Data Processing Agreement

Our DPA, in public

When you process other people's data through Norcube, you are the controller and we are the processor. This page sets out our processor obligations. It auto-applies when you subscribe, or we can countersign on request.

GDPR Article 28 · EU SCCs incorporated · EU-only data hosting · Free for all customers

Last updated: 2026-05-15

What this is: A binding agreement between you (the Controller, our customer) and us (the Processor, Jetlio, s.r.o. operating Norcube). It governs how we process personal data on your behalf. It auto-applies the moment you accept our Terms of Service — there is nothing to sign separately. We will also countersign a hard copy if your procurement team requires it. Email [email protected].

# Who is who

  • Controller — you (or your organization). You decide why and how personal data is processed
  • Processor — Norcube, operated by Jetlio, s.r.o., IČO 09967231, Voroněžská 2547/1, 616 00 Brno, Czech Republic, registered in the Commercial Register kept by the Regional Court in Brno, file C 121887. We process the data only on your instructions
  • Data subjects — your end users / customers / employees whose personal data flows through Norcube
  • Personal data — anything that identifies a living person, defined per Article 4 of GDPR

This DPA implements Article 28 of GDPR. Where Norcube processes data of EU residents, GDPR applies. Where data subjects are in other jurisdictions, equivalent local laws apply and the protections in this DPA still hold.

# What we process and why

We process personal data only on your documented instructions. Those instructions are:

  1. The terms of our Terms of Service and this DPA
  2. The product features you use (storing translations, running backups, classifying domains, etc.)
  3. Any specific written instructions you send us

The categories of personal data we process on your behalf depend on which product you use. Typically:

  • Identity — user IDs, email addresses, names (when you store them in our products)
  • Content — whatever you upload (translation strings, backup contents, domains, prompts)
  • Activity — when actions were taken in your account, by whom

We do not use the data for any purpose other than delivering the service. We do not use it for our own marketing, analytics, AI training, or sale.

# How long we keep it

For the duration of your subscription, plus a brief grace period afterwards:

  • Active data — stored as long as your account is active
  • After account deletion — deleted within 30 days, except where law requires longer retention (billing records: 10 years per Czech tax law)
  • Backups — encrypted infrastructure backups age out within 90 days

# Where we process it

Primary hosting: AWS Frankfurt (eu-central-1), EU.

Some subprocessors (notably OpenAI, Stripe, Mailgun) operate from the United States. Cross-border transfers are protected by:

  • EU-US Data Privacy Framework certification (where applicable)
  • Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) for any transfer not covered by an adequacy decision

The EU SCCs are incorporated into this DPA by reference as Module Two (Controller-to-Processor) for direct transfers to us, and as Module Three (Processor-to-Processor) for our onward transfers to subprocessors. A countersigned hard copy is available on request.

# Our security obligations

We maintain reasonable technical and organizational security measures to protect personal data, including:

  • Encryption at rest — AWS-managed AES-256 for all stored data
  • Encryption in transit — TLS 1.2+ for client connections; mutual TLS for inter-service communication
  • Access control — role-based access; only authorized staff can access production data; access is audit-logged
  • Network isolation — services run in private VPC subnets; ingress restricted via security groups
  • Secret management — secrets stored in AWS KMS / SSM Parameter Store; credentials encrypted with AES-256-GCM; API keys hashed with HMAC-SHA256
  • Logging and monitoring — security-relevant events are logged and retained for at least 1 year
  • Backups — automated, encrypted, periodically tested
  • Incident response — documented runbook; 72-hour notification commitment (see below)

Specifics evolve. The current state is documented on our security page and we will keep that page accurate.

# Subprocessors

We use a small number of third parties to deliver the service. The current list is on our subprocessors page. At the time of writing, it includes:

  • AWS — hosting (EU region)
  • Stripe — payment processing
  • OpenAI — AI features
  • Mailgun — transactional email
  • PostHog — EU-hosted product analytics

You grant general written authorization for us to use these subprocessors. Per Article 28(4) GDPR, we accept each subprocessor under their own published, GDPR-compliant Data Processing Agreement (we cannot meaningfully negotiate the DPA of a large cloud provider — we accept theirs as-is or we do not use them). We have reviewed each subprocessor's DPA to confirm that it meets the standards required by Article 28(3) — including the controller's audit rights, sub-processor change notifications, and breach reporting obligations — and that it imposes obligations on the subprocessor at least as protective of personal data as those we owe to you. Where a subprocessor's DPA is materially weaker than ours, we do not use that subprocessor.

We will:

  • Provide, on request, a copy of the published DPA we hold with each subprocessor (links on the subprocessors page)
  • Notify you in advance when we add or change a subprocessor (by updating the subprocessors page; we email enterprise customers with email-notification clauses)
  • Allow you a reasonable period to object on legitimate grounds. If we cannot resolve the objection, you may terminate the affected portion of the service
  • Remain liable to you under Article 28(4) GDPR for any failure by a subprocessor to comply with its data-protection obligations

# Confidentiality of our staff

Every staff member with access to personal data is bound by confidentiality obligations (in their employment contract or equivalent) that survive termination of their relationship with us.

# Helping you with data subject requests

If a data subject contacts you to exercise their rights (access, deletion, portability, etc.), we will help. Specifically:

  • We provide tools so you can serve most requests directly (account deletion, data export)
  • For requests we need to handle on our side (e.g., deletion across all backups), we will act within 14 days of your written instruction
  • We charge no fee for reasonable assistance; we may charge a reasonable fee for excessive or repetitive requests

# Helping you with security incidents

If we become aware of a personal data breach affecting your data:

  • We will notify you without undue delay, and in any event within 72 hours of becoming aware
  • The notification will describe the nature of the breach, categories and approximate numbers of data subjects and records affected, likely consequences, and measures taken or proposed
  • We will help you fulfill your own notification obligations to supervisory authorities and to data subjects

Notifications go to the security contact you designate. If none is designated, we email the account owner.

# Audit rights

You may audit our compliance with this DPA, subject to:

  • 30 days' notice in writing
  • Up to once per year unless triggered by a confirmed security incident
  • Conducted during normal business hours and in a way that does not disrupt our service
  • At your cost, except where the audit reveals material non-compliance (in which case we cover reasonable costs)
  • Auditors are bound by confidentiality and may not be our competitors

In place of an on-site audit, we will accept current SOC 2 / ISO 27001 reports from our subprocessors (and our own, when we have them) as fulfilling audit obligations.

# End of our processing

When this DPA terminates or you cancel your account:

  • You can export your data at any time before deletion
  • 30 days after termination, we delete or return all personal data, except where law requires retention
  • We confirm deletion in writing on request

# Liability

Each party's liability under this DPA is governed by the Terms of Service liability section. Nothing in this DPA limits liability that cannot be limited under applicable data-protection law (especially the joint-and-several liability framework of GDPR Article 82).

# Order of precedence

If anything in this DPA conflicts with:

  1. The Standard Contractual Clauses (where applicable to a cross-border transfer) — the SCCs win
  2. Mandatory data-protection law — the law wins
  3. The Terms of Service — this DPA wins for data-protection matters; the ToS wins for everything else

# Signing this

This DPA forms part of our contract with you. You accept it when you accept the Terms of Service. No separate signature is required.

If your procurement team requires a wet-signed or e-signed copy:

  • Email [email protected] with the request and your company details
  • We will return a countersigned PDF within 5 business days
  • We do not charge for this

Bespoke amendments to this DPA are available for enterprise customers; ask.

# Definitions

Where this DPA uses GDPR terms (Controller, Processor, Personal Data, Processing, Data Subject, Breach, Supervisory Authority), they have the meanings given in Article 4 of GDPR.
