Data Processing Agreement
Pursuant to GDPR Article 28 — Version 1.0, effective May 24, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the Customer (data controller) and Horizon Consulting LLC, operator of Auralis AI ("Processor"). By using the Service to process personal data of third parties (e.g., LinkedIn leads), the Customer accepts this DPA.
1. Definitions
"Personal Data", "Processing", "Data Subject", "Controller", "Processor", and "Sub-processor" have the meanings set out in Regulation (EU) 2016/679 ("GDPR").
2. Subject Matter and Duration
The Processor processes Personal Data on behalf of the Customer for the purpose of providing the Auralis AI service (LinkedIn / X / Instagram outreach automation, AI-assisted messaging, lead management). Processing lasts for the duration of the Customer's subscription plus the retention periods set out in §6.
3. Nature, Purpose, Categories
- Nature: storage, transmission, AI processing, analytics, retrieval, deletion.
- Purpose: deliver the Service per the Customer's instructions.
- Categories of data subjects: the Customer's end users, leads, contacts.
- Categories of personal data: name, profile URL, headline, company, location, email (if provided), message content, voice samples (opt-in).
- Special categories (Art. 9): not knowingly processed. The Customer must not upload special-category data unless they have a valid legal basis.
4. Obligations of the Processor
The Processor shall:
- process Personal Data only on documented instructions of the Controller;
- ensure persons authorized to process are bound by confidentiality;
- implement appropriate technical and organizational measures (see §7);
- assist the Controller in fulfilling data-subject requests;
- assist the Controller with security, breach notifications, and DPIAs;
- at the Controller's choice, delete or return all Personal Data after the end of the provision of services;
- make available all information necessary to demonstrate compliance and allow audits (see §9).
5. Sub-processors
The Customer grants general authorization for the Processor to engage the sub-processors listed in the Privacy Policy §6 (Unipile, Anthropic, Resend, Fish Audio, Cloudflare, Hostinger, Stripe). The Processor will inform the Customer of any intended addition or replacement at least 30 days in advance; the Customer may object on reasonable grounds.
All sub-processors are bound by data-protection obligations substantially the same as those in this DPA. Non-EEA transfers rely on the EU Standard Contractual Clauses (2021/914/EU).
6. Retention and Deletion
- LinkedIn messages and conversations: 4 months, then automatically deleted.
- Account and lead data: for the duration of the Customer's active account.
- Upon account deletion: hard delete within 15 days.
- Backups: rotated within 30 days.
7. Security Measures (Art. 32)
- Encryption in transit (TLS 1.2+).
- Passwords hashed with bcrypt cost 12.
- HttpOnly, Secure, SameSite=Lax session cookies.
- Role-based access controls; admin actions logged.
- Isolated database network; restricted SSH access.
- Rate limiting on auth and write endpoints.
- Regular security updates of dependencies.
8. Personal Data Breach (Art. 33)
The Processor will notify the Controller without undue delay (and in any case within 48 hours) after becoming aware of a Personal Data Breach, providing the information needed for the Controller to comply with its own notification obligations.
9. Audits
The Controller may, no more than once per 12 months and with at least 30 days' written notice, request information necessary to demonstrate compliance. On-site audits are limited to material breach scenarios and conducted at the Controller's cost under strict confidentiality.
10. International Transfers
Where Personal Data is transferred outside the EEA to a country without an adequacy decision, the parties incorporate by reference the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module 3 (processor-to-processor) where applicable.
11. Liability and Governing Law
Liability under this DPA is subject to the limits set out in the Terms of Service. The DPA is governed by the law applicable to the Terms of Service.
12. Acceptance & Signed Copy
Use of the Service constitutes acceptance of this DPA. If your organization requires a counter-signed copy, send a request to privacy@auralis.digital specifying your legal entity name and address. We will return a signed PDF within 5 business days.