Data Processing Agreement (DPA)
This DPA forms part of the agreement between the Customer ("Controller") and Anyrow ("Processor") and governs the processing of personal data in connection with the Anyrow service. It is drafted to satisfy Art. 28 GDPR.
If a conflict exists, this DPA prevails over the Terms of Service for matters concerning personal data processing.
1. Definitions
Terms capitalized here have the meanings assigned in the GDPR (e.g. "personal data", "processing", "data subject", "supervisory authority"). "Customer Data" means personal data that Controller uploads or submits to the service.
2. Roles and When This DPA Applies
- Controller determines the purposes and means of processing Customer Data.
- Anyrow processes Customer Data on Controller's documented instructions, as set out in this DPA and the Customer's account configuration.
This DPA applies automatically whenever Customer uploads documents containing personal data of third parties (e.g. end users, employees, clients, suppliers). Where Customer uses Anyrow only to process personal data relating to themselves, this DPA is dormant and the Privacy Policy alone governs.
3. Subject Matter and Duration
Subject matter: AI-assisted extraction of structured data from Customer-uploaded documents, storage, and making extraction results available to Controller via dashboard and API.
Duration: until the agreement is terminated and Customer Data is deleted per Section 10.
Nature and purpose: collection, storage, retrieval, transformation, and erasure as required to deliver the service.
Categories of data subjects: end users, employees, customers, vendors, or other individuals whose personal data appears in Controller's uploaded documents.
Categories of personal data: may include names, contact details, identifiers, financial data, and any other categories present in uploaded documents. Customer is solely responsible for the types of data submitted.
Special category data (Art. 9 GDPR): only if Customer expressly chooses to submit such data and on Customer's explicit documented instructions.
4. Processor Obligations
Anyrow will:
- Process Customer Data only on Controller's documented instructions, including regarding international transfers
- Ensure persons authorized to process the data are bound by confidentiality
- Implement appropriate technical and organizational measures per Section 6
- Assist Controller with data-subject requests per Section 7
- Notify Controller of breaches without undue delay per Section 8
- Delete or return Customer Data at end of service per Section 10
- Make available information necessary to demonstrate compliance and submit to audits per Section 11
5. Subprocessors
Controller grants general authorization for Anyrow to engage the subprocessors listed below. Anyrow will notify Controller of additions or changes with at least 30 days' notice; Controller may object within 14 days on reasonable grounds.
Current subprocessors: the authoritative list is maintained at https://anyrow.ai/legal/subprocessors. The list details each subprocessor's purpose, processing location, and transfer mechanism. Summary at time of publication: Cloudflare, Stripe, Google (Gemini). Microsoft is listed as a planned subprocessor and will activate when the Azure AI Document Intelligence extraction path is deployed. Check the subprocessors page for the current state; it takes precedence over any snapshot in this DPA.
Anyrow imposes equivalent data-protection obligations on each subprocessor by written contract.
6. Security Measures (Art. 32 GDPR)
Anyrow implements at minimum:
- TLS 1.3 in transit
- Encryption at rest (Cloudflare-default encryption)
- Role-based access control with minimum-privilege defaults
- Audit logging for administrative actions
- Separation of production environments from development
- Regular vulnerability scans and dependency updates
- Incident response plan with defined roles and timelines
- Secure software development practices (code review, no secrets in source)
A detailed Technical and Organizational Measures (TOM) document is available on request.
7. Assistance with Data-Subject Rights
Anyrow supports Controller in fulfilling access, rectification, erasure, restriction, portability, and objection requests from Controller's data subjects. Where equivalent functionality is available in the Customer dashboard (for example, workspace data export or deletion), Controller can act directly; otherwise Controller submits a written request to privacy@anyrow.ai and Anyrow responds within 10 business days.
8. Breach Notification
Anyrow notifies Controller of a personal data breach affecting Customer Data without undue delay, and in any event within 72 hours of becoming aware, aligned with the GDPR Art. 33 notification timeline. Notification includes:
- Nature of the breach, including the categories and approximate numbers of data subjects and records affected
- Likely consequences
- Measures taken or proposed to address the breach
- A contact point for further information
Controller is responsible for notifying the supervisory authority and affected data subjects as required under Art. 33/34 GDPR.
9. International Transfers
Where Customer Data is transferred outside the EEA/UK to a country without an adequacy decision, Anyrow relies on Standard Contractual Clauses (2021/914) between Anyrow and the subprocessor, and where applicable between Controller and subprocessor via a back-to-back arrangement. Supplementary measures (encryption, access controls) are applied per EDPB guidance.
10. Deletion and Return of Data
Upon termination of the service agreement, at Controller's choice, Anyrow will either:
- Delete all Customer Data within 30 days; or
- Return a machine-readable export (JSON/CSV, depending on data type) within 30 days and then delete.
Backups containing Customer Data are rotated out within 30 days of primary deletion. Anyrow confirms deletion in writing on request.
Retention longer than 30 days applies only where required by applicable law (e.g. 11-year retention of tax-related data under the Croatian General Tax Act). Such data is access-restricted and not further processed.
11. Audit Rights
Anyrow makes available the information necessary to demonstrate compliance and allows audits, including inspections, conducted by Controller or an auditor mandated by Controller. Audits:
- Must be reasonable in scope and frequency (not more than annually, except following a breach)
- Require 30 days' written notice
- May be satisfied by Anyrow providing a recent SOC 2 Type II or ISO 27001 report when available
- Costs are borne by Controller unless material non-compliance is found
12. Liability
Liability under this DPA is governed by the Limitation of Liability section of the Terms of Service, except where Art. 82 GDPR provides otherwise.
13. Term and Order of Precedence
This DPA is effective from the date the Customer accepts the Terms of Service and remains in effect for the duration of the agreement. If the main agreement conflicts with this DPA on data-protection matters, this DPA prevails.
14. Governing Law
This DPA is governed by the laws of the Republic of Croatia. Disputes follow the jurisdiction clause in the Terms of Service.
15. Execution
For most customers, acceptance of the Terms of Service on signup constitutes acceptance of this DPA. Enterprise customers may request a signed version of this DPA at legal@anyrow.ai.