Data Processing Agreement
Summary of how Aura processes customer data under GDPR, including data categories, retention, sub-processors, and security measures.
This page summarises the key terms of our Data Processing Agreement. Full DPAs are provided to all customers on Growth and Enterprise plans and are typically executed within 5 business days of request. To request a copy, contact hello@trackvision.app.
Parties
- Data Controller: The customer (your organisation)
- Data Processor: Trackvision AI Ltd, registered in England and Wales (Company No. 15051218)
Data categories processed
| Category | Examples |
|---|---|
| Product data | SKUs, descriptions, composition, materials, environmental impact |
| Supplier data | Company names, contact details, certifications, compliance documents |
| User data | Names, email addresses, roles (platform users only) |
| Scan analytics | QR code scan events, geolocation (country-level), device type |
Purpose limitation
Data is processed solely for the purpose of providing the Aura platform and enabling DPP compliance. Customer data is never used for marketing, profiling, or AI model training.
Data retention
- DPP compliance data: Retained for a minimum of 10 years, aligned with ESPR retention requirements
- User account data: Retained for the duration of the subscription, deleted within 30 days of account closure
- Scan analytics: Retained for the duration of the subscription
Sub-processors
Aura uses the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Infrastructure, compute, storage, encryption | EU (Frankfurt, eu-west3) or US, depending on plan |
| Anthropic | AI document extraction and research (zero-retention API) | US |
| Google (Vertex AI) | AI document extraction and research (zero-retention API) | EU |
| Netlify | Static website hosting for DPP pages | Global CDN |
All sub-processors operate under data processing agreements with zero-retention policies where applicable. No sub-processor retains or trains on customer data.
Customers are notified at least 30 days before any new sub-processor is added. If a customer objects to a new sub-processor, they may terminate the affected service without penalty.
Security measures
- AES-256 encryption at rest with per-tenant keys (Google Cloud KMS)
- TLS 1.2+ encryption in transit for all connections
- Dedicated, isolated infrastructure per customer (no shared databases)
- Role-based access control and audit logging
- Monthly third-party penetration testing
- Automated backups with cross-region replication
Data subject rights
Trackvision AI supports customers in fulfilling data subject requests under GDPR, including:
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to data portability (Article 20)
Requests are acknowledged within 48 hours and processed within 30 days.
International transfers
Where data is processed outside the EU/EEA, transfers are governed by Standard Contractual Clauses (SCCs) as approved by the European Commission. EU data residency (Frankfurt, eu-west3) is available on Enterprise plans.
Breach notification
In the event of a personal data breach, Trackvision AI will notify the customer without undue delay and no later than 72 hours after becoming aware of the breach, in accordance with GDPR Article 33.
Contact
For DPA requests, data protection enquiries, or to exercise data subject rights:
Email: hello@trackvision.app
Data Controller contact: Trackvision AI Ltd 319 Watford Road, St Albans, AL2 3DA United Kingdom