Every Sebrona DPA includes the following clauses at minimum. Engagement-specific addenda are negotiated where your sector demands more.
ART. 28(3)(A)
Documented processing instructions — model + routing policy locked to the signed spec.
ART. 28(3)(B)
Confidentiality undertakings from everyone with access (Sebrona team and named sub-processors).
ART. 28(3)(C)
Security measures per Art. 32 — encryption at rest, EU residency, default-deny policies (see /security).
ART. 28(3)(D)
Sub-processor flow-down — every sub-processor named at /security carries the same Art. 28 obligations.
ART. 28(3)(E)
Assistance with data-subject rights (Art. 15–22) within 10 working days of your request.
ART. 28(3)(F)
Assistance with Art. 33 (incident notification within 72h) and Art. 35 DPIAs.
ART. 28(3)(G)
End-of-engagement deletion or return of personal data; certified within 30 days of contract end.
ART. 28(3)(H)
Audit rights — you may audit Sebrona's processing once per year, or on notice in case of incident.