THAURA
Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the contractual relationship between Thaura GbR (the “Processor”) and each customer that accesses or uses the Services (the “Controller”). It governs the Processor’s processing of Personal Data on behalf of the Controller within the meaning of Art. 4 No. 8 and Art. 28 of Regulation (EU) 2016/679 (“GDPR”). Where applicable, the provisions of the German Federal Data Protection Act (“BDSG”) apply in addition.
In the event of conflict between this DPA and the Main Agreement, this DPA shall prevail to the extent of any matter relating to the processing of Personal Data.
Definitions
For the purposes of this DPA, the following terms have the meanings given below. Capitalised data-protection terms not defined herein (including “Personal Data”, “Processing”, “Data Subject”, “Supervisory Authority”) have the meanings given to them in Art. 4 GDPR.
- “Controller” means the customer that accesses or uses the Services pursuant to a Main Agreement and that determines the purposes and means of the Processing of Personal Data submitted to the Services.
- “Processor” means Thaura GbR, a German civil-law partnership (Gesellschaft bürgerlichen Rechts) with offices at Fortunastr. 23 A, 30451 Hannover, Germany, contactable at info@thaura.ai.
- “Main Agreement” means any of the following under which the Controller accesses the Services: a separately signed enterprise services agreement, an API access agreement, or the Processor’s general Terms of Service as published at thaura.ai/terms-of-service and accepted by the Controller.
- “Services” means the cloud-based artificial-intelligence services provided by the Processor under the Main Agreement.
- “Sub-processor” means any third party engaged by the Processor to Process Personal Data on behalf of the Controller, as listed in Annex 1.
- “Sensitive Data” means Personal Data falling within the special categories defined in Art. 9(1) GDPR.
- “Parties” means the Controller and the Processor collectively.
§1 Subject Matter and Duration
1.1 Subject matter. The subject matter of this DPA is the processing of personal data by the Processor on behalf of the Controller for the purposes of providing the Services described in the Main Agreement and further specified in §2 below.
1.2 Duration. This DPA shall enter into force on the date of last signature (“Effective Date”) and shall remain in force for as long as the Processor processes personal data on behalf of the Controller under the Main Agreement. Termination is governed by §12.
§2 Nature, Purpose, Categories of Data and Data Subjects
2.1 Nature of processing. The Processor performs the following processing activities on personal data submitted by the Controller or its end users through the Services:
- Storage of conversational content, uploaded files, and user-generated artifacts;
- Transmission of prompts and uploaded content to AI inference providers for the purpose of generating responses;
- Optical character recognition (“OCR”), automated content analysis, and summarisation of uploaded documents;
- Audio transcription of uploaded media;
- Web search query execution and result aggregation;
- Email delivery of transactional messages (e.g. authentication codes, receipts);
- Payment processing for paid subscriptions;
- Storage of metadata and access logs for security and operational purposes;
- Encrypted backup of the foregoing.
2.2 Purpose. The sole purpose of the processing is the performance of the Services as defined in the Main Agreement. The Processor shall not process personal data for any other purpose, including in particular for its own commercial purposes, product improvement, model training, or finetuning, without the Controller’s documented prior instruction.
2.3 Categories of data subjects. The processing concerns the following categories of data subjects, as determined by the Controller:
- Employees, contractors, and agents of the Controller;
- End users, customers, members, beneficiaries, or applicants of the Controller;
- Any other natural person whose personal data the Controller chooses to submit to the Services.
2.4 Categories of personal data. The categories of personal data processed are those that the Controller chooses to submit to the Services, which may include in particular:
- Identifying data (name, email address, account credentials);
- Contact data (postal address, telephone number);
- Content data (text, files, images, audio, and other media submitted by the Controller or its end users);
- Metadata (IP address, device identifiers, timestamps);
- Financial or transactional data (where submitted by the Controller);
- Any further categories of personal data submitted by the Controller through the Services.
2.5 Special categories of personal data. Where the Controller elects to submit special categories of personal data within the meaning of Art. 9 GDPR, the Sensitive Data Addendum (Annex 3) shall apply.
§3 Obligations of the Controller
3.1 The Controller is responsible for the lawfulness of the processing within the meaning of Art. 6 GDPR (and, where applicable, Art. 9 GDPR), including the existence of an appropriate legal basis for the transfer of personal data to the Processor.
3.2 The Controller shall provide all instructions to the Processor in writing, including in electronic form. This DPA, the Main Agreement, and the documented configuration of the Services constitute the initial instructions of the Controller. Further instructions may be issued in writing at any time.
3.3 The Controller shall promptly notify the Processor of any error or irregularity identified in the processing of personal data carried out by the Processor.
3.4 The Controller shall fulfil all information obligations toward data subjects pursuant to Arts. 13 and 14 GDPR.
§4 Obligations of the Processor
4.1 Processing on instructions. The Processor shall process personal data only on the documented instructions of the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
4.2 No instructions in breach of law. Where the Processor is of the opinion that an instruction of the Controller infringes the GDPR or other Union or Member State data protection provisions, it shall inform the Controller without undue delay. The Processor is entitled to suspend the implementation of the instruction until it is confirmed or modified by the Controller.
4.3 Confidentiality. The Processor shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This obligation shall continue after the termination of any employment or contractual relationship.
4.4 Security of processing. The Processor shall implement the technical and organisational measures set out in Annex 2 in accordance with Art. 32 GDPR. The Processor may update such measures from time to time provided that the level of protection is not materially degraded. The Processor shall notify the Controller of any material change.
4.5 Cooperation. The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR.
4.6 Assistance with compliance. The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Arts. 32 to 36 GDPR taking into account the nature of processing and the information available to the Processor, in particular with regard to:
- security of processing (Art. 32 GDPR);
- notification of personal data breaches (Arts. 33–34 GDPR);
- data protection impact assessments (Art. 35 GDPR);
- prior consultation with supervisory authorities (Art. 36 GDPR).
4.7 Records of processing activities. The Processor maintains a record of processing activities carried out on behalf of the Controller in accordance with Art. 30(2) GDPR and shall make this record available to the Controller and the competent supervisory authority on request.
4.8 Data protection contact. The Processor’s contact for all matters relating to this DPA is:
Thaura GbR — Data Protection Contact
Fortunastr. 23 A, 30451 Hannover, Germany
Email: info@thaura.ai
§5 Technical and Organisational Measures
5.1 The Processor implements appropriate technical and organisational measures within the meaning of Art. 32 GDPR to ensure a level of security appropriate to the risk, having regard to the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.
5.2 The applicable measures are described in Annex 2 (Technical and Organisational Measures).
5.3 The Processor shall regularly review the effectiveness of these measures and adjust them as necessary in line with technical developments and changes in the risk landscape.
§6 Sub-processors
6.1 General authorisation. The Controller grants the Processor general authorisation to engage the sub-processors listed in Annex 1 for the processing of personal data under this DPA.
6.2 Notification of changes. The Processor shall inform the Controller of any intended addition or replacement of sub-processors by email at least thirty (30) days in advance (“Notice Period”), thereby giving the Controller the opportunity to object on reasonable grounds within the Notice Period.
6.3 Right to object. If the Controller objects within the Notice Period on reasonable grounds relating to the protection of personal data, the Parties shall negotiate in good faith to find a solution. If no agreement is reached within thirty (30) days of the Controller’s objection, either Party may terminate the Main Agreement with respect to those Services that cannot be provided without the proposed sub-processor, on thirty (30) days’ written notice, without further liability.
6.4 Flow-down obligations. The Processor shall conclude a written contract with each sub-processor that imposes data protection obligations no less protective than those set out in this DPA, in accordance with Art. 28(4) GDPR. The Processor remains fully liable to the Controller for the performance of each sub-processor’s obligations.
§7 International Transfers
7.1 All Processing of Personal Data under this DPA takes place within the European Union or the European Economic Area.
7.2 Should the Processor in the future engage a Sub-processor located in a third country (i.e., outside the EU/EEA) for the Processing of Personal Data, such transfer shall be governed by an appropriate transfer mechanism under Chapter V GDPR, such as:
- an adequacy decision under Art. 45 GDPR; or
- the European Commission’s Standard Contractual Clauses (“SCCs”) of 4 June 2021 (Decision 2021/914) together with supplementary measures where required.
7.3 The Processor shall make available to the Controller, on request, copies of the relevant transfer mechanisms concluded with Sub-processors located in third countries.
§8 Data Subject Rights
8.1 Where a data subject contacts the Processor directly with a request relating to the processing under this DPA (such as a request for access, rectification, erasure, restriction, portability, or objection), the Processor shall, without undue delay and at the latest within five (5) working days, forward the request to the Controller without itself responding to the substance of the request, unless required to do so by applicable law.
8.2 The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller’s obligation to respond to such requests.
§9 Data Breach Notification
9.1 The Processor shall notify the Controller in writing (email being sufficient) of any personal data breach within the meaning of Art. 4 No. 12 GDPR without undue delay, and in any event within forty-eight (48) hours after becoming aware of it.
9.2 Such notification shall, to the extent reasonably available at the time of notification, include:
- a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and personal data records concerned;
- the name and contact details of the Processor’s point of contact;
- a description of the likely consequences of the breach;
- a description of the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.
9.3 Where, and insofar as, it is not possible to provide the information at the same time, the information may be provided in phases without further undue delay.
9.4 The Processor shall document all personal data breaches and the remedial measures taken, and shall make this documentation available to the Controller on request.
§10 Audit Rights
10.1 Demonstration of compliance. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and in this DPA.
10.2 Annual self-attestation. Once per calendar year, the Processor shall provide the Controller, on request, with a written self-attestation describing the Processor’s compliance with this DPA and the technical and organisational measures set out in Annex 2 (the “TOMs”).
10.3 On-site audit. Subject to the conditions of this §10.3, the Controller (or an independent third-party auditor mandated by the Controller and not a competitor of the Processor) may conduct an on-site audit of the Processor’s premises and processing systems no more frequently than once per calendar year, except where an audit is triggered by a documented data protection incident or by a specific written request from a competent supervisory authority.
10.4 Audit conditions. On-site audits are subject to the following:
- thirty (30) days’ prior written notice;
- conduct during normal business hours;
- compliance with the Processor’s reasonable confidentiality, security, and operational requirements;
- execution of a non-disclosure agreement by the auditor;
- absence of disruption to the Processor’s business operations beyond what is reasonably necessary for the audit;
- audit costs borne by the Controller, except where the audit reveals material non-compliance, in which case the Processor shall bear reasonable costs.
10.5 Where the Processor obtains generally recognised certifications, attestations, or third-party audit reports (such as ISO 27001 or SOC 2), the provision of such documentation to the Controller shall be deemed to satisfy the Controller’s audit rights in respect of the matters covered by such certifications, unless additional information is reasonably required.
§11 Liability and Indemnification
11.1 The liability of the Parties under this DPA shall be governed by Art. 82 GDPR.
11.2 Liability cap. Subject to mandatory law and Art. 82 GDPR, the Processor’s total aggregate liability arising out of or in connection with this DPA (whether in contract, tort, or otherwise) is limited to the total fees paid by the Controller to the Processor under the Main Agreement during the twelve (12) months immediately preceding the event giving rise to the liability.
11.3 The limitation in §11.2 does not apply to liability arising from:
- intent or gross negligence;
- breaches of confidentiality;
- injury to life, body, or health;
- liability under the German Product Liability Act (Produkthaftungsgesetz);
- any liability that cannot be limited under mandatory law.
11.4 Where larger liability caps are required for a specific deployment, the Parties may agree such caps in a separate written addendum.
§12 Termination, Return and Deletion of Data
12.1 This DPA terminates automatically upon termination of the Main Agreement for any reason.
12.2 Upon termination of the Main Agreement, the Processor shall, at the Controller’s choice expressed in writing within thirty (30) days of termination, either:
- return all personal data processed on behalf of the Controller to the Controller in a structured, commonly used, and machine-readable format; or
- delete all such personal data,
in each case within thirty (30) days for live (production) data, with backups purged within ninety (90) days, except where Union or Member State law requires storage of the personal data.
12.3 Upon completion, the Processor shall, on request, provide the Controller with a written confirmation of return or deletion.
12.4 Logs and metadata not constituting personal data of data subjects of the Controller (e.g. aggregated and anonymised operational metrics) may be retained beyond the foregoing periods for the Processor’s legitimate business interests.
§13 Special Category Data (Art. 9 GDPR)
13.1 The Controller shall not submit special categories of personal data within the meaning of Art. 9(1) GDPR (“Sensitive Data”) through the Services unless the Sensitive Data Addendum (Annex 3) has been concluded between the Parties.
13.2 Where the Sensitive Data Addendum has been concluded, processing of Sensitive Data shall be subject to its terms.
§14 Final Provisions
14.1 Order of precedence. In the event of inconsistency between the documents forming this contractual relationship, the following order of precedence shall apply (highest to lowest): (i) the Sensitive Data Addendum (where applicable); (ii) this DPA; (iii) the Main Agreement; (iv) the Processor’s general Terms of Service and Privacy Policy as published at thaura.ai.
14.2 Form. Amendments and supplements to this DPA must be made in writing (text form, including email, being sufficient). This applies also to any waiver of the written-form requirement.
14.3 Severability. Should individual provisions of this DPA be or become invalid or unenforceable, the validity of the remaining provisions shall remain unaffected. The Parties undertake to replace the invalid or unenforceable provision by a provision that comes as close as possible to the economic purpose of the invalid or unenforceable provision.
14.4 Governing law. This DPA is governed by the laws of the Federal Republic of Germany, excluding the UN Convention on Contracts for the International Sale of Goods.
14.5 Venue. Exclusive place of jurisdiction for all disputes arising out of or in connection with this DPA is Hannover, Germany, to the extent permitted by mandatory law.
Annex 1 — Authorised Sub-processors
The Controller authorises the Processor to engage the following sub-processors for the processing of personal data under this DPA. The Processor shall notify the Controller of any intended addition or replacement of sub-processors in accordance with §6.
| # | Sub-processor | Service | Categories of data processed | Location of processing |
|---|---|---|---|---|
| 1 | Hetzner Online GmbH | Cloud infrastructure (compute, primary storage) | All personal data submitted to the Services | Nuremberg, Germany (EU) |
| 2 | Hetzner Online GmbH (off-site backups) | Encrypted off-site backups | All personal data submitted to the Services (client-side encrypted before transmission via rclone-crypt) | Falkenstein, Germany (EU) |
| 3 | Together AI | AI model inference (LLM, vision/multimodal) | Prompts, conversation content, content submitted for inference | EU-only processing (Stockholm, Sweden) pursuant to a written commitment from Together AI; no use of Controller data for model training |
| 4 | Stripe | Payment processing for paid subscriptions | Billing data, payment-method tokens, transaction metadata | Ireland (EU) |
| 5 | Resend | Transactional email delivery | Recipient email address, transactional email content | Ireland (EU) |
Updates to this list are notified in accordance with §6. The current version of this list is published at this URL.
Note on third-party services that do not process Personal Data. The Processor uses Brave Search (USA) as an upstream web-search API. Queries to Brave are issued server-side by the Processor for generic topic searches; no user identifier, no end-user IP address, and no Personal Data is transmitted to Brave. Brave is therefore not a Sub-processor within the meaning of Art. 28 GDPR and is mentioned here for transparency only.
Annex 2 — Technical and Organisational Measures (TOMs)
This Annex describes the technical and organisational measures implemented by the Processor within the meaning of Art. 32 GDPR.
1. Confidentiality (Art. 32(1)(b) GDPR)
1.1 Physical access control
All primary processing infrastructure is hosted at the data centre of Hetzner Online GmbH (Nuremberg, Germany). Off-site backup storage is at the Hetzner data centre in Falkenstein, Germany. Both facilities are certified to ISO 27001, with physical security measures including 24/7 surveillance, biometric and badge-controlled access, intrusion detection, fire detection and suppression, and redundant power and cooling. The Processor maintains no physical infrastructure outside these data centres.
1.2 System access control
- Access to production systems is restricted to authorised personnel only.
- Multi-factor authentication is required for access to the production environment.
- SSH access is restricted to public-key authentication; password-based access is disabled.
- All access events are logged.
- Personnel access is revoked promptly upon termination of employment or change of role.
1.3 Data access control
- Role-based access control (“RBAC”) within the application enforces the principle of least privilege.
- Application-layer authorisation prevents users from accessing data belonging to other tenants.
- Customer data is segregated by user identifier at the database and object-storage layers.
1.4 Pseudonymisation and separation
- User content is stored under per-user prefixes in object storage.
- Account identifiers used internally are non-meaningful surrogate keys.
- Production and non-production environments are physically and logically separated; production data is not used in development or test environments.
2. Integrity (Art. 32(1)(b) GDPR)
2.1 Transmission control
- All data in transit between client devices and the Processor is encrypted using TLS 1.2+ (TLS 1.3 preferred), with certificates issued by Let’s Encrypt.
- All internal traffic between the Processor and its sub-processors is encrypted in transit.
2.2 Input control
- All write operations on personal data are subject to authentication and authorisation checks.
- Application-level audit logging records authentication events, administrative actions, and access to security-sensitive endpoints.
3. Availability and Resilience (Art. 32(1)(b) GDPR)
3.1 Availability control
- Encrypted, automated backups are performed on a daily basis.
- Backup retention follows a 7-daily, 4-weekly, 3-monthly schedule.
- Backups are stored on an off-site Hetzner Storage Box in a different data centre (Falkenstein) from primary infrastructure (Nuremberg).
3.2 Recoverability
- Recovery procedures from backup are documented.
- The Processor performs automated restore-verification tests on a daily basis.
4. Procedures for Regular Review (Art. 32(1)(d) GDPR)
- The Processor reviews these TOMs at least annually and updates them as appropriate in light of new threats, the state of the art, and the nature of processing.
- Personnel with access to personal data receive periodic data-protection awareness training.
5. Encryption (Art. 32(1)(a) GDPR)
- Encryption at rest. Application-level field encryption (AES-256-GCM) is used for selected sensitive fields in the primary database. Uploaded files in object storage are encrypted at rest (AES-256-GCM). Off-site backups to Hetzner Storage Box are client-side encrypted before upload using rclone-crypt (XSalsa20-Poly1305), so plaintext never reaches the backup target.
- Encryption in transit. TLS 1.2+ for all external traffic. Internal service-to-service traffic is encrypted; backup transfers use SFTP/SSH over the rclone-crypt layer.
- Key management. Encryption keys are managed by the Processor and stored separately from the encrypted data they protect. Application secrets are stored in environment-variable form on the production host with file-system access restricted to the application user.
- Authentication credentials. User passwords (where applicable) are hashed using bcrypt. Authentication tokens are signed using JSON Web Signatures (JWS) with private keys held by the Processor.
6. Order Control (Art. 28 GDPR)
- All sub-processors are subject to written data processing agreements with terms no less protective than this DPA.
- Personnel are bound by confidentiality obligations that survive termination of employment.
7. Retention
- Account data: retained until account deletion is requested by the user.
- Conversation content, uploaded files, generated artifacts: retained until deleted by the user; cascade-deleted on account deletion.
- Operational metadata (IP, device type): retained for thirty (30) days.
- Application and access logs: retained for thirty (30) days and then automatically rotated.
- Backups: retained on the 7-daily / 4-weekly / 3-monthly schedule defined in section 3.1 of this Annex.
8. Personal Data Breach Procedure
- Detection: Application monitoring and alerting in place; reports from users and third parties are triaged.
- Notification: In the event of a confirmed personal data breach, the Processor notifies affected controllers in writing within 48 hours per §9.
- Documentation: All breaches are documented and reviewed.
9. Data Subject Rights Support
- Self-service tools allow users to delete their personal data and close their accounts (cascade-delete).
- Data subjects may request a machine-readable export of their personal data by emailing info@thaura.ai; the Processor responds within statutory time limits.
- Controllers receive support from the Processor for data subject requests routed via the Controller in accordance with §8.
Annex 3 — Sensitive Data Addendum (Art. 9 GDPR)
This Addendum applies only where executed by both Parties in writing.
1. Definitions
For the purposes of this Addendum, “Sensitive Data” means personal data falling within the special categories defined in Art. 9(1) GDPR, including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person’s sex life or sexual orientation.
2. Controller Warranties
By submitting Sensitive Data to the Services, the Controller warrants that:
2.1 it has identified a valid legal basis for processing Sensitive Data under Art. 9(2) GDPR, which may include in particular:
- explicit consent of the data subject pursuant to Art. 9(2)(a) GDPR;
- processing necessary for reasons of substantial public interest pursuant to Art. 9(2)(g) GDPR;
- processing for the purpose of preventive or occupational medicine pursuant to Art. 9(2)(h) GDPR;
- another applicable exception under Art. 9(2) GDPR;
2.2 where consent is the legal basis, such consent has been obtained from the relevant data subject in a manner that is freely given, specific, informed, unambiguous, and explicit, and the Controller maintains adequate records of such consent;
2.3 the Controller has fulfilled all information obligations toward data subjects pursuant to Arts. 13 and 14 GDPR, including in respect of the engagement of the Processor;
2.4 where required, the Controller has conducted a data protection impact assessment (“DPIA”) in accordance with Art. 35 GDPR.
3. Processor Additional Obligations
When processing Sensitive Data on behalf of the Controller, the Processor shall:
3.1 apply the technical and organisational measures set out in Annex 2 with particular attention to access control and confidentiality;
3.2 process Sensitive Data strictly within the scope of the Controller’s documented instructions and the purposes set out in the Main Agreement;
3.3 cooperate with the Controller in any DPIA, prior consultation, or supervisory authority inquiry concerning the processing of Sensitive Data, in accordance with §4.6 of the DPA.
4. Restrictions
4.1 The Processor shall not use Sensitive Data for model training, finetuning, product improvement, or any other purpose beyond the provision of the Services.
4.2 The Processor shall ensure that none of its sub-processors uses Sensitive Data for the training or improvement of generally available AI models. The Processor’s contractual arrangements with Together Computer, Inc. include a no-training commitment that flows down from this Addendum.
5. Termination
5.1 Where the Controller cannot demonstrate, on the Processor’s reasonable request, that the processing of Sensitive Data has a valid legal basis under Art. 9(2) GDPR, the Processor may suspend the processing of Sensitive Data or terminate this Addendum on thirty (30) days’ written notice.
5.2 Termination of this Addendum does not affect the validity of the DPA in respect of non-sensitive personal data.
Contact
For all matters relating to this DPA — including DPA execution requests, sub-processor change notifications, breach reports, and data subject rights coordination — please contact:
Thaura GbR — Data Protection Contact
Fortunastr. 23 A, 30451 Hannover, Germany
Email: info@thaura.ai
Document version 1.0 · Last updated: 11 May 2026. Thaura GbR is a German civil-law partnership (Gesellschaft bürgerlichen Rechts). Updates to this document will be communicated to active Controllers in accordance with §6 and §14 above.