Data Processing Agreement (DPA)
Annex to the service contract between Customer and pibiCo Compañía de Inteligencia de Negocio y Control SL for compliance with Regulation (EU) 2016/679 (GDPR).
1. Parties
- Data Controller ("Customer"): the entity or organization that has contracted the Service.
- Data Processor: pibiCo Compañía de Inteligencia de Negocio y Control SL, VAT ES B52567831, Avenida de La Costa 35-6T, 33201 Gijón, Asturias, Spain.
2. Subject matter
The Processor will process personal data on behalf of the Controller only to provide the contracted services (ScriptorIA) per documented instructions of the Controller.
3. Data processed
- Identity and contact data: email address and name (via pibiCo SSO)
- Organization/tenant and user role
- Templates and generated articles (DOCX, PDF, PPTX, XLSX, CSV, JSON)
- The Customer's ORIGINAL documents are NOT stored (connect-only model); only derived artifacts are cached
- Usage metadata and pibiCash credit consumption
- Audit records: actions, IP address and timestamp
4. Categories of data subjects
- Employees, collaborators and members of the Customer
- End-clients of the Customer whose data is managed within the Service
5. Processor obligations
The Processor undertakes to:
- Process data only per Controller's documented instructions
- Ensure that personnel authorized to process the data are bound by an obligation of confidentiality
- Apply appropriate technical and organizational measures (encryption at rest and in transit, access control, audit logs, backups)
- Assist the Controller in handling data subject rights
- Notify personal data breaches to the Controller without undue delay, and at most 72 hours after becoming aware of them
- Delete or return data at end of service
- Allow reasonable audits by the Controller or independent auditor
6. Sub-processors
The Processor uses the following sub-processors to provide the Service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Talk2Doc (pibiCo) | Document search and RAG retrieval over the connected libraries | Spain (EU), pibiCo infrastructure |
| api_chat / Ollama (pibiCo) | Text generation with locally hosted LLM models | Spain (EU), own servers |
| api_convert (pibiCo) | Conversion of documents to an indexable format | Spain (EU), own servers |
| api_auth (pibiCo) | Identity, SSO and credit billing | Spain (EU), pibiCo infrastructure |
| MinIO (pibiCo) | Storage of templates and derived artifacts | Spain (EU), own servers |
| Anthropic / OpenAI | LLM text generation (only if the User explicitly selects one of these providers) | USA, transfer under Standard Contractual Clauses |
Any addition or replacement of a sub-processor will be notified to the Controller 30 days in advance. The Controller may object on reasonable grounds within that period; otherwise the change is deemed accepted.
7. International transfers
Where sub-processors are located outside the EEA, transfers are made under Standard Contractual Clauses (SCC) approved by the European Commission or Adequacy Decisions.
8. Security measures
The Processor applies among others:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Passwordless authentication (email OTP) and optional TOTP second factor
- Role-based access control (RBAC)
- Immutable audit logs
- Encrypted backups with recovery plan
- Regular security testing and dependency review
9. Security breach
In case of breach affecting Controller's personal data, the Processor will notify the Controller without undue delay, within 72 hours of becoming aware, including:
- Nature of the breach
- Categories and approximate number of affected data subjects
- Measures taken or proposed
- Processor contact point to coordinate response
10. Audit rights
The Controller may request documentary evidence of compliance (audit reports, certifications, technical descriptions) up to once a year or after any relevant breach. On-site audits require prior agreement and are performed during business hours without interrupting the Service.
11. Term and termination
This DPA enters into force upon Service subscription and remains in force while the Customer maintains an active account. Upon termination, the Processor will delete or return personal data per Controller's documented instruction, except for legal retention obligation (billing data: 6 years).
12. Liability
Each party is liable for its own GDPR breaches. Processor liability is limited per the Service Terms.
Last updated: 2026-06-15 · Version 1.1.0