Data Processing Addendum (Base Form)

Last updated: May 8, 2026

This Data Processing Addendum (“DPA”) is Aurisgen’s base data-processing framework for business customers that purchase software, hosted services or remote services involving the processing of personal data on behalf of the customer. This page is provided for transparency and contracting efficiency. If Aurisgen and a customer execute an order, master agreement or other written contract that incorporates this DPA or references it, that written contract controls together with this DPA.

1. Roles

For personal data processed by Aurisgen on behalf of a business customer, the customer acts as the controller or business, and Aurisgen acts as the processor or service provider, except to the extent Aurisgen independently determines the purposes and means of processing for its own operational, legal, security, accounting or service-administration purposes.

2. Scope and duration

This DPA applies only to personal data processed by Aurisgen on behalf of the customer in connection with the contracted software, hosted services or remote services. It remains in effect for as long as Aurisgen processes such customer personal data under the applicable commercial relationship, unless replaced by a signed DPA or other written amendment.

3. Processing instructions

Aurisgen will process customer personal data only:

  • to provide, secure, support and maintain the contracted services;
  • on the customer’s documented instructions as reflected in the relevant agreement, order, support request, implementation scope or authorized written direction;
  • as necessary to prevent abuse, investigate incidents, preserve evidence, defend legal claims or comply with applicable law; and
  • as otherwise permitted for a processor or service provider under applicable data protection law.

If Aurisgen believes an instruction violates applicable law, it may inform the customer and may suspend the affected processing until the issue is clarified.

4. Nature of the processing

Processing may include collection, access, storage, organization, review, transmission, troubleshooting, hosting, support, deletion or other operations reasonably necessary to deliver the services. The categories of data subjects and personal data depend on the customer’s actual use of the services and the information the customer chooses to provide.

5. Confidentiality

Aurisgen will ensure that personnel authorized to process customer personal data are subject to confidentiality obligations or an appropriate statutory duty of confidentiality.

6. Security measures

Aurisgen will maintain reasonable administrative, technical and physical safeguards designed to protect customer personal data against unauthorized access, disclosure, alteration and destruction, taking into account the nature of the data, the risks presented by the processing and the nature of the services provided. These measures may include access controls, credential protections, logging, malware monitoring, backups, secure communications where appropriate and vendor review.

7. Subprocessors

Aurisgen may use subprocessors, hosting providers, infrastructure vendors, support tools, communication platforms, security tools or other service providers to support delivery of the services. Aurisgen remains responsible for the performance of its subprocessors to the extent required by applicable law and will require them to protect personal data through contractual or other appropriate obligations.

Customers may request information about material subprocessors reasonably relevant to the contracted service by contacting info@aurisgen.com.

8. Assistance to the customer

Taking into account the nature of the processing and the information available to Aurisgen, Aurisgen will provide reasonable assistance to the customer in responding to legally valid requests involving customer personal data, such as requests for access, deletion, correction or restriction, where the customer cannot reasonably fulfill the request without Aurisgen’s help. Aurisgen may charge reasonable fees for extraordinary or repetitive assistance where permitted by the commercial agreement or applicable law.

9. Security incidents

If Aurisgen becomes aware of a confirmed security incident affecting customer personal data processed on behalf of the customer, Aurisgen will notify the customer without undue delay after confirmation, taking into account the need to verify the incident, contain it and avoid compromising remediation or legal obligations. Aurisgen will provide information reasonably available at the time and may supplement it as investigation continues.

10. Deletion and return

Upon termination of the relevant services and upon written request, Aurisgen will delete or return customer personal data in its possession or control, unless retention is required by law, necessary to preserve security logs or backups for a limited period, or necessary to establish, exercise or defend legal claims. Backup copies may persist for a limited retention cycle before deletion through ordinary system processes.

11. Audits and information rights

Where required by applicable law, Aurisgen will make available information reasonably necessary to demonstrate compliance with this DPA. Any audit or inspection right must be exercised in a manner that is reasonable, proportionate, limited in scope, subject to confidentiality obligations, and not disruptive to Aurisgen or other customers. Aurisgen may satisfy audit requests through existing documentation, questionnaires, certifications, summaries or other reasonable alternative means where appropriate.

12. International processing

Aurisgen operates primarily from the United States and may process personal data in the United States and other jurisdictions where its providers operate. Customers are responsible for determining whether international transfers are permitted for their use case and for requesting any additional contractual mechanisms they require. Where necessary and appropriate, Aurisgen may discuss additional transfer terms in a separate written agreement.

13. U.S. state privacy concepts

To the extent applicable U.S. state privacy law uses terms such as service provider, contractor or processor, Aurisgen will process customer personal data on behalf of the customer for the limited and specified business purposes described in the parties’ agreement and this DPA, and will not retain, use or disclose such personal data outside that scope except as permitted by applicable law. Aurisgen does not acquire rights to sell customer personal data supplied for processing on the customer’s behalf merely by providing the contracted services.

14. Contact and execution

Business customers that need a signed DPA, customer-specific security addendum or procurement review may contact info@aurisgen.com. This page by itself is not a signature block, but it is intended to serve as Aurisgen’s base DPA form for incorporation into customer contracting.