Legal

Data Processing Agreement

Last updated: [● date] · Version: 0.1 (draft)

Draft for legal review — not legal advice. This document is a working draft prepared to enable platform onboarding and initial operations. It will be reviewed and finalised by qualified counsel before it is relied upon. Items marked [● like this] are to be confirmed before publishing.

1. Parties and scope

1.1. This Data Processing Agreement ("DPA") is entered into between:

  • Plenvar Labs SRL ("Contwave", "Processor"), a company incorporated in Romania, registered office at Str. Anghelești nr. 5, Curtea de Argeș, Argeș County, Romania, Trade Register no. J2026042747008, CUI 55123337, operating the Contwave platform; and
  • the Client ("Controller"), the broker or business entity identified in the order or in Annex I, who uses the Platform under the Contwave Terms & Conditions (the "Terms").

1.2. This DPA forms part of, and is incorporated into, the Terms (see Terms §14 and §22.3). It governs the processing by Contwave of personal data on behalf of the Client in the course of providing the Platform.

1.3. Roles. With respect to personal data of the Client's own leads, prospects and end customers that the Client submits to or generates through the Platform ("Client Personal Data"), the Client is the controller and Contwave is the processor. (Where Contwave determines the purposes and means of processing for its own account — e.g. its own account holders and prospects — Contwave acts as an independent controller under its Privacy Policy; that processing is outside this DPA.)

1.4. In case of conflict between this DPA and the Terms on data-protection matters, this DPA prevails. In case of conflict between this DPA and the EU Standard Contractual Clauses incorporated by reference, those clauses prevail.


2. Subject matter, duration, nature and purpose

2.1. The subject matter, duration, nature and purpose of the processing, the types of personal data and the categories of data subjects are described in Annex II.

2.2. The processing lasts for the duration of the Client's use of the Platform and until deletion or return of Client Personal Data in accordance with Clause 11.


3. Processing only on documented instructions

3.1. Contwave shall process Client Personal Data only on documented instructions from the Client, including with regard to international transfers, unless required to do so by EU or Member State law to which Contwave is subject; in such a case Contwave shall inform the Client of that legal requirement before processing, unless the law prohibits this on important grounds of public interest.

3.2. The Client's instructions are set out in this DPA, the Terms, and the configuration and use of the Platform by the Client. The Client may issue further documented instructions consistent with the Platform's functionality.

3.3. Contwave shall inform the Client without undue delay if, in its opinion, an instruction infringes the GDPR or other applicable data-protection law.


4. Purpose limitation — no own-purpose use; no AI training on Client data

4.1. Contwave shall process Client Personal Data solely to provide the Platform and the contracted services, and for no purpose of its own.

4.2. In particular, Contwave shall not use Client Personal Data to train, fine-tune or improve any artificial-intelligence or machine-learning model for its own account, nor for profiling, benchmarking, resale, or any other independent commercial purpose.

4.3. Contwave shall ensure, through its agreements with sub-processors (Clause 7 and Annex IV), that AI sub-processors do not use Client Personal Data to train or improve their models (e.g. via business/enterprise terms, no-training commitments and, where available, zero-data-retention settings).

4.4. Permitted analytics. Nothing in this Clause prevents Contwave from generating and using aggregated and anonymised data that does not identify, and cannot reasonably be used to identify, any data subject (for example, statistics on which types of content perform well), for the purpose of operating, securing and improving the Platform. Such data, once truly anonymised, is no longer personal data.


5. Confidentiality

5.1. Contwave shall ensure that persons authorised to process Client Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that access is limited to those who need it to provide the Platform.


6. Security of processing

6.1. Contwave shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account Article 32 GDPR. The measures are described in Annex III and may be updated provided the level of protection is not diminished.


7. Sub-processors

7.1. The Client grants Contwave general authorisation to engage sub-processors to provide the Platform. The sub-processors engaged at the date of this DPA are listed in Annex IV.

7.2. Where Contwave engages a sub-processor, it shall do so under a written contract imposing the same data-protection obligations as set out in this DPA (the "flow-down" required by Article 28(4) GDPR), in particular sufficient guarantees to implement appropriate technical and organisational measures. Contwave remains fully liable to the Client for the performance of each sub-processor's obligations.

7.3. Changes. Contwave shall inform the Client of any intended addition or replacement of a sub-processor, giving the Client the opportunity to object on reasonable data-protection grounds within a reasonable period. If the Client objects and the parties cannot agree a solution, the Client may terminate the affected part of the Platform.


8. International transfers

8.1. Contwave shall not transfer Client Personal Data outside the EEA except in compliance with Chapter V GDPR.

8.2. Where a sub-processor is located outside the EEA, transfers are made on the basis of an adequacy decision where available (including, for certified US providers, the EU-US Data Privacy Framework) and/or the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), together with any supplementary measures required following a transfer impact assessment. The applicable transfer mechanism for each sub-processor is indicated in Annex IV.


9. Assistance to the Client

9.1. Taking into account the nature of the processing, Contwave shall assist the Client by appropriate technical and organisational measures, insofar as possible, in fulfilling the Client's obligation to respond to requests for exercising data-subject rights (Articles 12–23 GDPR), such as access, rectification, erasure, restriction, portability and objection. Where a data subject contacts Contwave directly, Contwave shall forward the request to the Client without undue delay and shall not respond itself except on the Client's instructions.

9.2. Contwave shall also assist the Client, taking into account the nature of processing and the information available to it, in ensuring compliance with the obligations relating to security (Article 32), breach notification (Articles 33–34), data protection impact assessments (Article 35) and prior consultation (Article 36).


10. Personal data breach

10.1. Contwave shall notify the Client of a personal data breach affecting Client Personal Data without undue delay after becoming aware of it, and in any event no later than 48 hours after becoming aware, to enable the Client to meet its own obligations under Articles 33–34 GDPR.

10.2. The notification shall describe, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed. Contwave shall cooperate with the Client and take reasonable steps to mitigate the breach.


11. Deletion or return on termination

11.1. On termination or expiry of the provision of the Platform, Contwave shall, at the Client's choice, delete or return all Client Personal Data, and delete existing copies, unless EU or Member State law requires storage (e.g. mandatory accounting or audit-trail retention, as reflected in the Privacy Policy §9 and Terms §6.6).

11.2. Where data must be retained by law, Contwave shall protect it and process it only for the purpose and duration required by that law.


12. Audit and inspection

12.1. Contwave shall make available to the Client all information necessary to demonstrate compliance with Article 28 GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Client or an auditor mandated by the Client.

12.2. To balance assurance with operational security, audits shall take place on reasonable prior notice, no more than once per year (save where required by a supervisory authority or following a personal data breach), during business hours, subject to confidentiality. Contwave may satisfy audit requests in whole or in part by providing third-party certifications or audit reports where these reasonably address the Client's request.


13. Liability and relationship to the Terms

13.1. Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms, except where such limitation is not permitted by applicable data-protection law.

13.2. Nothing in this DPA limits any liability that cannot be limited under applicable mandatory law.


14. Duration, governing law and miscellaneous

14.1. This DPA takes effect when the Client accepts the Terms (or signs this DPA) and remains in force for as long as Contwave processes Client Personal Data.

14.2. This DPA is governed by Romanian law; the competent court is the Tribunalul Argeș, consistent with the Terms.

14.3. This DPA is provided in English; a Romanian courtesy translation may be made available. In case of conflict, the English version prevails.

14.4. If any provision is unenforceable, the remainder stays in effect.


Annexes

Annex I — Parties

  • Controller / Client: [● Client legal name, registered office, registration number, contact person, contact email].
  • Processor: Plenvar Labs SRL (Contwave), Str. Anghelești nr. 5, Curtea de Argeș, Argeș County, Romania, Trade Register no. J2026042747008, CUI 55123337. Contact: privacy@contwave.com.

Annex II — Description of the processing

  • Subject matter: provision of the Contwave marketing-content platform (generation, scheduling, compliance pre-screening, distribution and analytics of marketing content) to the Client.
  • Duration: for the term of the Client's use of the Platform, until deletion/return under Clause 11.
  • Nature and purpose: hosting, storage, generation, transformation, scheduling, publishing (via partner access to the Client's own channels) and analytics, solely to deliver the service on the Client's instructions.
  • Types of personal data: business contact and identification data of the Client's leads, prospects and end customers as submitted or generated by the Client through the Platform (e.g. names, business contact details, and any personal data contained in content the Client provides). The Client shall not submit special-category data unless separately agreed.
  • Categories of data subjects: the Client's leads, prospects, customers and other individuals whose data the Client chooses to process through the Platform.
  • Frequency: continuous, for the duration of the service.

Annex III — Technical and organisational security measures (Article 32)

Indicative measures (to be confirmed against the actual implementation before signing):

  • Access control: role-based access, least-privilege, individual accounts, strong authentication for administrative access.
  • Encryption: in transit (TLS) and at rest for stored personal data, where supported by the infrastructure.
  • Tenant separation: logical separation of each Client's data in the multi-tenant environment.
  • Logging and monitoring: audit trail of relevant actions (consistent with Terms §6.6), security monitoring and alerting.
  • Confidentiality commitments for all personnel with access.
  • Backup and recovery procedures; resilience of hosting infrastructure.
  • Sub-processor due diligence and contractual flow-down.
  • Vulnerability management and timely patching.
  • Personal-data-breach detection and response procedures (Clause 10).

Annex IV — Sub-processors

Sub-processors engaged to provide the Platform (process Client Personal Data on Contwave's behalf). Each is engaged under a written contract with Article 28 flow-down and, where applicable, an appropriate international-transfer mechanism. No-training / data-use restrictions apply to AI sub-processors (Clause 4.3).

Sub-processor Role / processing DPA No-training basis Transfer / region
Supabase Hosting, database, authentication supabase.com/legal/dpa (sign via PandaDoc) n/a (infrastructure) Host in EU region (e.g. Frankfurt/Ireland); SCCs + TIA
Railway Back-end application hosting railway DPA (confirm current URL on their legal page) n/a (infrastructure) US-incorporated; deploy in EU region; SCCs
Vercel Front-end / dashboard hosting, serverless functions vercel.com/legal/dpa n/a (infrastructure) US-incorporated; DPF + SCCs; pin functions to EU region (fra1/dublin)
Anthropic Text/AI generation (API) incorporated into Commercial Terms (no separate signing) API inputs/outputs never used for training (contractual, by default) US; DPF / SCCs; 7-day default retention, ZDR on request
OpenAI Text/AI generation (API) execute via OpenAI DPA form API/business not used for training by default US; DPF / SCCs; 30-day default retention, ZDR on request; EU residency configurable
HeyGen Video / avatar generation heygen.com/data-processing-addendum enterprise excluded by default; non-enterprise must opt out of training US (AWS); DPF certified + SCCs
ElevenLabs Voice generation elevenlabs.io/dpa enterprise no-training by default; self-serve must turn OFF "Improve the models for everyone" US; SCCs; EU data residency (Enterprise); Zero Retention Mode optional
Resend Transactional / email delivery resend.com/legal/dpa (via dashboard) n/a (email delivery, no training) US; SCCs (2021/914) + UK addendum
[● Stripe — if/when enabled] Payment administration stripe.com/legal/dpa n/a US/EU; largely independent controller for payment data