Security and GDPR readiness

GDPR Article 28

Data Processing Agreement

A Data Processing Agreement is available for business customers and prospects before customer personal data is uploaded or production access is enabled.

Last updated 20 February 2026

When it applies

When a business customer uses dotgrey AI to process personal data about leads, buyers, sellers, employees, suppliers, or other third parties, the customer is usually the controller and ULTIMATE KLOUD UNIPESSOAL LDA acts as processor for that customer data.

What the DPA covers

  • Documented customer instructions and processor role boundaries
  • Confidentiality obligations for personnel and authorized support access
  • Technical and organizational measures, including encryption, access control, audit logging, and backup controls
  • Subprocessor authorization, published subprocessor list, and material-change notices
  • Assistance with data subject requests, security incidents, DPIAs, and supervisory-authority communications where applicable
  • Return, deletion, anonymization, or retention of customer personal data after termination, subject to legal obligations

Technical measures summary

Encryption

TLS is required for data in transit. Supabase-managed database and storage encryption protect data at rest. Application secrets and integration credentials use dedicated encryption keys.

Access control

Supabase Auth, row-level security, role-based permissions, platform-admin scoping, optional two-factor authentication, and audit logs limit access to authorized users.

Data minimization

AI and automation flows are designed to send only the operational context needed for the requested task, with redaction, tokenization, or local/manual processing for sensitive document flows where appropriate.

Auditability

Privacy, consent, AI processing, GDPR request, security, and business action events are logged to support accountability and review.
