
Data Processing Addendum

Version: 1.1 / March 2026

This Data Processing Addendum ("DPA") is incorporated into and forms part of the Master Service Agreement or Terms of Service ("Agreement") between Michał Majka Neurogrine, established in Poland ("Processor"), and the entity purchasing the Services ("Controller").

1. Scope and Nature of Processing

1.1 Limited Scope: The parties acknowledge and agree that the Conscriba Service is designed to provide infrastructure for AI Agents (WebMCP) and to analyze non-human (machine) traffic.

1.2 No End-Customer Data: The Processor does not process personal data of the Controller's end-customers. Any IP addresses or technical identifiers used for bot/human classification are immediately anonymized or hashed.

1.3 Authorized Personnel: This DPA applies exclusively to the personal data of the Controller's employees, contractors, or authorized representatives ("Authorized Personnel") necessary to manage the account and utilize the Services.

2. Compliance (Art. 28 GDPR)

The parties agree to comply with:

  • EU/EEA: Regulation (EU) 2016/679 (GDPR).
  • United Kingdom: UK Data Protection Act 2018 and UK GDPR.
  • USA: California Consumer Privacy Act (CCPA/CPRA) and other applicable state privacy laws.

3. Data Processing Terms

The Processor shall:

  • Instructions: Process personal data only on documented instructions from the Controller.
  • Confidentiality: Ensure that all persons authorized to process the personal data have committed themselves to confidentiality.
  • Security: Implement technical and organizational measures (TOMs) as specified in Appendix B.
  • Assistance: Assist the Controller in responding to data subjects' rights requests and compliance obligations under Art. 32-36 GDPR.
  • Audit Rights: Provide information necessary to demonstrate compliance and allow for reasonable audits or inspections.

4. International Data Transfers

  • EEA Transfers: As the Processor is based in Poland, transfers within the EEA are governed by Art. 28 GDPR.
  • Third Countries: For onward transfers to sub-processors outside the EEA (e.g., USA), the Processor utilizes Standard Contractual Clauses (SCCs) or relies on the EU-U.S. Data Privacy Framework.
  • UK Addendum: For UK-based Controllers, the International Data Transfer Addendum to the EU Commission SCCs is hereby incorporated by reference.

5. Sub-processors

The Controller grants a general written authorization for the engagement of sub-processors. The current list is provided below and at conscriba.com/subprocessors.

| Entity Name | Location | Purpose of Processing | Transfer Mechanism |
|---|---|---|---|
| Creem (Creem OÜ) | Estonia (EU) | Merchant of Record, billing, and tax compliance. | GDPR Compliance |
| Amazon Web Services (AWS) | Germany / USA | Cloud infrastructure and data hosting. | SCCs / DPF |
| Google Cloud Platform | Belgium / USA | Backup storage and failover infrastructure. | SCCs / DPF |
| PostHog, Inc. | USA / EU | Product analytics (internal use on Conscriba.com). | SCCs |
| SendGrid (Twilio) | USA | Transactional emails (e.g., password resets). | SCCs |
| Plausible Insights | Estonia (EU) | Privacy-friendly website analytics. | GDPR Compliance |

6. Data Retention and Deletion

Upon termination of the Services, the Processor shall, at the choice of the Controller, delete or return all personal data of Authorized Personnel, unless applicable law (e.g., Polish tax law regarding billing records) requires further storage.

Appendix A: Details of Processing

  • Subject Matter: Provision of WebMCP infrastructure and management of the Conscriba Platform account.
  • Nature and Purpose: To enable the Controller's team to configure AI Agent interfaces, manage subscriptions, and access technical support.
  • Categories of Data Subjects: Authorized Personnel of the Controller (employees, contractors, administrators). End-customers of the Controller are explicitly excluded.
  • Type of Personal Data: Names, professional email addresses, account login credentials, technical logs of actions taken within the dashboard, and billing contact details.

Appendix B: Technical and Organizational Measures (TOMs)

1. Confidentiality (Art. 32(1)(b) GDPR)

  • Physical Access: Data is hosted in ISO 27001 certified data centers (AWS/Google) with 24/7 security.
  • System Access: Access to systems is protected by strong password policies and Multi-Factor Authentication (MFA).
  • Data Access: Internal access is restricted based on the Principle of Least Privilege.

2. Integrity (Art. 32(1)(b) GDPR)

  • Encryption: All data in transit is encrypted via TLS 1.3.
  • Logging: All modifications to personal data are logged in an audit trail.

3. Availability and Resilience (Art. 32(1)(b) and (c) GDPR)

  • Backups: Automated daily backups are stored in geographically redundant locations within the EEA.
  • DDoS Protection: Usage of advanced filtering (AWS Shield) to ensure service uptime.

4. Testing and Evaluation (Art. 32(1)(d) GDPR)

  • Vulnerability Management: Regular automated infrastructure scanning.
  • Breach Notification: A formal process is in place to notify the Controller of any data breach within 72 hours of discovery.

© 2026 Conscriba.com. All rights reserved. Payments and invoicing are processed by Creem (Estonia), our authorized Merchant of Record. By using this site, you agree to our Terms and Conditions and Privacy Policy. Conscriba collects anonymized AI Agent interaction metadata for analytical and Business Intelligence purposes.

support@conscriba.com