Buronia
English ▾

← GDPR & data protection

Data Processing Agreement (Art. 28)

For most users Buronia is a controller of your data — you give us your data so we can deliver our service. For users who deploy Buronia inside an organisation (a social-services NGO, a city office helping residents apply), Buronia acts as a processor on your behalf, and the GDPR Art. 28 terms below apply.

Effective 2026-04-30. This page is also available as a signable PDF on request.

1. Roles

The customer is the data controller. Buronia is the data processor and processes personal data only on documented instructions from the controller — typically the wizard answers and uploads submitted through the platform.

2. Subject-matter and duration

Subject-matter: Buronia drafting of EU benefit applications. Duration: as long as the customer's contract is active, plus the retention windows in Data retention.

3. Nature, purpose, and types of processing

Collection, storage, OCR, AI-driven drafting, e-mail delivery of magic links and receipts, payment authorisation. Special categories of data may be processed where the controller has an Art. 9 lawful basis for the underlying benefit.

4. Categories of data subjects

EU residents seeking benefits; their household members where named on a draft (e.g. children listed on a Pflegegrad application); the controller's own staff with platform access.

5. Obligations of the processor (Art. 28(3))

  1. Process personal data only on documented instructions, including transfers, unless required by EU/Member-State law (in which case we inform the controller before processing).
  2. Ensure persons authorised to process data are bound by confidentiality.
  3. Implement the technical and organisational measures listed in Compliance & security (encryption at rest with AES-256-GCM, TLS 1.3 in transit, role-based access, audit logging, incident response).
  4. Engage sub-processors only with prior general authorisation; the current list is at Sub-processors; we give 30 days' notice of changes.
  5. Assist the controller in fulfilling data-subject rights (Art. 15–22).
  6. Assist the controller in meeting Art. 32–36 obligations (security, breach notification, DPIA, prior consultation).
  7. Delete or return all data at the controller's choice when the contract ends, and delete existing copies unless EU/Member-State law requires retention.
  8. Make available all information necessary to demonstrate compliance and allow audits, including inspections by the controller or an auditor mandated by it.

6. Sub-processing

The controller authorises Buronia's existing sub-processors (see Sub-processors). New sub-processors are added on 30-day notice; the controller may object and terminate the contract if the objection cannot be reasonably resolved.

7. International transfers

Where personal data is transferred outside the EEA, transfers are governed by the International transfers page, including SCCs and supplementary measures.

8. Audits

The controller may audit Buronia's compliance once per calendar year, at the controller's expense, with 30 days' notice. Buronia provides the controller's external auditors with reasonable access to documentation and personnel, subject to confidentiality.

9. Liability

Each party is liable for damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to it, or where it has acted outside or contrary to lawful instructions of the controller, per Art. 82.

10. Term & termination

This DPA terminates with the underlying service contract. Upon termination, Buronia returns or deletes all personal data at the controller's choice, except where retention is required by Union or Member-State law.

How to execute this DPA

Email dpo@buronia.com with the subject line "DPA execution" and your organisation details. We return a counter-signed copy within 5 working days.