controller-to-processor) and 3 (processor-to-processor), pre-signed for transfers to sub-processors outside the EEA.
- UK International Data Transfer Addendum (ICO) for customers with UK data subjects.
- An annex listing all current sub-processors and their roles — see /sub-processors.
- Technical and organisational measures annex (TOMs): sandbox isolation, encryption in transit and at rest, audit-log hashing, access controls, backup posture, incident response process.
- Personal-data breach notification commitment: notice to the controller without undue delay, in any event within 48 hours of becoming aware.
How to put it in place
- Mail legal@acuvis.dev with subject "DPA request" and your organisation name as registered in Acuvis.
- We send you a copy of our standard DPA pre-filled with your entity details. The document is signed electronically (DocuSign or equivalent).
- The counter-signed copy is returned within two business days. You receive a PDF for your compliance file, and we mark the org account as "DPA in force" in our records.
Custom redlines
Enterprise customers may negotiate specific clauses. For self-serve and indie tiers, redlines are accepted only on a best-effort basis — the standard DPA covers Art. 28 GDPR in full and is sufficient for most controllers. Material deviations require an enterprise contract and are priced accordingly.
What this DPA does not cover
The DPA addresses Acuvis's role as processor. The general commercial relationship — pricing, service availability, liability cap — is governed by the Terms of Service. Privacy practices that apply to all users with or without a signed DPA are in the Privacy Policy.