Data Processing Agreement under the General Terms and Conditions of Cloud Automation Solutions EOOD
Preamble
This Data Processing Agreement ("DPA") is an appendix to the Terms of Service ("Terms") of Cloud Automation Solutions EOOD and forms an integral part thereof.
The Customer ("Controller") engages Cloud Automation Solutions EOOD ("Processor", "we", "us") to provide the Bugzy AI platform and related services as described in the Terms. In the course of providing these services, the Processor may process personal data on behalf of and under the instructions of the Controller.
This DPA governs the rights and obligations of the parties in relation to the processing of personal data by the Processor on behalf of the Controller, in accordance with the EU General Data Protection Regulation (GDPR) and the Bulgarian Personal Data Protection Act (PDPA).
By accepting the Terms, the Controller also accepts this DPA. The categories of personal data processed are described in Appendix 1 to this DPA.
In the event of any conflict between the Terms and this DPA, the Terms shall prevail unless the conflicting provision of this DPA is required by GDPR, in which case this DPA shall prevail to the extent necessary for GDPR compliance.
1. Definitions
Unless the context or circumstances clearly indicate otherwise, the following terms have the meanings set out below. Capitalized terms not defined here have the meanings given in the Terms.
- "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") as defined in GDPR Article 4(1).
- "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Controller" means the Customer — the legal entity that determines the purposes and means of the Processing of Personal Data and has accepted the Terms.
- "Processor" means Cloud Automation Solutions EOOD (EIK: 203094836, registered address: Bulgaria, Sofia, 1797, 131-VA str. 1B), which processes Personal Data on behalf of the Controller.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).
- "PDPA" means the Bulgarian Personal Data Protection Act.
- "Standard Contractual Clauses (SCCs)" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission.
- "Technical and Organizational Measures (TOMs)" means the security measures described in Appendix 2 to this DPA.
2. Parties
2.1 Controller
The Controller is the Customer — the legal entity that has registered for and uses the Bugzy AI service and has accepted the Terms.
2.2 Processor
The Processor is:
Company: Cloud Automation Solutions EOOD
Registration Number (EIK): 203094836
Registered Address: Bulgaria, Sofia, 1797, 131-VA str. 1B
Email: privacy@bugzy.ai
The Processor may engage Sub-processors under the conditions set out in Section 6 of this DPA.
3. Controller Obligations
The Controller is responsible for:
- Determining the purposes and legal bases for the Processing of Personal Data
- Ensuring that it has a valid legal basis (under GDPR Article 6) for each type of Processing it instructs the Processor to perform
- Providing documented Processing instructions to the Processor
- Ensuring that it has obtained all necessary consents, authorizations, and rights to grant the Processor access to the Personal Data
- Informing Data Subjects about the Processing of their Personal Data in accordance with GDPR Articles 13 and 14
- Responding to Data Subject requests regarding the exercise of their rights (with assistance from the Processor as described in Section 7)
- Ensuring that only synthetic or anonymized test data is used wherever possible, and that production data containing Personal Data is not provided to the Service without appropriate safeguards
4. Processor Obligations
The Processor undertakes to:
- Process Personal Data only on the basis of documented instructions from the Controller, unless required to process by EU or Member State law to which the Processor is subject (in which case the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information)
- Ensure that all personnel authorized to process Personal Data are bound by contractual and statutory obligations of confidentiality and have received appropriate training on data protection
- Implement and maintain appropriate Technical and Organizational Measures (TOMs) as described in Appendix 2 to ensure a level of security appropriate to the risk, in accordance with GDPR Article 32
- Not independently determine the purposes or means of Processing — the Processor acts solely on the Controller's instructions
- Assist the Controller in ensuring compliance with its obligations under GDPR Articles 32 to 36 (security, breach notification, data protection impact assessments, and prior consultation)
- At the Controller's choice, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless EU or Member State law requires retention
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller (subject to Section 9)
5. Security Measures
5.1 General
The Processor implements and maintains appropriate Technical and Organizational Measures for the security of Personal Data processing in accordance with GDPR Article 32. The applicable measures are described in Appendix 2 to this DPA.
5.2 Updates
The Processor reserves the right to update the TOMs as technology evolves and risk profiles change, provided that the overall level of protection is not materially reduced. The Processor will inform the Controller of any significant changes to the TOMs.
5.3 Data Breach Notification
In the event of a Data Breach, the Processor will:
- Notify the Controller within 24 hours of becoming aware of the breach
- Provide all relevant information about the breach, including the nature of the breach, categories and approximate number of Data Subjects affected, and likely consequences
- Cooperate with the Controller to investigate, contain, and remedy the breach
- Implement measures to prevent future breaches
- Assist the Controller in fulfilling its breach notification obligations under GDPR Articles 33 and 34
6. Sub-processors
6.1 General Authorization
The Controller grants the Processor general authorization to engage Sub-processors for the performance of the services described in the Terms. The Processor maintains a list of current Sub-processors, which is set out in Appendix 1, Section 10.
6.2 Sub-processor Obligations
The Processor ensures that:
- Each Sub-processor is bound by a written agreement imposing data protection obligations no less protective than those set out in this DPA
- The Processor is fully responsible for the performance of each Sub-processor's obligations relating to the processing of Personal Data
- The Processor has conducted appropriate due diligence on each Sub-processor before engagement
6.3 Changes to Sub-processors
The Processor will inform the Controller of any intended changes concerning the addition or replacement of Sub-processors at least thirty (30) days in advance by email or notification in the Platform.
The Controller may object to a Sub-processor change on reasonable data protection grounds within fourteen (14) days of being notified. If the Controller objects and the parties cannot resolve the objection within thirty (30) days, either party may terminate the Agreement.
The Controller acknowledges that objecting to a specific Sub-processor may result in limited functionality or delays in the provision of the Service.
6.4 Non-EEA Sub-processors
For Sub-processors established outside the European Economic Area (EEA), the Processor guarantees the application of an appropriate transfer mechanism in accordance with GDPR Chapter V (see Section 8).
7. Data Subject Rights
7.1 Controller Responsibility
The Controller is responsible for responding to Data Subject requests for the exercise of their rights under GDPR Articles 15 to 22.
7.2 Processor Assistance
The Processor does not independently respond to Data Subject requests or complaints unless explicitly authorized by the Controller. If the Processor receives a request from a Data Subject for the exercise of their rights under GDPR Articles 15 to 22, the Processor will:
- Notify the Controller within three (3) business days of receiving the request
- Forward the request to the Controller
- Provide reasonable technical assistance to enable the Controller to respond to the request within the required timeframes
7.3 Cooperation and Costs
The parties will cooperate in good faith to fulfill Data Subject requests. If a request requires extraordinary technical actions (e.g., retrieval of archival data, complex data extraction), the Controller shall bear the reasonable costs of such actions.
8. International Data Transfers
8.1 EU Processing
Personal Data is primarily processed and stored within the European Union.
8.2 AI Processing (Non-EEA Transfer)
The Controller acknowledges that the Processor uses Anthropic PBC (Claude API) as a Sub-processor providing AI functionality for test generation and analysis. This Sub-processor is located in the United States. The Processor guarantees that:
- A Data Processing Agreement is in place with Anthropic PBC
- Standard Contractual Clauses (SCCs) are applied as the legal basis for the transfer
- Data sent to the AI provider is minimized to the volume strictly necessary for test generation
- Customer data is not used for training AI models
8.3 Legal Bases for Non-EEA Transfers
For any Sub-processor established outside the European Economic Area, the Processor ensures that the transfer is based on one of the following mechanisms under GDPR Chapter V:
- An adequacy decision by the European Commission (GDPR Article 45)
- Standard Contractual Clauses approved by the European Commission (GDPR Article 46)
- Derogations for specific situations (GDPR Article 49), where applicable
The Processor conducts transfer impact assessments and applies additional Technical and Organizational Measures when necessary to ensure an equivalent level of data protection.
9. Audit Rights
9.1 Documentation
The Processor will, upon reasonable request, provide the Controller with documentation (reports, certifications, summaries of security measures) demonstrating compliance with this DPA. This documentation-based approach is the default method of demonstrating compliance.
9.2 On-site Audits
The Controller has the right to conduct on-site audits of the Processor's compliance with this DPA, subject to the following conditions:
- The Controller must submit a written request with reasonable justification at least thirty (30) days in advance
- Audits may be conducted no more than once per calendar year, unless required by a supervisory authority or following a Data Breach
- Audits must be conducted during normal business hours (CET/CEST 09:00–18:00, Monday–Friday)
- Audits must not unreasonably interfere with the Processor's operations
- The auditor must be bound by appropriate confidentiality obligations
- The audit is conducted at the Controller's expense
9.3 Cooperation
The Processor will cooperate with audits and provide all necessary information and reasonable access to demonstrate compliance with this DPA and GDPR.
10. Liability
10.1 Liability Cap
Each party's liability under this DPA is subject to the limitation of liability provisions in the Terms. The total aggregate liability of the Processor for all claims arising under this DPA shall not exceed the total amount of fees paid by the Controller in the twelve (12) months preceding the event giving rise to the liability. This limit is cumulative for all claims under this DPA.
10.2 Indemnification
The Processor will indemnify the Controller against claims arising from the Processor's breach of this DPA, to the extent permitted by law and subject to the liability cap in Section 10.1.
10.3 Exceptions
The liability limitations in Sections 10.1 and 10.2 do not apply in the event of intent, gross negligence, or personal injury, consistent with Bulgarian law and the Terms.
11. Term and Termination
This DPA enters into force upon the Controller's acceptance of the Terms and remains in effect for as long as the Processor processes Personal Data on behalf of the Controller. The DPA will automatically terminate when all Personal Data has been deleted or returned in accordance with Section 4.
12. Data Deletion Upon Termination
Upon termination of the Agreement:
- The Controller has a thirty (30) day grace period to export its data using the Platform's export features
- After the grace period, the Processor will delete or return all Personal Data (at the Controller's choice), including all copies, within a reasonable time
- Deletion will be completed no later than ninety (90) days after the grace period expires
- The Processor will provide written certification of deletion upon the Controller's request
- Data that the Processor is required by law to retain (e.g., financial records under Bulgarian tax law) will be retained for the legally required period and then deleted
13. Governing Law
This DPA is governed by the laws of the Republic of Bulgaria and the EU General Data Protection Regulation (GDPR). Any disputes arising from this DPA shall be resolved in accordance with the dispute resolution provisions in the Terms.
14. Contact Information
For questions about this DPA or data processing practices:
Processor: Cloud Automation Solutions EOOD
Data Protection Contact Person: Milko Slavov
Email: privacy@bugzy.ai
Address: Bulgaria, Sofia, 1797, 131-VA str. 1B
Appendix 1 — Processing Details
1. Subject Matter of Processing
The processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Bugzy AI platform and related QA testing services, as described in the Terms.
2. Nature and Operations of Processing
The Processor performs the following processing operations:
- Collection (receiving account registration data, integration credentials)
- Storage (account data, test results, execution logs, AI-generated content)
- Access/retrieval (read-only access to Controller's documentation, issue trackers, communication systems via authorized API integrations)
- Use (analyzing documentation to generate test plans and test cases using AI models)
- Transmission (sending limited data to AI sub-processor for test generation)
- Deletion (upon account termination or data subject request)
3. Purposes of Processing
- Providing the Bugzy AI QA testing service to the Controller
- Account creation and management
- AI-powered test plan and test case generation
- Automated test execution and result reporting
- Integration with the Controller's development tools
- Customer support and communication
- Security monitoring and fraud prevention
- Legal compliance
4. Categories of Data Subjects
- Controller's employees and contractors (Users of the Service)
- Controller's customers or end users (if their data appears in documentation, issue trackers, or test scenarios)
- Third parties mentioned in the Controller's systems
5. Categories of Personal Data
- Contact information (names, email addresses)
- Account credentials (encrypted passwords, OAuth tokens)
- Company information (company name, EIK/registration numbers)
- User-generated content (names, emails, or other personal data appearing in documentation, issue trackers, or communication systems)
- Technical data (IP addresses, browser type, device information)
- Integration credentials (encrypted API keys)
- Test execution metadata
6. Recipients of Personal Data
Personal Data may be disclosed to:
- The Processor's authorized personnel (on a need-to-know basis)
- Sub-processors listed in Section 10 of this Appendix
- Competent authorities where required by law
7. Start of Processing
Processing begins on the date the Controller registers an Account and accepts the Terms.
8. Retention Periods
As specified in the Privacy Policy, Section 7 (Data Retention):
| Data Type | Retention Period |
|---|---|
| Active Account Data | Duration of service use |
| Deleted Account Data | 30 days from account deletion |
| Backup Data | Maximum 90 days |
| Test Results | 1 year (configurable per project) |
| Execution Logs | 90 days |
| Security Logs | 1 year |
| Financial Records | 5 years |
9. Transfers Outside the EEA
| Sub-processor | Location | Transfer Mechanism |
|---|---|---|
| Anthropic PBC | United States | Standard Contractual Clauses (SCCs) |
| Stripe Inc. | United States | Standard Contractual Clauses (SCCs) |
10. List of Sub-processors
| Provider | Purpose | Location | GDPR Compliance |
|---|---|---|---|
| Vercel Inc. | Web hosting, edge computing | EU Region | EU infrastructure, DPA |
| Supabase Inc. | Database, authentication | EU Region | EU infrastructure, DPA |
| Google Cloud Platform | File storage, compute infrastructure | EU Region | EU infrastructure, DPA |
| PostHog Inc. | Product analytics | EU Region | EU infrastructure, DPA |
| Anthropic PBC | AI processing (Claude API for test generation) | US (with EU DPA, SCCs) | DPA, Standard Contractual Clauses |
| Stripe Inc. | Payment processing, billing | US (with EU DPA, SCCs) | DPA, Standard Contractual Clauses, PCI DSS |
Appendix 2 — Technical and Organizational Measures
The Processor implements and maintains the following Technical and Organizational Measures in accordance with GDPR Article 32:
| Measure Type | Description |
|---|---|
| Encryption in Transit | All data transmitted using TLS 1.3+ (HTTPS). No unencrypted data transmission. |
| Encryption at Rest | Database and file storage are encrypted using industry-standard encryption (AES-256). |
| Access Control | Role-based access control (RBAC) for all team and customer data. Principle of least privilege applied. |
| Authentication Security | Passwords hashed using bcrypt with salt. OAuth 2.0 for third-party integrations. Multi-factor authentication (MFA) supported. |
| Infrastructure Isolation | Each customer's data is logically isolated in separate environments. No cross-customer data access. |
| API Security | OAuth 2.0 for integrations. API keys encrypted at rest. Rate limiting and abuse prevention. |
| Data Minimization | Only data strictly necessary for service provision is collected and processed. Data sent to AI providers is minimized to the volume required for test generation. |
| Anonymization/Pseudonymization | Analytics data is anonymized. Personally identifiable information is pseudonymized where possible during AI processing. |
| Backup and Recovery | Regular automated backups with maximum 90 days retention. Disaster recovery procedures in place. |
| Monitoring and Logging | 24/7 automated security monitoring and alerting. Security event logging for audit purposes. Logs retained for 1 year. |
| Incident Response | Documented incident response plan. Breach notification within 24 hours to Controller, 72 hours to supervisory authority. |
| Vulnerability Management | Regular security assessments. Prompt application of security patches. Dependency vulnerability scanning. |
| Employee Training | All personnel authorized to process Personal Data receive data protection training. Confidentiality obligations in employment contracts. |
| Physical Security | Infrastructure hosted by certified cloud providers (Google Cloud, Vercel, Supabase) with SOC 2 and/or ISO 27001 certifications. |
| Data Deletion | Secure deletion procedures for Personal Data upon termination or request. Certification of deletion available upon request. |