Data Processing Agreement.

Standard DPA template covering GDPR (EU 2016/679) and LGPD (Brazil 13.709/2018). Eight clauses, plain language, written for legal review without surprises. Request a signed copy bound to your MSA via the email below — typical turnaround 3 business days.

What the standard DPA covers

Subject matter & purpose

TheoCloud processes Customer Data on behalf of the Customer to provide the deploy, build, observability, and runtime services. No secondary use, no aggregation across tenants.

Duration of processing

For the term of the subscription. On termination: Customer-initiated export within 30 days, then verifiable deletion within 60 days.

Categories of data

Application logs, runtime metrics, configuration (theo.yaml), deployment metadata (commit SHA, branch, author). Customer Data inside the application is processed by the Customer, not by Theo.

Sub-processors

Listed publicly with location, role, and DPA status. 30-day advance notice on additions, with an objection window. Current list available on request and reviewed quarterly.

International transfers

Customer-selectable region (EU, US; BR on the roadmap). Standard Contractual Clauses (SCC 2021/914) for any cross-border processing. No transfers to jurisdictions without adequacy.

Security measures (Annex II)

Encryption at rest (AES-256) and in transit (TLS 1.3+). Per-tenant isolation. Audit logs with 1-year retention. Annual penetration test. Incident response within 24h for confirmed breaches.

Audit & inspection rights

Annual SOC 2 Type II report provided under NDA, on the audit cadence shared with prospective Enterprise customers. Customer-led audit allowed once per year with reasonable notice. No-cost questionnaire response within 30 days.

Breach notification

Notification to Customer DPO within 24 hours of confirmed breach. Includes nature, affected categories, impact assessment, remediation timeline.

Compliance posture

GDPR + LGPD aligned

DPA template covers GDPR (EU 2016/679), LGPD (Lei 13.709/2018), and UK GDPR. Brazilian customers get LGPD-specific language for ANPD requirements.

Audit-ready by design

Signed image provenance, immutable audit logs, per-tenant SBOM, every deploy traceable to a commit SHA + human approver.

Standard documents

DPA (this template), MSA (master subscription agreement), SLA (uptime + response), SOC 2 Type II report (under NDA when available).

Operational evidence stack: DPA + audit logs + SBOM + signed images. SOC 2 Type II audit cadence shared with prospective Enterprise customers under NDA.