Bauta Data Processing Addendum
Last updated: 2026-07-02
This Data Processing Addendum ("DPA") is part of the Bauta Terms of Service between Laien AS (org.nr. NO 916 557 221 MVA), Buen 25, 1528 Moss, Norway ("Bauta", "we", "us") and the customer accepting the Terms ("you"). It applies whenever you use Bauta to process personal data on behalf of your organization, and it implements Article 28 of the GDPR for that processing. It is accepted by reference, like the Terms themselves — no signature is needed. If your organization requires negotiated or countersigned DPA terms, that is an Enterprise deliverable: contact enterprise@bauta.app.
Roles and scope
For personal data that you cause Bauta to process, you are the controller (or a processor acting for another controller, in which case you warrant that your instructions to us match that controller's) and Laien AS is your processor. That covered data is:
- the artifact content you deploy, to the extent it contains personal data you chose to include;
- the viewer email addresses you introduce through email-based sharing and email-verified (OTP) viewing, including share invites;
- the aggregate, cookieless view-analytics events recorded when your artifacts are viewed; and
- the audit-log entries recording actions on your artifacts (see Deletion and return below for their retention).
Not covered: your own account and sign-in data (the user ID, email, and name we hold about you and your users as service accounts). For that data Laien AS is an independent controller, and the Privacy Policy — not this DPA — describes the processing.
Details of processing
| Item | Description |
|---|---|
| Subject matter | Hosting and serving the HTML/React artifacts you deploy through a connected AI client, and operating the sharing controls around them. |
| Duration | The term of your use of the service (your subscription), plus the deletion wind-down described under Deletion and return. |
| Nature and purpose | Storage, hosting, serving to the viewers you authorize, sharing and access gating (including email verification), aggregate view analytics, abuse prevention (e.g. malware/phishing scanning at deploy time), and the related support. |
| Types of personal data | Whatever personal data you include in artifact content (you control this); viewer and invitee email addresses; aggregate view events; audit-log records of account and artifact actions. |
| Categories of data subjects | The people you share artifacts with (viewers and invitees), and any individuals whose personal data you include in artifact content. |
Instructions
We process the covered data only on your documented instructions, including for transfers to third countries, unless EU/EEA or Norwegian law requires otherwise — in that case we inform you of the legal requirement before processing, unless the law forbids it. Your instructions are the tool calls and settings you make through the service (deploying, updating, sharing, exporting, deleting — the sharing mode you set is the instruction for who may view), plus the Terms and this DPA. We will inform you if, in our opinion, an instruction infringes the GDPR.
Confidentiality
Access to the covered data is limited to persons who need it to operate, secure, or support the service, and every such person is bound by a contractual or statutory duty of confidentiality. We do not read or use your artifact content for anything other than hosting it, serving it to the people you share it with, and abuse prevention.
Security
Taking into account the state of the art and the nature of the processing, we implement the technical and organizational measures below (GDPR art. 32). They describe the system as actually built:
- Sandboxed serving. Artifact code executes in a sandboxed iframe (`allow-scripts` only) served from a separate registered domain, isolated from your account, from other artifacts, and from any cookies (the content-serving domain sets none).
- Private by default. New deploys are unlisted — reachable only via a secret access-token link — until you choose a different sharing mode; bare URLs return an existence-blind 404, and `private` fully locks serving.
- Encryption. All traffic is encrypted in transit (TLS); stored data is encrypted at rest on Cloudflare infrastructure, and OAuth tokens are additionally encrypted at the application layer.
- EU-hosted storage. Artifact content (Cloudflare R2) and production metadata (Cloudflare D1) are stored with the EU jurisdiction restriction. Serving pointers and token storage (Cloudflare Workers KV) are globally replicated by design and cannot be restricted to a single region; the pointers are non-personal (URL slugs, revision identifiers, storage keys) and tokens are encrypted at rest.
- Access control. Artifact operations are owner-scoped and require an authenticated connection; read and write operations are separate tools; viewer data access uses short-lived scoped tokens, never ambient cookies.
- Audit log. An append-only record of account and artifact actions supports accountability and abuse defense.
- Abuse prevention. Deployed content is scanned for malware/phishing indicators, and every served page carries a report-abuse link reviewed by a person.
Subprocessors
You give general written authorization for the subprocessors below. We impose data-protection obligations on each of them equivalent to this DPA through their own data processing agreements, and we remain fully liable to you for their performance.
| Subprocessor | Processing | Their DPA |
|---|---|---|
| Cloudflare | All infrastructure: compute (Workers), metadata (D1), serving pointers and token storage (KV), artifact content (R2, EU jurisdiction), aggregate analytics (Analytics Engine). | Cloudflare DPA |
| WorkOS | Login (AuthKit), including federated sign-in providers such as Google. | WorkOS DPA |
| Resend | Transactional email (share notifications, viewer email verification), sent from the EU (eu-west-1) region. | Resend DPA |
| Anthropic | Content-safety review of deployed artifacts and handling of abuse reports (automated and assisted review via the Claude API). | Anthropic DPA |
Changes. Before we add or replace a subprocessor processing covered data, we will update this page and give account holders at least 30 days' notice by email. If you object on reasonable data-protection grounds and we cannot offer a workaround, you may terminate your use of the service and delete your data (see Deletion and return) before the change takes effect. Where a replacement is urgently required for security or service continuity (for example, a subprocessor incident), we may make the change immediately and give the same notice without undue delay afterwards — your objection and termination right above is unaffected.
Assistance
Taking into account the nature of the processing, we assist you in fulfilling your obligations to data subjects (GDPR arts. 12–23) and your security, breach-notification, and impact-assessment obligations (arts. 32–36):
- Self-serve tooling. You can export and delete your artifacts directly through the Bauta connection in your AI client — the `export_artifact` tool returns every revision's original deployed source, and `delete_artifact` removes an artifact from serving immediately.
- Requests we receive. If a data subject contacts us directly about processing we perform for you, we will not respond on your behalf beyond directing them to you, and will forward the request where you are identifiable.
- Everything else — including help with data-subject requests the tooling doesn't cover, and reasonable information for your DPIAs or supervisory-authority consultations — via privacy@bauta.app.
Personal data breaches
If we become aware of a personal data breach affecting the covered data, we will notify you without undue delay at your account email, and will provide the information we have that you reasonably need for your own notification obligations (GDPR arts. 33 and 34) — the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken — supplementing as more becomes known.
Deletion and return
At any time during the term, and at the end of it, you can export (return) and delete your artifacts self-serve with the tools above; deletion removes the artifact's records immediately and its content once no other artifact references the same stored content. Account-level erasure requests to privacy@bauta.app are verified and handled within 30 days. Infrastructure-level point-in-time recovery copies held by Cloudflare age out within 30 days of a deletion.
Audit-log carve-out. Append-only audit-log entries are retained after artifact or account deletion, on the documented legal basis of our legitimate interest (GDPR art. 6(1)(f)) in security, abuse defense, and the accountability of a hosting service. These entries record who did what and when using internal account and artifact identifiers — plus, for email-gated sharing, the viewer email addresses you introduced — and never contain artifact content. This retention is described identically in the Privacy Policy.
Audits and information
On request, we make available the information reasonably necessary to demonstrate compliance with this DPA — written information first: this document, the Privacy Policy, the security overview, and answers to reasonable written security questionnaires. Where that is genuinely insufficient, we allow audits (including inspections) conducted by you or an auditor you mandate: at most once per year, on at least 30 days' written notice, during business hours, without disrupting the service, under confidentiality, and at your cost. Audits of the underlying infrastructure are satisfied through our subprocessors' own audit reports and certifications, as made available under their DPAs — we cannot grant physical access to Cloudflare's facilities.
International transfers
The service is EU-hosted by default: Laien AS is established in Norway (EEA), and artifact content and production metadata are stored with the EU jurisdiction restriction as described under Security. We do not currently offer per-organization residency selection. Where a subprocessor processes covered data outside the EU/EEA (for example on Cloudflare's global network, including Workers KV), the transfer is governed by that subprocessor's DPA and its transfer mechanism under GDPR arts. 44–49 — the EU standard contractual clauses or, where the subprocessor is certified, the EU–U.S. Data Privacy Framework. We will not transfer covered data to a third country on our own initiative outside these mechanisms.
Liability, precedence, and governing law
This DPA is part of the Terms: the Terms' limitation of liability applies in aggregate across the Terms and this DPA, and nothing in this DPA limits liability that cannot be limited under applicable law. If this DPA conflicts with the Terms regarding the processing of personal data, this DPA prevails. This DPA is governed by the same law and jurisdiction as the Terms (Norway). It applies for as long as we process covered data on your behalf.
Changes
We will post changes to this DPA at this URL and update the date at the top. Material changes affecting account holders will be announced by email, with the notice periods the Terms provide; subprocessor changes follow the 30-day mechanism above.
Contact
Questions about this DPA and all privacy requests: privacy@bauta.app. Negotiated DPA terms (Enterprise): enterprise@bauta.app.