Data & Security Annex
Data processing agreement (Article 28 GDPR), hosting, security and confidentiality.
Version 1.8, updated June 14, 2026
This document is an English translation provided for convenience. In the event of any discrepancy, the French version prevails.
Preamble and purpose
This annex supplements and forms an integral part of the Azuro AI Terms of Service. It constitutes a data processing agreement within the meaning of Article 28 of Regulation (EU) 2016/679 (GDPR) and sets out the data processing, hosting, security and confidentiality arrangements applicable to the Service. It is made available to the Customer as an annex to the Terms of Service and is provided to them on request.
Capitalized terms have the meaning given to them in the Terms of Service.
Part 1. Data processing agreement (Article 28 GDPR)
1.1 Roles of the parties
The Customer is the data controller: they determine the purposes and means of the processing operations they carry out by means of the AIOS, as well as the data they upload to and create within it. Azuro is the processor: it processes the data on the Customer's behalf, within the limits of the provision of the Service, without determining its purposes.
1.2 Description of the processing
- Nature and purpose: provision of the Service (making the AIOS available, hosting the VPS, updates, support).
- Categories of data: the data uploaded and created by the Customer within the AIOS, the nature of which is freely determined by the Customer and may include personal data.
- Categories of data subjects: determined by the Customer according to their use of the Service.
- Duration: the duration of the contractual relationship.
1.3 Azuro's obligations
Azuro undertakes to:
- a) process the data only on the Customer's documented instructions, except where required by law;
- b) ensure that persons authorized to process the data have committed themselves to confidentiality;
- c) implement the appropriate technical and organizational measures (Article 32 GDPR), described in Part 4;
- d) engage a sub-processor only under the conditions of Part 2 (informing the Customer, with the possibility to object);
- e) assist the Customer, insofar as possible, in responding to requests to exercise the rights of data subjects;
- f) assist the Customer in complying with their obligations regarding security, breach notification and impact assessments;
- g) at the Customer's choice, return or delete the data at the end of the relationship, under the conditions of Part 5;
- h) make available to the Customer the information necessary to demonstrate compliance with the obligations under this article;
- i) notify the Customer of any data breach under the conditions of Part 6.
1.4 Customer's obligations
The Customer undertakes to have a legal basis for the processing operations they carry out, to give only lawful instructions, to inform data subjects where required, and to upload to the AIOS only data they are entitled to process.
Part 2. Processors and third parties
2.1 Azuro's sub-processors
To provide the Service, Azuro uses the following processors:
- Hosting: Hostinger, which provides the VPS infrastructure. Hosting located in France by default (Part 4).
- Payment: Stripe, which handles payment processing and billing (billing data: identity, address, email address, VAT number where applicable).
- Off-site backup: GitHub, which hosts the two private backup repositories dedicated to the Customer (Workspace and system), under the conditions of Part 4.
Azuro reserves the right to change these processors under the conditions of Section 2.3.
2.2 Artificial intelligence model
The artificial intelligence model used by the AIOS is, to date, that of Anthropic (Claude). It is used by means of the Customer's personal subscription with that provider. The relationship regarding that service, as well as the conditions applicable to it, are a matter between the Customer and the provider.
Azuro does not use the Customer's content to train any artificial intelligence model. The conditions applicable to the use of data by the model provider, including with respect to training, are governed by that provider's terms applicable to the Customer's subscription.
Azuro reserves the right to support other AI model providers.
2.3 Information and objection
Azuro informs the Customer of any planned change concerning its sub-processors. The Customer may object to such a change on legitimate grounds.
Part 3. Confidentiality and access
3.1 Confidentiality undertaking
Azuro and the persons acting on its behalf are bound by an obligation of confidentiality regarding the Customer's data. This obligation survives the end of the contractual relationship.
3.2 Operator access
Azuro's access to the Customer's VPS is limited to what is strictly necessary for maintenance and defect-correction operations. One Customer's data is not accessible from another Customer's instance (segregation). In accordance with the Terms of Service, this access may be discontinued at the Customer's request.
Part 4. Hosting and security
4.1 Hosting and location
The AIOS is deployed on a VPS dedicated to the Customer (isolated architecture, one server per Customer). Hosting is located in France by default. Another location may be chosen at the Customer's request, subject to available locations.
4.2 Security in transit
Communications between the Customer, the AIOS and third-party services are encrypted in transit (HTTPS / TLS). Unencrypted connections are redirected to the encrypted channel.
4.3 Security of data at rest
The protection of data stored on the Customer's VPS relies on layered defense:
- Single-tenant isolation: a VPS is dedicated to each Customer. No data is shared between Customers, and one Customer's data is not accessible from another Customer's instance.
- Restricted access to secrets: files containing secrets (credentials, tokens, technical keys) are stored with permissions restricted to the server's administrator account only.
- Hardened access control: access to the application is protected under the conditions of Section 4.4.
- Encryption in transit: exchanges are encrypted in accordance with Section 4.2.
- Encrypted off-site backups: off-site copies are kept on infrastructure that ensures their encryption at rest, under the conditions of Section 4.5.
4.4 Authentication and access control
Access to the application is protected by the following measures:
- Password not stored in plain text: the access password is verified by means of a cryptographic digest (hash) and is not stored in plain text.
- Limitation of login attempts: a mechanism temporarily blocks repeated login attempts, as protection against brute-force attacks.
- Secure session cookie: the session cookie is transmitted only over an encrypted channel (Secure attribute), is not accessible to page code (HttpOnly), and is restricted to the site (SameSite).
- Optional two-factor authentication: the Customer may enable two-factor authentication using a time-based one-time code (TOTP), together with single-use backup codes.
4.5 Backups
The Service includes a multi-level backup arrangement, intended to enable data recovery in the event of loss:
- On the VPS: a backup of the Workspace and the AIOS is performed every day on the VPS itself, allowing rapid restoration in the event of a mishandling or data loss.
- Off-site: a copy is replicated every day to GitHub, in two private repositories dedicated to the Customer (one for the Workspace, the other for the system), under Azuro's control, in order to allow restoration even in the event of a VPS failure.
- At the hosting provider level: the hosting provider additionally performs, on a periodic basis, its own backup of the server.
These backups are enabled by default and may be disabled upon the Customer's simple request.
Part 5. Retention, return and deletion
5.1 Retention periods
The retention periods applied are as follows:
- Service data (Workspace content, conversations, attachments, settings, memory): retained for the entire duration of the contractual relationship. It is not subject to any age-based purge; it is deleted at the end of the relationship (Section 5.3) or at the Customer's request (Section 5.4 and Article 8 of the Terms of Service).
- Application logs: retained for a maximum of 180 days (six months), with rotation and automatic purge beyond that period.
- Technical session markers: 90 days.
- Internal session logs: 180 days.
These periods are applied automatically.
5.2 Return and self-service export
At any time during the relationship, the Customer may export by themselves, from the application and without any intervention by Azuro, all of their data (Workspace, conversations, settings, memory, attachments and the acceptance history of the contractual documents), in the form of an archive in open formats. This function remains available even where the subscription has expired, in order to guarantee reversibility.
At the end of the relationship, Azuro additionally returns to the Customer the entire content of their VPS (Workspace and the AIOS as configured by the Customer), in open formats.
5.3 Deletion
At the end of the relationship, or at the Customer's request during the relationship, Azuro proceeds with the permanent deletion of the data, after confirmation by the Customer. Where the request is made during the relationship, deletion is carried out within a maximum of thirty (30) days. A certificate of deletion is provided to the Customer.
5.4 Deletion request by the Customer
The Customer may, from the application, request the deletion of all of their data. The request is subject to prior confirmation (with the option to export their data first), remains cancellable as long as it has not been executed, and gives rise to the provision of a certificate of deletion under the conditions of Section 5.3.
Part 6. Data breach notification
In the event of a data breach liable to affect the Customer's data, Azuro informs the Customer as soon as possible and assists them, insofar as possible, in managing the incident.
Part 7. Duration and relationship to the Terms
This annex applies for the entire duration of the Terms of Service, to which it is subordinate and whose fate it follows. The confidentiality undertakings survive its termination.