Iusora
MethodologySubprocessors
Sign in

<!-- ref: /tmp/iusora-seam-map.md §3 Phase 2 step 2.2 (legal pack DPA) + dispatch §3 (SCC clauses + subprocessor list + request signature placeholder). -->

Data Processing Agreement (DPA) — Iusora

Status: Pre-launch template. Last updated 2026-05-29. A signed bilateral copy can be requested from legal@iusora.com.

This page is a publicly-equivalent DPA position for Tier I (Self-Serve) customers, plus a downloadable template for Team+ customers who need a signed copy.

[LAWYER_REVIEW_REQUIRED — every numbered section below must be vetted by counsel before this DPA can be marketed as legally-binding. Current text is a structured placeholder following the 2021/914/EU SCC Module 2 skeleton.]

1. Parties

  • Controller: the entity entering into the Iusora subscription (you).
  • Processor: Floor No. 8 SRL, Romanian limited liability company, registered office București, Sector 1, EU.

2. Scope, nature, and purpose of processing

The processor processes personal data on behalf of the controller solely for the purpose of providing the Iusora service per the Terms of Service [/legal/terms](/legal/terms). Categories of data, data subjects, and processing operations are described in Annex I (see Privacy Policy [/legal/privacy](/legal/privacy)).

3. Duration

This DPA remains in force for as long as the controller maintains an active Iusora subscription, plus the retention window in §11 of [/legal/privacy](/legal/privacy).

4. Subprocessor list and obligations

The processor uses the subprocessors listed at [/subprocessors](/subprocessors) and at [/legal/subprocessors](/legal/subprocessors). The processor agrees to:

  • maintain an up-to-date subprocessor register;
  • notify the controller of any addition or replacement with at least 30 days' notice;
  • impose substantially equivalent data protection obligations on subprocessors via written contract;
  • remain liable for subprocessor performance of GDPR obligations.

5. EU Standard Contractual Clauses Module 2

[LAWYER_REVIEW_REQUIRED — SCC Module 2 (2021/914/EU) is incorporated by reference. The verbatim SCC text + the parties' completion of Annex I, II, III must be vetted by counsel and attached as a signed appendix before this DPA is legally binding for any Annex III scenarios.]

For data transfers from the processor to subprocessors outside the EEA (today: Anthropic in the US — see [/legal/privacy](/legal/privacy) §8), the parties incorporate the EU Standard Contractual Clauses Module 2 by reference. The controller agrees to be a signatory to the Module 2 transfer through its acceptance of this DPA.

6. Audit rights

The controller may, on 30 days' written notice and no more than once per calendar year (more frequently in the case of documented breach), audit the processor's compliance with this DPA. The processor will reasonably cooperate with audits conducted by the controller's nominated auditor at the controller's expense. Audits may not extend to other customers' data.

7. Breach notification SLA

The processor will notify the controller of a personal data breach affecting the controller's data within 72 hours of becoming aware, by email to the designated controller contact. The notification will include: nature of the breach, categories + approximate number of data subjects, likely consequences, and mitigation measures taken or proposed.

8. Return or deletion on termination

On termination of the Iusora subscription, the controller may within 30 days request: (a) a full export of all controller data in machine-readable format, or (b) verified deletion. Absent a written request, the processor will delete the controller's data within 60 days post-termination, excluding billing records retained for tax obligations per [/legal/privacy](/legal/privacy) §11.

9. Liability allocation

[LAWYER_REVIEW_REQUIRED — liability apportionment between processor and controller under SCC Module 2 + Romanian Civil Code must be vetted by counsel.]

Each party is liable for damages caused by its own breach of GDPR obligations. The processor's aggregate liability under this DPA is capped at 12 months of fees paid under the corresponding subscription. This cap does not apply to grossly negligent or intentional violations, or where capping is prohibited by Romanian law.

10. Request a signed copy

To request a bilateral, signed DPA email legal@iusora.com with:

1. Your firm's legal entity name + registered address. 2. The Iusora plan tier you operate. 3. Any specific clauses (e.g. NDA carve-outs, audit windows, deletion timelines) that need negotiation.

We return a signed DPA within 5 business days for standard requests. Bespoke clauses may take longer.

11. Click-to-sign workflow (Phase 2)

A button below will, in a follow-on release, launch a DocuSign-mediated signature flow. Until that ships, please use the email channel above.

<button type="button" disabled aria-disabled="true" style="opacity: 0.5; cursor: not-allowed;"> Request DPA signature (Phase 2 — email legal@iusora.com today) </button>

---

Phase 2 commitment: this page will host a downloadable PDF DPA template + a "Click to sign" workflow via DocuSign integration. Until then, email is the canonical channel.