LEGAL
Data Processing Agreement (Summary)
Effective 2026-05-01
STRATEGIA's Data Processing Agreement (DPA) governs the processing of personal data by STRATEGIA SAS as Processor on behalf of subscribing organisations acting as Controllers, in accordance with Article 28 GDPR. This page summarises the principal commitments; the full executable DPA is available on request and supersedes any conflict with this summary.
1. Subject matter and duration
Processing of Customer personal data necessary for STRATEGIA to provide the Service throughout the Subscription Term and any agreed export window.
2. Categories of data and data subjects
Categories of personal data: business contact information (name, work email, role), authentication data, usage telemetry, commercial correspondence. Categories of data subjects: Customer's authorised users and named contacts.
3. Processor obligations
STRATEGIA agrees to:
• Process personal data only on documented instructions from Customer (including transfers to a third country except where required by EU/MS law)
• Ensure persons authorised to process personal data are bound by confidentiality
• Implement appropriate technical and organisational measures (Article 32 GDPR)
• Assist Customer in fulfilling data-subject rights requests
• Notify Customer without undue delay of any personal data breach (within 48 hours of discovery)
• At the end of the Subscription Term, delete or return all personal data as instructed by Customer
4. Sub-processors
Customer authorises the engagement of sub-processors. A current sub-processor list is maintained and available on request, and STRATEGIA gives at least 30 days' notice of new sub-processors. Customer may object to a new sub-processor for legitimate reasons; if the objection cannot be resolved, Customer may terminate the affected Order Form.
5. International transfers
Transfers of personal data outside the EEA are made on the basis of: (i) an adequacy decision; (ii) Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) executed between STRATEGIA and the relevant sub-processor; and (iii) supplementary measures including encryption and access controls.
6. Audit rights
Customer may, no more than once per twelve-month period, audit STRATEGIA's compliance with this DPA, on reasonable advance notice and during normal business hours, subject to confidentiality and non-interference with operations. STRATEGIA may satisfy audit rights by providing summaries of independent third-party audits (e.g. SOC 2 Type II, ISO 27001) where available.
7. Security incident notification
STRATEGIA will notify Customer without undue delay (and in any event within 48 hours of discovery) of any incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer personal data.
8. Execution
The full DPA — including Schedule 1 (description of processing), Schedule 2 (security measures), Schedule 3 (sub-processor list) and the EU SCCs — is provided in PDF on request. Most Customers prefer to execute STRATEGIA's standard DPA without modification; bespoke negotiation is available for Enterprise customers.
Questions? Email compliance@strategia.ai or our DPO at dpo@strategia.ai. Our DPA template is available on request.