Data Processing Agreement
Last updated: May 12, 2026 · GDPR Art. 28
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Elevio Solutions (PIB: 115278168, MB: 68239532), Internacionalnih Brigada 25, Belgrade, Serbia, operating as Polyglot Translate Cloud ("Processor", "we"), and the entity agreeing to these terms ("Controller", "you").
This DPA applies when you use our Services to process personal data on behalf of your end users, customers, or other data subjects, as required under Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that the Controller submits to the Services for processing (e.g., text containing names, email addresses, or other identifiers submitted for translation).
- "Processing" means any operation performed on Personal Data, including translation, storage in Translation Memory, caching, and retrieval.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Services" means the Polyglot Translate Cloud platform, API, WordPress plugin, and related services as described in the Terms of Service.
2. Scope and Purpose of Processing
2.1 Subject Matter
The Processor processes Personal Data solely to provide the Services — specifically, translating text submitted by the Controller via the API, WordPress plugin, or web interface.
2.2 Nature of Processing
- Machine translation of submitted text
- Storage of source-target text pairs in Translation Memory
- Caching of translation results for performance
- Quality scoring and confidence calibration
- Logging of API requests for usage tracking and debugging
2.3 Categories of Data Subjects
End users, customers, website visitors, or any individuals whose personal data may appear in text submitted for translation by the Controller.
2.4 Types of Personal Data
Any personal data contained in text submitted for translation, which may include but is not limited to: names, email addresses, physical addresses, phone numbers, and other identifiers. The Controller determines what data is submitted.
2.5 Duration
Processing continues for the duration of the Controller's use of the Services, plus any retention period specified in Section 8.
3. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller (i.e., as necessary to provide the Services), unless required by EU or Member State law
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality
- Implement appropriate technical and organizational security measures as described in Section 5
- Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) as described in Section 7
- Assist the Controller in ensuring compliance with obligations under Articles 32-36 GDPR (security, breach notification, DPIA)
- Delete or return all Personal Data upon termination of the Services, at the Controller's choice, unless EU or Member State law requires storage
- Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR
- Allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller (with reasonable notice and during business hours)
4. Obligations of the Controller
The Controller shall:
- Ensure that the processing of Personal Data through the Services has a valid legal basis under GDPR (e.g., consent, contract performance, legitimate interest)
- Provide clear instructions regarding the processing of Personal Data
- Minimize the Personal Data submitted for translation — use placeholder tokens (e.g., {customer_name}) instead of actual personal data where possible
- Inform data subjects about the processing as required by Articles 13-14 GDPR
- Notify the Processor promptly of any data subject requests that require the Processor's assistance
5. Security Measures
The Processor implements the following technical and organizational measures:
5.1 Technical Measures
- TLS/SSL encryption for all data in transit (HTTPS, TLS 1.2+)
- Bcrypt password hashing for account credentials
- Server-side firewall (UFW) — all internal services bound to 127.0.0.1
- Cloudflare WAF, DDoS protection, and edge caching
- Rate limiting and anti-abuse detection
- Automated daily backups
- API authentication via bearer tokens
5.2 Organizational Measures
- Access to production systems limited to authorized personnel
- Confidentiality obligations for all personnel
- Regular security reviews and updates
- Incident response procedures as described in Section 6
6. Data Breach Notification
The Processor shall notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a personal data breach. The notification shall include:
- The nature of the breach, including categories and approximate number of data subjects and records affected
- The name and contact details of the Processor's contact point
- The likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its effects
7. Data Subject Rights
The Processor shall assist the Controller in fulfilling data subject requests under Articles 15-22 GDPR. Upon receiving a request directly from a data subject, the Processor shall promptly redirect the request to the Controller unless otherwise instructed.
The Processor supports the following requests:
- Access (Art. 15): Export of all Personal Data associated with the Controller's account, including Translation Memory entries
- Rectification (Art. 16): Correction of inaccurate translation data via the API or dashboard
- Erasure (Art. 17): Deletion of specific Translation Memory entries, API logs, and account data
- Portability (Art. 20): Export of data in structured, machine-readable format (JSON/CSV)
- Restriction (Art. 18): Suspension of processing for specific data sets upon request
Requests should be sent to [email protected]. The Processor will respond within 5 business days to assist the Controller.
8. Data Retention and Deletion
- Translation Memory entries: Retained for the duration of the Services. Upon termination, the Controller may request deletion of all TM entries contributed from their account.
- API request logs: Retained for 12 months, then automatically purged.
- Server access logs: Retained for a maximum of 90 days.
- Account data: Deleted within 30 days of account deletion request.
Upon termination of the Services, the Processor shall delete all Personal Data within 30 days, unless retention is required by law. The Controller may request a data export prior to deletion.
9. Sub-processors
The Controller authorizes the Processor to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| DigitalOcean, LLC | Infrastructure hosting | Amsterdam, Netherlands (EU) |
| Cloudflare, Inc. | CDN, DDoS protection, DNS | Global (edge servers, no permanent storage outside EU) |
| Lemon Squeezy, LLC | Payment processing (Merchant of Record) | United States (EU-U.S. DPF + SCCs) |
| Google LLC (Gemini API) | Translation provider (cloud AI) | EU/US (per Google Cloud DPA) |
The Processor shall inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object within 14 days. If the Controller objects on reasonable grounds, the parties shall discuss in good faith. If no resolution is reached, the Controller may terminate the affected Services.
10. International Data Transfers
The Processor's primary servers are located in the European Union (Amsterdam, Netherlands via DigitalOcean). Personal Data is not permanently stored outside the EU.
Where Personal Data is transferred to sub-processors outside the EEA (e.g., Cloudflare, Google, Lemon Squeezy), such transfers are protected by:
- EU-U.S. Data Privacy Framework (where applicable)
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Supplementary measures as required by Schrems II
11. Community Translation Memory
The Processor operates a Community Translation Memory where source-target text pairs may be shared across users to improve translation quality and reduce costs. This is a core feature of the Services described in the Terms of Service and Privacy Policy.
The Controller acknowledges that text submitted for translation may be stored in the Community TM and served to other users. Only the text pairs are shared — no account identifiers, API keys, or metadata are associated with shared TM entries.
Recommendation: Controllers should avoid submitting text containing personal data for translation. Use placeholder tokens (e.g., {customer_name}, {email}) to prevent personal data from entering the Community TM. The Controller may request opt-out from Community TM by contacting us.
12. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.
13. Governing Law
This DPA shall be governed by the laws of the Republic of Serbia, without regard to conflict of law principles. For Controllers in the EU, mandatory local data protection laws prevail to the extent they provide greater protection.
14. Contact
For DPA-related inquiries, data subject assistance, or audit requests:
- Email: [email protected]
- Entity: Elevio Solutions
- Tax ID (PIB): 115278168
- Registration No (MB): 68239532
- Address: Internacionalnih Brigada 25, Belgrade, Serbia