Bauta Data Processing Addendum

Last updated: 2026-07-02

This Data Processing Addendum ("DPA") is part of the Bauta Terms of Service between Laien AS (org.nr. NO 916 557 221 MVA), Buen 25, 1528 Moss, Norway ("Bauta", "we", "us") and the customer accepting the Terms ("you"). It applies whenever you use Bauta to process personal data on behalf of your organization, and it implements Article 28 of the GDPR for that processing. It is accepted by reference, like the Terms themselves — no signature is needed. If your organization requires negotiated or countersigned DPA terms, that is an Enterprise deliverable: contact enterprise@bauta.app.

Roles and scope

For personal data that you cause Bauta to process, you are the controller (or a processor acting for another controller, in which case you warrant that your instructions to us match that controller's) and Laien AS is your processor. That covered data is:

Not covered: your own account and sign-in data (the user ID, email, and name we hold about you and your users as service accounts). For that data Laien AS is an independent controller, and the Privacy Policy — not this DPA — describes the processing.

Details of processing

Item | Description
Subject matter | Hosting and serving the HTML/React artifacts you deploy through a connected AI client, and operating the sharing controls around them.
Duration | The term of your use of the service (your subscription), plus the deletion wind-down described under Deletion and return.
Nature and purpose | Storage, hosting, serving to the viewers you authorize, sharing and access gating (including email verification), aggregate view analytics, abuse prevention (e.g. malware/phishing scanning at deploy time), and the related support.
Types of personal data | Whatever personal data you include in artifact content (you control this); viewer and invitee email addresses; aggregate view events; audit-log records of account and artifact actions.
Categories of data subjects | The people you share artifacts with (viewers and invitees), and any individuals whose personal data you include in artifact content.

Instructions

We process the covered data only on your documented instructions, including for transfers to third countries, unless EU/EEA or Norwegian law requires otherwise — in that case we inform you of the legal requirement before processing, unless the law forbids it. Your instructions are the tool calls and settings you make through the service (deploying, updating, sharing, exporting, deleting — the sharing mode you set is the instruction for who may view), plus the Terms and this DPA. We will inform you if, in our opinion, an instruction infringes the GDPR.

Confidentiality

Access to the covered data is limited to persons who need it to operate, secure, or support the service, and every such person is bound by a contractual or statutory duty of confidentiality. We do not read or use your artifact content for anything other than hosting it, serving it to the people you share it with, and abuse prevention.

Security

Taking into account the state of the art and the nature of the processing, we implement the technical and organizational measures below (GDPR art. 32). They describe the system as actually built:

Subprocessors

You give general written authorization for the subprocessors below. We impose data-protection obligations on each of them equivalent to this DPA through their own data processing agreements, and we remain fully liable to you for their performance.

Subprocessor | Processing | Their DPA
Cloudflare | All infrastructure: compute (Workers), metadata (D1), serving pointers and token storage (KV), artifact content (R2, EU jurisdiction), aggregate analytics (Analytics Engine). | Cloudflare DPA
WorkOS | Login (AuthKit), including federated sign-in providers such as Google. | WorkOS DPA
Resend | Transactional email (share notifications, viewer email verification), sent from the EU (eu-west-1) region. | Resend DPA
Anthropic | Content-safety review of deployed artifacts and handling of abuse reports (automated and assisted review via the Claude API). | Anthropic DPA

Changes. Before we add or replace a subprocessor processing covered data, we will update this page and give account holders at least 30 days' notice by email. If you object on reasonable data-protection grounds and we cannot offer a workaround, you may terminate your use of the service and delete your data (see Deletion and return) before the change takes effect. Where a replacement is urgently required for security or service continuity (for example, a subprocessor incident), we may make the change immediately and give the same notice without undue delay afterwards — your objection and termination right above is unaffected.

Assistance

Taking into account the nature of the processing, we assist you in fulfilling your obligations to data subjects (GDPR arts. 12–23) and your security, breach-notification, and impact-assessment obligations (arts. 32–36):

Personal data breaches

If we become aware of a personal data breach affecting the covered data, we will notify you without undue delay at your account email, and will provide the information we have that you reasonably need for your own notification obligations (GDPR arts. 33 and 34) — the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken — supplementing as more becomes known.

Deletion and return

At any time during the term, and at the end of it, you can export (return) and delete your artifacts self-serve with the tools above; deletion removes the artifact's records immediately and its content once no other artifact references the same stored content. Account-level erasure requests to privacy@bauta.app are verified and handled within 30 days. Infrastructure-level point-in-time recovery copies held by Cloudflare age out within 30 days of a deletion.

Audit-log carve-out. Append-only audit-log entries are retained after artifact or account deletion, on the documented legal basis of our legitimate interest (GDPR art. 6(1)(f)) in security, abuse defense, and the accountability of a hosting service. These entries record who did what and when using internal account and artifact identifiers — plus, for email-gated sharing, the viewer email addresses you introduced — and never contain artifact content. This retention is described identically in the Privacy Policy.

Audits and information

On request, we make available the information reasonably necessary to demonstrate compliance with this DPA — written information first: this document, the Privacy Policy, the security overview, and answers to reasonable written security questionnaires. Where that is genuinely insufficient, we allow audits (including inspections) conducted by you or an auditor you mandate: at most once per year, on at least 30 days' written notice, during business hours, without disrupting the service, under confidentiality, and at your cost. Audits of the underlying infrastructure are satisfied through our subprocessors' own audit reports and certifications, as made available under their DPAs — we cannot grant physical access to Cloudflare's facilities.

International transfers

The service is EU-hosted by default: Laien AS is established in Norway (EEA), and artifact content and production metadata are stored with the EU jurisdiction restriction as described under Security. We do not currently offer per-organization residency selection. Where a subprocessor processes covered data outside the EU/EEA (for example on Cloudflare's global network, including Workers KV), the transfer is governed by that subprocessor's DPA and its transfer mechanism under GDPR arts. 44–49 — the EU standard contractual clauses or, where the subprocessor is certified, the EU–U.S. Data Privacy Framework. We will not transfer covered data to a third country on our own initiative outside these mechanisms.

Liability, precedence, and governing law

This DPA is part of the Terms: the Terms' limitation of liability applies in aggregate across the Terms and this DPA, and nothing in this DPA limits liability that cannot be limited under applicable law. If this DPA conflicts with the Terms regarding the processing of personal data, this DPA prevails. This DPA is governed by the same law and jurisdiction as the Terms (Norway). It applies for as long as we process covered data on your behalf.

Changes

We will post changes to this DPA at this URL and update the date at the top. Material changes affecting account holders will be announced by email, with the notice periods the Terms provide; subprocessor changes follow the 30-day mechanism above.

Contact

Questions about this DPA and all privacy requests: privacy@bauta.app. Negotiated DPA terms (Enterprise): enterprise@bauta.app.