Data Processing Agreement (DPA)
Last updated: 15 March 2026
Effective date: 15 March 2026
Parties
Data Controller: The customer (“Customer”) who has accepted the Soragai Terms of Service.
Data Processor: Soragai (“Processor”), sorag.ai. Full legal entity details are available upon request at hello@sorag.ai.
1. Purpose and Scope
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Soragai and the Customer and applies where the Customer uses the Service in the context of a business or professional activity and where Soragai processes personal data on behalf of the Customer as a data processor under GDPR.
This DPA applies to the processing of personal data that the Customer submits to the Service, including personal data contained in prompts, reference images, or other Input submitted to generate content.
2. Definitions
Terms used in this DPA have the meanings given to them in the GDPR (Regulation (EU) 2016/679).
- “Personal Data” means any information relating to an identified or identifiable natural person included in Customer’s Input or otherwise submitted to the Service.
- “Processing” has the meaning set out in the GDPR.
- “Sub-processor” means any third party engaged by Soragai to process Personal Data on behalf of the Customer.
3. Roles
For the purposes of this DPA:
- The Customer is the Data Controller of any personal data contained in Input submitted to the Service.
- Soragai is the Data Processor, processing such data on behalf of the Customer solely to provide the Service.
Where Soragai processes data for its own legitimate purposes (e.g. account data, billing records, server logs), Soragai acts as an independent Data Controller and the Customer’s DPA does not apply.
4. Processing Instructions
Soragai shall process Personal Data only in accordance with the Customer’s documented instructions, which are set out in the Terms of Service and this DPA. The primary instruction is: process Personal Data to the extent necessary to generate the requested AI video and image outputs and to store and deliver those outputs to the Customer.
If Soragai is required by EU or Member State law to process Personal Data otherwise than in accordance with these instructions, Soragai shall inform the Customer before processing, unless prohibited by law.
5. Confidentiality
Soragai ensures that all personnel authorised to process Personal Data are bound by appropriate confidentiality obligations.
6. Security
Soragai implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encryption in transit (TLS/HTTPS)
- Passwords hashed with bcrypt
- Database access restricted to private network (Tailscale)
- API credentials stored in HashiCorp Vault
- Access tokens with short expiry
- Regular security reviews
7. Sub-processors
The Customer grants Soragai general authorisation to engage the following sub-processors to process Personal Data for the purposes set out in this DPA:
| Sub-processor | Role | Location |
|---|---|---|
| Hetzner Online GmbH | Server infrastructure | Germany, EU |
| Stripe Inc. | Payment processing | USA |
| Brevo (Sendinblue) | Transactional email | EU |
| PiAPI | AI generation pipeline | USA |
| Kuaishou Technology | Kling AI model provider | China |
| ByteDance Ltd. | Seedance model provider | China |
| OpenAI, Inc. | Sora 2 model provider | USA |
| Google LLC | Nano Banana Pro model provider | USA |
| Plausible Analytics | Cookieless analytics | EU |
Soragai shall notify the Customer of any intended addition or replacement of sub-processors by updating this DPA and providing at least 14 days’ notice. The Customer may object to a change by notifying Soragai within that period. If no resolution is reached, either party may terminate the relevant services upon reasonable notice.
Soragai imposes data protection obligations on sub-processors by contract equivalent to those in this DPA.
International Transfers
Several sub-processors are located outside the EU/EEA. Soragai relies on the following transfer mechanisms:
- USA (Stripe, OpenAI, Google, PiAPI): Standard Contractual Clauses (SCCs) pursuant to Commission Implementing Decision (EU) 2021/914.
- China (Kuaishou, ByteDance): Transfer is necessary for performance of the contract (Art. 49(1)(b) GDPR). The Customer acknowledges that China does not benefit from an EU adequacy decision and that these transfers carry inherent data protection risks. The Customer accepts these risks by selecting Kling or Seedance as generation models.
8. Data Subject Rights
Soragai shall assist the Customer in responding to requests from data subjects exercising their rights under GDPR, to the extent technically feasible. The Customer shall be responsible for managing data subject requests relating to data for which it is Controller.
9. Data Breach Notification
Soragai shall notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Personal Data processed under this DPA. The notification shall include the information required by Article 33(3) GDPR to the extent available.
10. Deletion and Return of Data
Upon termination of the Terms of Service or upon the Customer’s request, Soragai shall delete or return all Personal Data processed under this DPA, and delete existing copies, unless storage is required by applicable EU or Member State law.
Account data is deleted within 30 days of a deletion request. Billing records are retained for 10 years as required by Romanian accounting law.
11. Audit and Compliance
Soragai shall provide the Customer with all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits and inspections conducted by the Customer or an auditor mandated by the Customer. The Customer shall give reasonable prior notice of any audit and shall bear its own costs.
12. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service.
13. Governing Law
This DPA is governed by the laws of Romania. Any disputes shall be subject to the jurisdiction set out in the Terms of Service.
14. Contact
For data processing queries under this DPA:
Soragai
Email: hello@sorag.ai