Data Processing Agreement (DPA)

Effective date: 19th November 2025

This DPA forms part of the agreement between Aneo B.V. and the Customer for the use of Aneo products and services. It is incorporated into the Terms of Service and applies to aneo.io and all subdomains and aliases, for example app.aneo.io, api.aneo.io, docs.aneo.io, status.aneo.io, and any future subdomains under *.aneo.io.

Need a countersigned copy or custom terms? Email legal@aneo.io.

1. Parties and roles

  • Customer is the controller (or business under US state privacy laws) for Customer Personal Data.

  • Aneo B.V. is the processor (or service provider under US state privacy laws) for Customer Personal Data.
    Aneo is an independent controller for account administration data, billing, product security telemetry, and fraud prevention, as described in the Privacy Policy.

2. Definitions

  • Offerings: Aneo software products and services, including cloud apps, APIs, downloadable plugins if provided, and related support.

  • Customer Personal Data: personal data that Customer submits to or generates in the Offerings.

  • Applicable Data Protection Law: laws that apply to the processing of Customer Personal Data, including GDPR, UK GDPR, Swiss FADP, CCPA/CPRA and similar US state laws, LGPD, PDPA, and others as applicable.

  • Sub-processor: a third party engaged by Aneo to process Customer Personal Data.

  • SCCs: the EU Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914.

  • UK Addendum: UK International Data Transfer Addendum to the EU SCCs.

  • Zero-retention: an optional mode where certain AI prompts and outputs are not retained beyond transient processing.

3. Scope, nature, and purpose

Aneo processes Customer Personal Data only on Customer’s documented instructions and as necessary to provide, secure, and support the Offerings. Processing includes account setup, authentication, contract analysis, incident response workflows, framework and control selection, AI-assisted guidance, storage, backup, logging, monitoring, support, and billing.

Illustrative product purposes

  • Clause-Review: analyze uploaded legal documents, identify clauses and risks, create summaries and suggested edits.

  • Incident AI: create and triage tickets, suggest likely cause and next steps, summarize threads, draft root cause analyses.

  • Framework-Pro: run questionnaires to select a framework (ISO 27001 or NIST CSF), shortlist controls, generate policy drafts and scope documents.

4. Categories of data and data subjects

  • Data subjects: Customer employees, contractors, administrators, end users, and counterparties named in documents or tickets.

  • Categories: identification data, authentication data and tokens, role and permissions, usage logs and device data, content of uploaded documents and tickets, policy drafts, and AI outputs. Customer should avoid special category data unless there is a lawful basis and a written agreement. Payment card data should not be submitted.

5. Data regions and transfers

  • Primary region: core product processing is configured in EU regions. Aneo deploys on Google Cloud Platform (EU) and uses Supabase (EU) for the application database.

  • International transfers: if Customer Personal Data is transferred outside the EEA, UK, or Switzerland, Aneo will ensure a valid transfer mechanism. The SCCs and, where applicable, the UK Addendum and Swiss addendum apply as set out in Annex I.

6. Confidentiality

Aneo ensures persons authorized to process Customer Personal Data are under appropriate confidentiality obligations and receive security and privacy training.

7. Security

Aneo implements appropriate technical and organizational measures, including encryption in transit and at rest, access controls, MFA for admin access, least privilege, logging and monitoring, vulnerability management, secure development, incident response, and regular testing. See Security Overview and Annex II for details.

8. AI-specific safeguards

  • Guidance only: AI outputs are informational. They are not legal advice, security guarantees, or certification. Human review is required.

  • Model providers: Aneo may use vetted model providers to perform inference. Customer Personal Data is not used to train foundation models unless Customer opts in.

  • Zero-retention: on supported plans Customer may enable zero-retention for certain AI prompts and outputs. Logs and security telemetry may be retained for security and billing.

9. Sub-processors

  • Authorization: Customer authorizes Aneo to engage Sub-processors to support the Offerings.

  • List and notice: current Sub-processors and their purposes are listed at https://www.aneo.io/subprocessors/. Aneo provides at least 15 days' advance notice of changes by updating that page and notifying Customer admins by email.

  • Objection: Customer may object within the notice period. The parties will discuss in good faith. If unresolved, Customer may suspend the affected features or terminate the affected order for convenience with a prorated refund for unused fees.

  • Flow-down: Aneo contracts with Sub-processors under data protection terms no less protective than this DPA.

10. Assistance and data subject requests

Aneo provides reasonable assistance to help Customer respond to data subject requests, regulator inquiries, and privacy impact assessments related to the Offerings. Aneo will promptly notify Customer of requests received directly and will not respond except on Customer’s documented instructions, unless required by law.

11. Incident notification

Aneo will notify Customer without undue delay, and in any case within 72 hours of becoming aware of a personal data breach that affects Customer Personal Data. The notification will describe known details, likely consequences, remediation steps, and a contact point.

12. Audit and verification

Aneo makes available information to demonstrate compliance, including security and privacy documentation and third-party audit reports where available. On written request, and no more than once per 12 months, Customer or its independent auditor may conduct a reasonable audit, subject to confidentiality, with at least 30 days prior notice and without disrupting operations. Remote audits and report reviews will be used before any on-site visit.

13. Return and deletion

Upon termination or expiry of the Agreement, Customer can export Customer Personal Data using available tools. After termination Aneo will delete or de-identify Customer Personal Data within 30 days from active systems and within 90 days from backups, unless retention is required by law or for legal claims.

14. US state privacy laws

Where CPRA or similar US laws apply, Aneo acts as a service provider or processor. Aneo will not sell or share personal information, will not combine personal information except as permitted for service provider purposes, and will provide required assistance.

15. Government and third-party requests

Aneo will notify Customer of any binding request for disclosure of Customer Personal Data by a government or law enforcement authority unless legally prohibited. Aneo will challenge unlawful or overbroad requests to the extent reasonable.

16. Liability and precedence

The limitations and exclusions of liability in the Agreement apply to this DPA. If there is a conflict between this DPA and the Agreement, this DPA controls for processing of Customer Personal Data. If there is a conflict between this DPA and the SCCs, the SCCs control for transfers governed by the SCCs.

17. Changes

Aneo may update this DPA to reflect changes in law or product features. Material changes will be notified to Customer. Continued use after the effective date of an updated DPA constitutes acceptance.

18. Contact

For privacy and data protection matters, contact legal@aneo.io.

Annex I: International transfers

SCCs: the EU Standard Contractual Clauses (Module 2, Controller to Processor) are incorporated by reference. Execution of the Agreement is deemed execution of the SCCs.
UK Addendum: the UK International Data Transfer Addendum to the EU SCCs is incorporated for transfers subject to UK GDPR.
Swiss addendum: references to GDPR in the SCCs shall be read as references to the Swiss FADP where appropriate.

  • Exporter: Customer (controller). Address and contact as per order or account profile.

  • Importer: Aneo B.V., Thomas Morelaan 104, 2135 WC Hoofddorp, Netherlands. Contact: legal@aneo.io.

  • Description of transfer: categories of data subjects and data, frequency, nature, purpose, and retention as described in Sections 3, 4, and 13 of this DPA.

  • Sub-processors: listed at https://www.aneo.io/subprocessors/.

  • Technical and organizational measures: see Annex II.

Annex II: Security measures (summary)

Organization and governance: security policies, defined roles, confidentiality, and regular training.
Access control: unique IDs, strong authentication, MFA for admin access, least privilege, timely provisioning.
Data protection: encryption in transit and at rest, key management, logical isolation.
Application security: secure SDLC, code review, dependency scanning, secret management, vulnerability remediation SLAs, change control, periodic penetration testing.
Logging and monitoring: centralized logging of security events, alerting for anomalies, time synchronization.
Availability and resilience: redundant infrastructure, EU regions for core data, regular backups and restore tests, capacity monitoring, disaster recovery with defined RPO and RTO.
Incident response: documented plan, breach assessment and notification, post-incident review.
Vendor management: security review before onboarding, contractual protections, regular review.
Privacy by design: data minimization, pseudonymization where possible, configurable retention and region options, customer controls for access, export, and deletion.

Annex III: Stack and Sub-processors (informative)

Current providers are listed at https://www.aneo.io/subprocessors/ and include:

  • Google Cloud Platform (EU): hosting.

  • Supabase (EU): application database.

  • Firebase Authentication: authentication.

  • Google, Microsoft, and LinkedIn: OAuth identity providers.

  • OpenAI: model inference.

  • Hostinger: website hosting and DNS.

  • HubSpot: CRM.

  • Google Workspace: email and collaboration.

  • Google Analytics (GA4): analytics, subject to consent.