Data Processing Addendum (DPA)
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
"Data Controller" means the natural or legal person which determines the purposes and means of the processing of personal data (the Customer).
"Data Processor" means the natural or legal person which processes personal data on behalf of the controller (Contextaify).
"Sub-processor" means any third party appointed by Contextaify to process personal data on behalf of the Customer.
2. Subject Matter and Scope
This Data Processing Addendum ("DPA") supplements the Contextaify Terms of Service and sets out the obligations of the parties regarding the processing of personal data.
This DPA applies to all personal data that Contextaify processes on behalf of the Customer as part of providing the platform services.
3. Duration of Processing
The processing of personal data shall be carried out for the duration of the service agreement between the Customer and Contextaify, and shall cease upon termination, unless legal retention obligations apply.
4. Nature and Purpose of Processing
Contextaify processes personal data exclusively to:
- Provide platform services (context management, MCP distribution, file storage)
- Authenticate users and manage sessions
- Perform aggregated and anonymous usage analysis to improve the service
- Send operational communications related to the service
5. Types of Personal Data
Personal data processed includes:
| Category | Data |
|---|---|
| Account data | Name, email, avatar, user identifier |
| Usage data | Access logs, timestamps, IP addresses |
| User content | Context files (.md) created by the user |
| Billing data | Processed by Stripe; Contextaify does not store card data |
6. Obligations of Contextaify as Processor
Contextaify commits to:
- Process personal data only on documented instructions from the Customer
- Ensure that persons authorized to process personal data have committed to confidentiality
- Implement all security measures required by Article 32 of the GDPR
- Not engage another processor without prior authorization from the Customer
- Assist the Customer in fulfilling obligations regarding data subject rights requests
- Make available all information necessary to demonstrate compliance
- Allow and contribute to audits conducted by the Customer or an authorized auditor
7. Security Measures
Contextaify implements the following technical and organizational measures:
- Encryption in transit: TLS 1.3 for all communications
- Encryption at rest: AES-256 for stored data
- Access control: Multi-factor authentication, principle of least privilege
- Monitoring: Intrusion detection, access logging
- Backups: Encrypted backups with 30-day retention
- Incident management: Documented incident response procedure
8. Sub-processors
Contextaify uses the following sub-processors:
| Sub-processor | Service | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, S3 storage | EU (Frankfurt) |
| TiDB Cloud | Database | EU |
| Stripe | Payment processing | USA (with standard contractual clauses) |
| Anthropic | LLM processing (only if activated by user) | USA (with standard contractual clauses) |
Contextaify will notify the Customer at least 30 days in advance of any changes to sub-processors.
9. International Transfers
When personal data is transferred outside the European Economic Area, Contextaify ensures that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:
- Standard contractual clauses approved by the European Commission
- Transfer impact assessments where necessary
- Supplementary measures per EDPB recommendations
10. Data Subject Rights
Contextaify will assist the Customer in responding to data subject rights requests (access, rectification, erasure, portability, objection, restriction) within the timeframes established by the GDPR.
11. Data Breach Notification
In the event of a security breach affecting personal data, Contextaify will:
- Notify the Customer without undue delay and, in any case, within 72 hours of becoming aware of the breach
- Provide all available information about the nature of the breach, categories of data affected, and measures taken
12. Data Return and Deletion
Upon termination of the contractual relationship, Contextaify will:
- Return all personal data to the Customer in a structured, commonly used format
- Delete all copies of personal data within 30 days, unless legal retention obligations apply
- Provide certification of deletion upon Customer request
13. Governing Law
This DPA is governed by the laws of the European Union, in particular the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679.
Last updated: April 2026 · Author: Rodrigo Ramos