GDPR — Data Processing Agreement
Last updated: 1 April 2026
This Data Processing Agreement (“DPA”) is incorporated into the Multibase Terms of Service and applies wherever Customer processes personal data using the Service in connection with the EU GDPR or UK GDPR.
Customer = Controller (you decide what data is processed and why)
Multibase Ltd = Processor (we process data only on your instructions)
What this covers
| Data | Data subjects | Purpose |
|---|---|---|
| Reader search queries | Your portal readers | Power AI search and analytics |
| Email addresses (private portals) | Authenticated readers | Access control |
| Author profiles (name, avatar) | Your team members | Display on published articles |
| Aggregated portal analytics | Portal readers | Analytics dashboard |
Our commitments as your processor
We will:
- Process personal data only on your documented instructions, or as required by law
- Ensure everyone who accesses your data is under confidentiality obligations
- Implement appropriate technical and organisational security measures
- Notify you within 72 hours of discovering a personal data breach
- Help you respond to data subject rights requests within 5 business days
- Delete or return all your data on request or within 30 days of account closure
- Not engage new sub-processors without notifying you at least 14 days in advance
Security measures
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ for all data transmission |
| Encryption at rest | AES-256 for databases and file storage |
| Access control | Least-privilege access; MFA on infrastructure; role-based app access |
| Data isolation | Customer data is logically separated — no cross-account access possible |
| Backups | Daily automated backups, 30-day retention, encrypted, geographically separate region |
| Patch management | Critical CVEs patched within 7 days |
| Incident response | Documented process; on-call monitoring; post-incident reviews |
Sub-processors
You provide general authorisation for the sub-processors below. We’ll give you 14 days’ notice before adding a new sub-processor that handles your portal data. You may object within that window.
| Sub-processor | Location | Role | Transfer basis |
|---|---|---|---|
| Amazon Web Services | EU (Frankfurt) | Infrastructure, storage | EEA — no transfer |
| Anthropic | USA | AI features (transient only) | Standard Contractual Clauses |
| OpenAI | USA | Text embeddings (transient only) | Standard Contractual Clauses |
| Stripe | USA / EU | Payment processing | SCCs / Adequacy decision |
Note: Content sent to Anthropic and OpenAI for AI features is processed transiently to generate a response. It is not stored, logged, or used for model training.
Data breach notification
If we discover a personal data breach, we will notify you within 72 hours with:
- What happened and when we discovered it
- Categories and approximate number of data subjects affected
- Likely consequences
- Steps we’ve taken or will take
You’re responsible for notifying your supervisory authority and affected data subjects as required by applicable law.
International transfers
Customer data is stored on AWS eu-central-1 (Frankfurt) and does not leave the EEA for storage. Where transfers to third countries are required (AI providers), we rely on Standard Contractual Clauses (EU Commission Decision 2021/914) and UK IDTA where applicable. Copies are available on request at privacy@multibase.io.
Data subject rights
If we receive a data subject request about your portal data, we’ll forward it to you promptly. On your instruction, we’ll assist with access, deletion, or export within 5 business days.
Audits
You may audit our compliance once per calendar year with 30 days’ notice. We may satisfy this by providing our most recent SOC 2 report or commissioning a mutually agreed third-party audit.
Your responsibilities as Controller
You remain responsible for:
- Having a lawful basis for processing reader data through your portals
- Publishing a privacy notice on your own branded portals
- Obtaining cookie consent from readers where required
- Not uploading special category data without appropriate legal basis
- Maintaining records of processing activities (ROPA) that include Multibase as a processor
- Notifying your supervisory authority of breaches within 72 hours of becoming aware of them
Liability & governing law
Liability under this DPA is subject to the limitations in the Terms of Service. This DPA is governed by the laws of England and Wales. Where Customer is in an EU Member State, this DPA satisfies Article 28 EU GDPR requirements.
Questions: privacy@multibase.io