⚖ UK GDPR · EU GDPR Art. 28

Data Processing Agreement

Last updated: 1 January 2026 · AURA OPERATIONS LTD
Contents
1. Parties & Definitions
2. Scope of Processing
3. Processor Obligations
4. Sub-processors
5. Security Measures
6. Data Breaches
7. Deletion & Return
8. Audits

1. Parties and Definitions

This Data Processing Agreement ("DPA") is entered into between AURA OPERATIONS LTD ("Processor") and the customer entity that has agreed to our Terms of Service ("Controller").

This DPA forms part of and is incorporated into the Terms of Service. In the event of a conflict, this DPA shall prevail in respect of data protection matters.

"Personal Data", "Processing", "Data Subject", and "Supervisory Authority" have the meanings given in UK GDPR and EU GDPR 2016/679.

2. Scope and Nature of Processing

Shok-IS processes Personal Data on your behalf solely to provide the prediction inference services described in the Terms of Service. The categories of data processed depend entirely on the input vectors you submit to the API. Shok-IS does not inspect, analyse, or use Customer Data for any purpose other than providing the Service.

Data subjects: Your end users, customers, or employees whose attributes form the input vectors.

Duration: For the term of your subscription agreement.

3. Processor Obligations

AURA OPERATIONS LTD agrees to:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure that personnel authorised to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organisational security measures per Article 32 UK GDPR
  • Not engage sub-processors without prior written authorisation from the Controller
  • Assist the Controller in responding to Data Subject rights requests
  • Delete or return all Personal Data upon termination of the agreement

4. Sub-processors

The Controller provides general authorisation for Shok-IS to engage the following sub-processors:

  • Amazon Web Services EMEA SARL — Cloud infrastructure (EU/UK data centres)
  • Stripe, Inc. — Payment processing (SCCs in place)
  • Datadog, Inc. — Infrastructure monitoring (aggregated metrics only, no Personal Data)

We will notify you at least 14 days before engaging any new sub-processor. You have the right to object to new sub-processors within this period.

5. Technical and Organisational Security Measures

  • AES-256 encryption at rest; TLS 1.3 in transit
  • Zero-trust network architecture with mTLS between internal services
  • Workspace-level data isolation with no cross-tenant access
  • API key hashing using Argon2id
  • Annual third-party penetration testing
  • SOC 2 Type II certification (audited by Schellman & Co.)
  • Role-based access controls with MFA enforced for all staff

6. Data Breach Notification

In the event of a Personal Data Breach, Shok-IS will notify the Controller without undue delay and within 72 hours of becoming aware of the breach, to the extent such notification is required under UK GDPR Article 33. Notification will be sent to the primary account email address.

7. Deletion and Return of Data

Upon termination of the Services, Shok-IS will, at the Controller's election, delete or return all Personal Data within 90 days. Confirmation of deletion will be provided in writing.

8. Audits and Inspections

Shok-IS will make available all information necessary to demonstrate compliance with this DPA and allow for audits conducted by the Controller or a mandated auditor, subject to reasonable advance notice (minimum 30 days) and confidentiality obligations.

For Enterprise customers, our current SOC 2 Type II report is available under NDA upon request.