
Data Processing Agreement (DPA)

Effective date: 2026-05-15
Version: 1.0

Preamble

This Data Processing Agreement (the "DPA") is entered into pursuant to Article 28 GDPR between:

  • Controller: the Customer who subscribes to the Civora Service and installs the Civora bot on its Discord server(s);
  • Processor: Tibor Levente Székely, Hungarian sole trader (egyéni vállalkozó), registered seat: Domaháza utca 46., 1154 Budapest, Hungary; sole-trader registration number: 59845982; tax number: 90586961-1-42; EU VAT: HU90586961; VAT status: small-business VAT-exempt (alanyi adómentes, Áfa tv. Chapter XIII) ("Processor" or "Civora").

This DPA forms an integral part of the Civora Terms of Service and governs the parties' mutual GDPR obligations for the duration of the processing.

1. Definitions

Terms defined in Article 4 GDPR (personal data, processing, controller, processor, data subject, personal data breach, etc.) have the same meaning here.

2. Subject matter, nature, purpose (GDPR Art. 28(3))

  • Subject matter: Provision of the Civora Discord moderation SaaS to the Controller.
  • Nature: AI-driven automated message analysis, action execution (delete, mute, flag), audit logging.
  • Purpose: Moderation of the Controller's Discord community per the Controller's configured policies.
  • Duration: The term of the ToS contract, plus the post-termination deletion/return period.
  • Categories of data subjects: Members of the Controller's Discord server (End Users); some moderators.
  • Categories of personal data: Discord display name and handle; Discord user ID; role memberships; message content and metadata (timestamp, channel); moderation action logs.
  • Special categories: Civora does not intend to process special category data (Art. 9). Where End Users post such content ad hoc, the Controller remains responsible for avoiding targeted ingestion.

3. Processor's obligations (GDPR Art. 28(3))

3.1. Documented instructions. Civora processes personal data only on the Controller's documented instructions, including for transfers to third countries, unless required by EU or Member State law to which Civora is subject; in such case Civora informs the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. This DPA, the ToS, and the Controller's configuration in the dashboard constitute documented instructions.

3.2. Confidentiality. Civora ensures that persons authorised to process personal data are bound by confidentiality obligations.

3.3. Security (GDPR Art. 32). Civora implements technical and organisational measures appropriate to the risk, as set out in Annex II.

3.4. Sub-processors (GDPR Art. 28(2) and (4))

  • The Controller grants general written authorisation for the sub-processors listed in Annex I.
  • Civora notifies the Controller at least 30 days in advance of any intended addition or replacement (via dashboard or email).
  • The Controller may reasonably object on data-protection grounds. If no agreement is reached, the Controller may terminate the affected part of the contract for cause.
  • Civora imposes the same data-protection obligations on sub-processors by written contract and remains fully liable for their performance.

3.5. Assistance with data subject rights (Art. 28(3)(e)). Taking into account the nature of processing, Civora assists the Controller by appropriate technical and organisational measures (data export and deletion in the dashboard) in responding to Art. 15–22 requests.

3.6. Assistance with security, DPIA, prior consultation (Art. 28(3)(f)). Civora assists the Controller in meeting Art. 32–36 obligations, taking into account the nature of processing and the information available to Civora.

3.7. Deletion or return. At the end of the services, Civora — at the Controller's choice — deletes or returns the personal data and deletes existing copies, unless EU or Member State law requires storage. Default deadline: 30 days from termination.

3.8. Audit (Art. 28(3)(h)). Civora makes available to the Controller all information necessary to demonstrate compliance with Art. 28, and contributes to audits/inspections by the Controller (or a third-party auditor mandated by the Controller). Civora primarily relies on up-to-date independent certifications and audit reports (e.g. ISO 27001, SOC 2). On-site audits may take place at most once per year, with at least 30 days' written notice, during business hours, respecting operational continuity and the confidentiality of other customers. Civora immediately informs the Controller if, in its opinion, an instruction infringes the GDPR.

4. Personal data breach

4.1. GDPR Art. 33(2) requires processors to notify "without undue delay." This DPA tightens that: Civora notifies the Controller within 24 hours of becoming aware of a breach, at hello@civora.hu and via the dashboard.

4.2. Notification includes at minimum the information set out in Art. 33(3): nature of the breach, approximate number of data subjects and records concerned, likely consequences, measures taken or proposed, and a contact point.

4.3. Notification to the supervisory authority (Art. 33) and to data subjects (Art. 34) is the Controller's responsibility; Civora provides reasonable assistance.

5. International transfers

Civora stores and processes personal data primarily within the EU (OVH, Gravelines). Where a non-EU sub-processor is engaged (currently Stripe Payments Europe Ltd. transferring to Stripe, Inc., USA), the parties rely on:

  • Commission Implementing Decision (EU) 2023/1795 (EU–US Data Privacy Framework), where the recipient is certified; or
  • Commission Standard Contractual Clauses approved by Implementing Decision (EU) 2021/914: Module 2 (controller-to-processor) between Controller and Civora and Module 3 (processor-to-processor) for the sub-processor chain — incorporated by reference. Annex I and Annex II of this DPA fill in the corresponding SCC annexes.

6. Liability and indemnification

The parties are liable under GDPR Art. 82. Otherwise the liability limitations in clause 10 of the ToS apply, save where they conflict with mandatory law (in particular GDPR and Ptk. § 6:152).

7. Governing law and disputes

Governing law: Hungarian law (without prejudice to the direct applicability of the GDPR). Dispute resolution per clause 14 of the ToS.

8. Term and termination

This DPA enters into force with the underlying ToS contract and remains effective until its termination. Retention, deletion and confidentiality obligations survive termination.

9. Signatures

Acceptance of this DPA may validly take place via express electronic signature in the Civora dashboard ("I accept the DPA" click-through), per Ptk. § 6:7.

Controller (Customer)

Név / Name: ____________________
Pozíció / Title: ____________________
Dátum / Date: ____________________
Aláírás / Signed: ____________________

Processor (Civora)

Name: Tibor Levente Székely
Capacity: Sole trader (HU reg. no.: 59845982)
Date: 2026-05-15
Signed: ____________________

ANNEX I — Sub-processors

Sub-processor | Location | Processing activity
OVH SAS | France (EU) | Hosting, compute and network infrastructure (Gravelines DC)
Third-party AI inference provider | EU or covered by EU adequacy | AI analysis of messages
Stripe Payments Europe Ltd. | Ireland (EU) | Payment processing
Stripe, Inc. | USA | Intra-group support (under DPF / SCCs)
Transactional email provider | EU | Sending transactional emails

The up-to-date list is published by Civora in the dashboard and/or on its public website.

ANNEX II — Technical and organisational measures (GDPR Art. 32)

Encryption

  • Data in transit: TLS 1.2+ for all external communication; mTLS between internal services.
  • Data at rest: AES-256 for stored data; secrets stored in an HSM or equivalent secrets manager.

Access control

  • Role-based access control (RBAC), least-privilege principle;
  • Multi-factor authentication (MFA) for all internal operator access;
  • Logged quarterly access reviews.

Logging and monitoring

  • Centralised audit log capturing accesses and changes;
  • Anomaly detection and alerting.

System integrity

  • Vendor security patches applied within risk-appropriate windows;
  • Configuration management as infrastructure-as-code with code review;
  • Business continuity: regular encrypted backups with restore testing.

Organisational measures

  • Confidentiality undertaking signed by all employees;
  • Mandatory data-protection and security training on onboarding and annually;
  • Incident response plan (IRP) with tabletop exercises;
  • Vendor risk management.

Testing and evaluation (GDPR Art. 32(1)(d))

  • At least one independent penetration test per year;
  • Continuous vulnerability scanning;
  • Annual internal compliance review.