Data Processing Agreement
Last updated: April 5, 2026
- Foretide acts as Data Processor. You are the Data Controller.
- We process your data only on your documented instructions — nothing else.
- Your data is encrypted in transit (TLS 1.3) and at rest (AES-256).
- Each organisation's data is fully isolated with quarterly-tested controls.
- We notify you of any data breach within 48 hours and assist with authority notifications.
- You can audit our practices. We delete all data within 30 days of termination.
- Governed by Spanish and EU law. GDPR-compliant throughout.
1. Purpose, scope, and roles
This DPA governs the processing of personal data you upload to or generate through Foretide, in compliance with the GDPR (EU) 2016/679. Roles: (a) You (or your organisation) are the Data Controller — you decide what data is processed and how results are used. (b) Foretide (Maistik Studio) is the Data Processor — we process data only according to your instructions as documented in the Terms of Service and this DPA. (c) Your obligations as Controller: obtaining lawful basis, informing data subjects, fulfilling rights requests, managing retention, and conducting Data Protection Impact Assessments (DPIAs) where required.
2. Types of data processed
Account data (name, email, organisation, role), uploaded content (PDF, Markdown, text documents), simulation data (agent profiles, results, reports, interaction logs), and usage data (credit consumption, feature usage, session metadata).
3. Processor obligations
We process data only on your documented instructions. All personnel are bound by confidentiality obligations. We implement: encryption in transit (TLS 1.3) and at rest (AES-256), encrypted credential storage (Fernet symmetric encryption), multi-tenant data isolation with row-level security, role-based access control with comprehensive audit logging, quarterly internal security assessments, annual independent penetration testing, and continuous automated isolation testing in CI/CD. AI processing providers do NOT use your data to train or improve their models.
4. Sub-processors
We do not engage sub-processors without prior written authorisation. We maintain a current list of sub-processors available on request. You will be notified of any intended changes with at least 30 days' notice, during which you may object. If we cannot accommodate your objection, you may terminate the agreement.
5. Data subject rights
We assist you in fulfilling obligations to respond to data subject requests under GDPR Articles 15-22: access, rectification, erasure, portability, restriction, and objection. We support the right to object to processing based on legitimate interests (Art. 21). If Foretide outputs are used for automated decisions significantly affecting individuals, you must comply with Art. 22 GDPR, including providing human review mechanisms.
6. Data transfers
By default, all personal data is stored within the European Union. We do not transfer personal data outside the EEA without ensuring appropriate safeguards including Standard Contractual Clauses (SCCs), Transfer Impact Assessments, and your prior notification. You have the right to object to new non-EEA transfers.
7. Breach notification
Upon discovering a personal data breach, we notify you within 48 hours via email and in-app notification, including: nature and scope, affected data categories and estimated number of data subjects, likely consequences, mitigation measures, and our point of contact. If the breach likely results in high risk to data subjects, we notify relevant data protection authorities (Spanish AEPD and/or applicable EU DPAs). We provide documentation sufficient for you to meet your own 72-hour notification obligation. We cooperate fully in breach investigations and legal proceedings.
8. Audit rights
We make available all information necessary to demonstrate compliance with this DPA. We allow and contribute to audits, including inspections, conducted by you or a mandated auditor, with reasonable notice during business hours. Annual penetration test results and isolation audit summaries are available upon request under NDA.
9. Data deletion and return
Upon termination, at your choice, we delete or return all personal data within 30 days. Export formats: original documents (PDF, Markdown, TXT), simulation data (JSON), reports (PDF), account data (CSV). Exports are generated within 7 business days. Data in backups is removed upon normal backup rotation (up to 60 days). Deletion is confirmed in writing upon request.
10. Liability
Each party's liability under this DPA is subject to the limitations in the Terms of Service. Nothing limits either party's liability for breaches of data protection law that cannot be limited by contract, including GDPR administrative fines arising from a party's own non-compliance.
11. Governing law
This DPA is governed by the laws of Spain and the European Union. Disputes shall be submitted to the courts of Barcelona, Spain. For data protection complaints, you may also contact the Spanish Data Protection Authority (AEPD) at www.aepd.es.