Data Processing Agreement v1.0 — Effective date: November 19, 2023 · Last updated: 2026-05-08 — Machine-readable: oracron.json

Data Processing Agreement

Between Global Link Ventures LLC dba Oracron ("Processor") and the Customer identified below ("Controller")

Version: 1.0 Effective date: November 19, 2023 Last updated: 2026-05-08 Framework: GDPR Article 28 Policy version: v1.0.0

1. Parties and Context

This Data Processing Agreement ("DPA") is entered into between Global Link Ventures LLC, a Wyoming limited liability company operating under the trade name Oracron, with registered address in the State of Wyoming, United States ("Processor"), and the legal entity identified in the signature block below ("Controller").

This DPA supplements the Oracron Terms of Service and governs the processing of personal data by the Processor on behalf of the Controller in connection with the Oracron platform — an AI-powered freight invoice audit and logistics management service.

2. Subject Matter and Nature of Processing

The Processor provides the following services involving personal data:

Personal data processed may include: names of senders/consignees, addresses (commercial and potentially residential), contact persons, driver or courier identifiers appearing on invoices, and user account credentials of the Controller's employees who access the platform.

3. Duration

This DPA is effective from the Controller's account creation date and remains in force for the duration of the service agreement. Upon termination, the Processor retains Customer Data for an export window of up to 90 days, after which it is permanently deleted from production systems; backup copies are purged within a further 30 days, unless longer retention is required by law.

4. Instructions and Purpose Limitation

The Processor processes personal data solely on the documented instructions of the Controller, for the purpose of providing the Oracron platform services. The Processor shall not process personal data for any other purpose, including but not limited to: training AI models, resale to third parties, advertising, or profiling unrelated to freight audit.

No AI training: Personal data and invoice content processed via the Anthropic Claude API is never used to train machine learning models — by Oracron or Anthropic. This is contractually guaranteed by Anthropic's commercial API terms.

5. Confidentiality

The Processor ensures that persons authorised to process personal data are bound by confidentiality obligations. Access to personal data is restricted on a need-to-know basis, enforced by Row-Level Security (RLS) policies at the database level. Oracron employees and contractors are subject to confidentiality agreements.

6. Security Measures (Article 32 GDPR)

Measure Implementation Status
Encryption at rest AES-256 (Supabase managed) ✓ Active
Encryption in transit TLS 1.3 enforced ✓ Active
Access control Row-Level Security (RLS) per organisation; RBAC (member / admin / superadmin) ✓ Active
Authentication OTP + password; business email enforcement ✓ Active
Audit logging Per-call AI audit log (ai_audit_log); SHA-256 hash of request/response ✓ Active
Tenant isolation Every query scoped by organization_id; no cross-tenant data access ✓ Active
Backup Continuous Supabase managed backups; point-in-time recovery available ✓ Active
Penetration testing Annual (roadmap — target: 2026 Q4) Planned
SOC 2 Type I Roadmap — target: 2027 Q1 Planned

7. Sub-processors

The Controller grants general authorisation to use the sub-processors listed below. The Processor will notify the Controller at least 30 days before adding or replacing a sub-processor, as specified in the Terms of Service §7.7.

Sub-processor Purpose Data location Retention
Supabase Inc.
supabase.com
Database, file storage, edge functions, authentication EU (eu-central-1, Frankfurt) or US — per customer region Duration of contract + up to 90-day export window post-termination, then permanently deleted; backups purged within a further 30 days
Anthropic PBC
anthropic.com
AI inference — invoice text extraction, enrichment, dispute letter generation US (inference only); EU SCCs in place Up to 30 days (abuse monitoring); then auto-deleted. No training use.
OpenAI, L.L.C.
openai.com
AI inference — semantic embeddings for fee-code and shipment-reference matching US (inference only); EU SCCs in place Up to 30 days (abuse monitoring); then auto-deleted. No training use.
Resend Inc.
resend.com
Transactional email delivery (upload confirmations, invoices, auth emails) US; EU SCCs in place 30 days log retention
Cloudflare Inc.
cloudflare.com
CDN, DNS, DDoS protection, static asset delivery Global edge (no personal data stored) Transient only

8. International Transfers

Invoice data and personal data are stored in the customer's selected region — the EU (eu-central-1, Frankfurt, Germany) or the US — chosen at onboarding. AI inference via Anthropic (Claude API) and OpenAI (Embeddings API) involves transfer to the United States; these transfers are governed by Standard Contractual Clauses (SCCs — EU Commission Decision 2021/914) and each provider's commercial DPA, supplemented by EU–US Data Privacy Framework certification where the provider is certified. Anthropic's and OpenAI's SOC 2 Type II certifications are available on request.

Transactional email via Resend and CDN services via Cloudflare involve US transfers governed by SCCs. No personal data is stored on CDN edge nodes.

9. Data Subject Rights

The Processor will assist the Controller in responding to data subject requests within the timeframes required by GDPR. Specifically:

10. Breach Notification

In the event of a personal data breach (as defined in GDPR Article 4(12)), the Processor will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach, at the email address registered on the Controller's account. The notification will include, to the extent known: the nature of the breach, categories and approximate number of data subjects concerned, likely consequences, and measures taken or proposed.

The Processor maintains an incident response procedure. Security incidents should be reported to security@oracron.app.

11. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA upon 30 days' written notice. The Processor may satisfy audit requests by providing: (a) current third-party security certifications or audit reports (SOC 2, ISO 27001 when available); (b) answers to a reasonable security questionnaire; or (c) for Enterprise customers, on-site or virtual audit by the Controller's designated representative.

The Controller's AI audit log (Settings → Privacy) provides a per-call record of all AI processing performed on their behalf, exportable as CSV at any time without notice.

12. Deletion and Return of Data

Upon termination of the service agreement, the Processor will: (a) retain Customer Data for an export window of up to 90 days following termination, after which it is permanently deleted from production systems; (b) purge all backup copies within a further 30 days; (c) provide written confirmation of deletion upon request. The Controller may request a full data export at any time before or during the 90-day export window at no additional cost.

13. Governing Law and Jurisdiction

This DPA is governed by the laws of the State of Wyoming, United States; provided that, where the GDPR applies, its mandatory provisions and the data-protection law of the Controller's EU/EEA member state of establishment prevail to the extent of any conflict. Disputes shall be resolved in accordance with the jurisdiction clause in the Oracron Terms of Service. This DPA shall in all cases be interpreted consistently with the GDPR.

14. Order of Precedence

In the event of a conflict between this DPA and the Terms of Service, this DPA takes precedence with respect to data processing matters. The Standard Contractual Clauses, where applicable, take precedence over this DPA.

Annex I — Description of Processing Activities

Field Details
Categories of data subjects Controller's employees; senders/consignees named on freight invoices (may be individuals or businesses)
Categories of personal data Names, business addresses, potentially residential addresses of consignees, contact persons, user account data (email, role)
Special categories None processed
Frequency of processing Continuous — triggered by invoice upload events and user actions
Nature of processing Collection, structuring, storage, retrieval, use (AI analysis), disclosure (to Controller's users only), erasure
Purpose of processing Freight invoice audit — extraction, rate validation, dispute generation, compliance reporting
Retention period Duration of contract plus a 90-day export window, then permanently deleted; backups purged within a further 30 days. AI audit log: 365 days (configurable by org admin)
Transfers to third countries Anthropic (US, inference only, SCCs); OpenAI (US, embeddings only, SCCs); Resend (US, email, SCCs)

Annex II — Technical and Organisational Measures

See Section 6 of this DPA. The complete security posture is published at oracron.app/security.html. The AI data governance policy is published at oracron.app/data-governance.html.

Processor

Global Link Ventures LLC dba Oracron
Wyoming, USA
privacy@oracron.app

Authorised signature & date

Name & title

Controller

Company name: ___________________
Address: ___________________
Contact email: ___________________

Authorised signature & date

Name & title

DPA v1.0 — Oracron — global link ventures LLC — privacy@oracron.app — oracron.app/dpa.html