AURA 300

Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between Aura 300 Inc., a Delaware corporation ("Processor" or "Aura"), and the subscribing salon ("Controller" or "Client") using Aura's Services, pursuant to the Terms and Conditions available at https://aura300.ai/terms (the "Agreement").

1. Roles and Scope

1.1. This DPA applies to the extent that Aura processes Personal Data on behalf of the Client in the course of providing the Services under the Agreement.


1.2. The Client is the Data Controller. Aura is the Data Processor, acting solely on documented Client instructions pursuant to GDPR Art. 28. Where Aura accesses Client data held within CRM Platforms, Aura operates as a Sub-Processor within the Client's data processing chain, with the CRM Platform acting as the primary data processor. In all cases Aura acts only at the Client's direction.

2. Nature and Purpose of Processing

2.1. Aura processes Personal Data to provide AI-powered communication services (voice, WhatsApp, etc.), scheduling automation, appointment management, marketing re-engagement, and CRM syncing.

3. Types of Data and Data Subjects

3.1. Data Subjects: Salon and clinic end customers, prospective customers, and website visitors/leads of the Client.


3.2. Categories of Personal Data processed may include: name; email address; telephone number; appointment and booking information; communication history; marketing preferences; CRM identifiers; call recordings and transcripts; messaging content and metadata; advertising data (Nami clients).


3.3. Special Categories (GDPR Art. 9): The Services are not designed to process special category data. Clients must not upload health, biometric, or other special category data without a separate written agreement with Aura.

4. Processor Obligations

Aura agrees to:


4.1. Process Personal Data only on documented instructions from the Client, unless otherwise required by applicable EU, Member State, UK, or U.S. law. Where required by law to process without instruction, Aura will inform the Client before doing so unless prohibited by law.


4.2. Ensure that all personnel authorised to process Personal Data are subject to binding confidentiality obligations and are granted access only to data necessary for their duties (least-privilege principle).


4.3. Implement and maintain appropriate technical and organisational measures (TOMs), including industry-standard encryption at rest, TLS 1.2+ in transit, role-based access controls, per-tenant isolation, audit logging, vulnerability management, personnel training, and incident detection and response procedures.


4.4. Notify the Client without undue delay, and in accordance with applicable law (including within 72 hours where required under GDPR Art. 33), after becoming aware of a Personal Data Breach, providing sufficient information to enable the Client to meet its own reporting obligations.


4.5. Provide commercially reasonable assistance to the Client in responding to Data Subject requests under applicable law (GDPR Arts. 15-22; CCPA/CPRA; and equivalent laws).


4.6. Assist the Client in fulfilling its obligations in respect of DPIAs and prior consultations with Supervisory Authorities.


4.7. Unless prohibited by applicable law, promptly notify the Client of any legally binding request from a governmental or regulatory authority for disclosure of Personal Data.

5. Sub-Processors

5.1. Aura may engage Sub-Processors (e.g., Twilio, Meta, Retell AI) to support service delivery.


5.2. The current Sub-Processor list is maintained at https://aura300.ai/sub-processors. Aura will update this list prior to engaging any new Sub-Processor.


5.3. Aura will impose data protection obligations on all Sub-Processors that are at least as protective as those in this DPA, including GDPR Art. 28(4) requirements where applicable.


5.4. Aura will provide the Client with at least 14 days prior written notice of any intended addition or replacement of Sub-Processors. The Client may object on reasonable, documented grounds within that period. If Aura proceeds despite a valid objection, the Client may terminate the Agreement for cause.


5.5. Aura remains liable to the Client for the acts and omissions of its Sub-Processors to the same extent as if Aura had performed the processing directly (GDPR Art. 28(4)), subject to the liability cap in Section 9.

6. International Data Transfers

6.1. Where Personal Data is transferred outside the EU/EEA, UK, or a jurisdiction with an adequacy decision, Aura will ensure appropriate safeguards are in place, including: Standard Contractual Clauses (SCCs) under GDPR (Commission Implementing Decision 2021/914); the UK International Data Transfer Addendum (IDTA) for UK transfers; and equivalent mechanisms under applicable law.

7. Data Retention and Deletion

7.1. Upon termination of the Agreement and upon written request from the Client, Aura will delete or return all Personal Data within 30 days, unless retention is required by applicable law.


7.2. Residual copies in routine backup systems may be retained until overwritten in accordance with Aura's standard backup schedule, subject to ongoing confidentiality obligations. Where no deletion request is received, Personal Data will be deleted within 30 days of termination. Aura will provide written confirmation of deletion on request.

8. Audit Rights

8.1. The Client may audit Aura's compliance with this DPA no more than once annually, upon no less than 30 days prior written notice, except where required by applicable law, a Supervisory Authority, or following a confirmed Personal Data Breach. The Client may not access information relating to other customers, trade secrets, source code, or vulnerability reports. In lieu of a direct audit, Aura may satisfy audit obligations by providing a written summary of its security controls or equivalent documentation.

9. Liability

9.1. Each party is liable for its own breaches of applicable data protection laws. Aura's aggregate liability under this DPA, including for the acts and omissions of its Sub-Processors, is subject to the liability cap set out in the Agreement, being the greater of: (a) fees paid by Client to Aura during the 12 months preceding the event giving rise to the claim; or (b) USD 5,000, except to the extent such limitation is prohibited by applicable data protection law. For the avoidance of doubt, nothing in this Section limits Aura's liability under GDPR Art. 82 or equivalent provisions that cannot be excluded by contract.


9.2. The Client is solely responsible for determining the lawfulness of the data it provides and for obtaining all necessary consents and notices.

10. Mergers, Acquisitions & Successors

10.1. In the event of a merger, acquisition, or sale of assets involving Aura, Personal Data may be transferred to the acquiring entity provided that such entity assumes obligations under this DPA or adopts data protection standards at least as protective.

11. Term, Termination, and Amendments

Amendments: Aura may update this DPA from time to time by posting a revised version at https://aura300.ai/dpa with at least 30 days' written notice to the Client. Continued use of the Services after the notice period constitutes acceptance of the updated DPA. Where a material change is required by applicable data protection law, Aura may implement the change with shorter notice.


11.1. This DPA shall remain in effect for the duration of the Agreement and thereafter as long as Aura retains Personal Data on behalf of the Client.

© 2026 Aura 300 Inc. — Delaware C-Corp. All rights reserved.

🇦🇺 Australia

🇮🇪 Ireland

🇬🇧 United Kingdom

🇺🇸 United States