Data Processing Agreement

Last updated: 29.05.2026

This Data Processing Agreement ("DPA") forms part of and is incorporated into the Localesy Terms of Service (the "Agreement") between DRK Solutions Daniel Szczepanik, NIP 9372723082 ("Localesy", "Processor") and the Client ("Controller"). It applies where, and to the extent that, Localesy processes personal data contained in Customer Content on the Client's behalf. Capitalised terms not defined here have the meaning given in the Agreement. "Controller", "processor", "personal data", "processing", "data subject", and "personal data breach" have the meanings given in the GDPR (Regulation (EU) 2016/679).

If there is a conflict between this DPA and the Agreement regarding the processing of personal data, this DPA prevails.

Section 1: Roles and Scope

  1. The Client is the controller and Localesy is the processor in respect of any personal data contained in Customer Content ("Customer Personal Data").
  2. Localesy processes Customer Personal Data only to provide the Service and only on the Client's documented instructions, which are given through the Client's use of the Service and the Agreement. Localesy will inform the Client if, in its opinion, an instruction infringes applicable data protection law.

Section 2: Details of Processing

  • Subject matter: provision of the localization Service (translation, quality assessment, glossary, and related features).
  • Duration: for the term of the Agreement and until deletion or return under Section 8.
  • Nature and purpose: storage, transmission, and automated processing of Customer Content to produce and manage translations and quality assessments.
  • Type of personal data: not predetermined by Localesy; consists of whatever personal data the Client includes in Customer Content. As the Service is intended for application strings, personal data is expected to be incidental and limited.
  • Categories of data subjects: not predetermined by Localesy; determined by the content the Client submits.

Section 3: Processor Obligations

Localesy will:

  1. process Customer Personal Data only on the Client's documented instructions, unless required otherwise by law (in which case it will notify the Client in advance unless the law prohibits this);
  2. ensure persons authorised to process Customer Personal Data are bound by appropriate confidentiality obligations;
  3. implement the technical and organisational security measures described in Section 6;
  4. respect the conditions in Section 4 for engaging sub-processors;
  5. assist the Client, by appropriate measures and insofar as possible, in responding to data-subject rights requests;
  6. assist the Client in ensuring compliance with security, breach-notification, impact-assessment, and prior-consultation obligations, taking into account the information available to Localesy;
  7. delete or return Customer Personal Data as set out in Section 8; and
  8. make available the information reasonably necessary to demonstrate compliance and allow for audits as set out in Section 7.

Section 4: Sub-processors

  1. The Client grants Localesy general authorisation to engage sub-processors to provide the Service. Localesy imposes data-protection obligations on each sub-processor no less protective than those in this DPA and remains responsible for their performance.
  2. The current sub-processors are:
     Sub-processor | Purpose | Location
     Vercel / Amazon Web Services (incl. CloudFront) | Hosting / edge / CDN | EU/EEA and global edge
     Supabase | Database / authentication | EU (Frankfurt)
     OpenRouter (gateway) - routing to Anthropic, OpenAI, xAI (Grok), and Google (Gemini) | AI translation & quality assessment | US / global
     DeepL | Machine translation | EU (Germany)
  3. Routing among already-disclosed providers may vary without constituting a new sub-processor: where Localesy varies which AI model or provider within the set disclosed above handles a request (for example through model A/B testing), this is use of an already-authorised sub-processor and does not trigger the notice in Section 4.4. Only the addition of a new provider company that receives Customer Personal Data is a new sub-processor.
  4. Localesy will give the Client at least fourteen (14) days' prior notice of adding a new sub-processor (by posting an updated list and/or by e-mail). The Client may object on reasonable data-protection grounds within that period; the parties will work in good faith to resolve the objection, and if it cannot be resolved, the Client's remedy is to terminate the affected part of the Service - objection is not a veto over Localesy's choice of provider.
  5. All sub-processors providing AI processing operate under agreements that do not permit the use of Customer Content to train AI models and that apply limited, time-bound retention for abuse monitoring only.

Section 5: International Transfers

  1. Localesy hosts Customer Personal Data primarily within the European Economic Area (EEA). Localesy will not transfer Customer Personal Data outside the EEA unless a lawful transfer mechanism under the GDPR is in place (such as an adequacy decision or Standard Contractual Clauses), and will inform the Client of the mechanism on request.

Section 6: Security

  1. Taking into account the state of the art and the nature of processing, Localesy implements appropriate technical and organisational measures, including: encryption of data in transit; access controls and authentication; restriction of access to authorised personnel; logging configured to avoid capturing Customer Content payloads; and regular review of its security measures. Localesy may update these measures provided the level of protection is not materially reduced.

Section 7: Audits

  1. Localesy will make available, on reasonable written request and no more than once per year (unless required by a supervisory authority or following a personal data breach), the information reasonably necessary to demonstrate compliance with this DPA. The parties will agree the scope, timing, and conditions of any audit, with appropriate confidentiality protections, to minimise disruption.

Section 8: Deletion and Return

  1. On termination of the Service, or earlier on the Client's written request, Localesy will delete or return Customer Personal Data in accordance with the Agreement and delete existing copies unless retention is required by law. Where the Client has an export window under the Agreement, deletion takes effect after that window.

Section 9: Personal Data Breach

  1. Localesy will notify the Client without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide the information reasonably available to assist the Client in meeting its own notification obligations.

Section 10: AI Output - Not a Compliance or Redaction Tool

  1. Nature of the features. Localesy's translation and quality-assessment features are AI-assisted tools that generate suggested outputs to support a human workflow. They are not data-protection, redaction, or compliance instruments.
  2. NOT A COMPLIANCE TOOL. These features are NOT designed, tested, or certified for: detecting, removing, redacting, or anonymising personal data; ensuring GDPR, CCPA, HIPAA, or other regulatory compliance; or making any legal or compliance determination about personal data.
  3. Client responsibilities. The Client must not rely on AI output to identify, protect, redact, or remove personal data; must implement its own measures to keep personal data out of, or appropriately protected within, Customer Content; and must apply human review where the handling of personal data matters.
  4. Limitation. Localesy expressly disclaims all liability for any data exposure, privacy breach, or compliance failure resulting from reliance on AI-generated output for data-protection, redaction, or compliance purposes. This is in addition to, and does not narrow, the limitations of liability in the Agreement.

Section 11: Liability and Governing Law

  1. Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA is governed by the laws of Poland, and the dispute-resolution provisions of the Agreement apply.