Data Processing Agreements
Last updated: March 6, 2026
1. Overview
In accordance with Article 28 of the General Data Protection Regulation (GDPR), AOVANCY maintains Data Processing Agreements (DPAs) with all third-party service providers who process personal data on our behalf. This page provides transparency about our sub-processors, the data they process, and the safeguards in place for international data transfers.
AOVANCY acts as the Data Controller for personal data collected through the platform. Our sub-processors act as Data Processors under our instructions and are bound by contractual obligations to ensure the security and lawful processing of personal data.
2. Sub-Processors
The following third-party service providers process personal data on behalf of AOVANCY:
| Sub-Processor | Purpose | Data Categories | Location | Transfer Mechanism |
|---|---|---|---|---|
| Supabase Inc. | Database hosting, authentication, file storage | Account data, profile information, product data, order records, uploaded files | United States | EU-US Data Privacy Framework + Standard Contractual Clauses (SCCs) |
| Stripe Inc. | Payment processing, identity verification, payout disbursement | Name, email, payment method details (processed by Stripe, not stored by AOVANCY), transaction history | United States | EU-US Data Privacy Framework + Standard Contractual Clauses (SCCs) |
| Google LLC (Gemini API) | AI-powered content generation for courses and ebooks | User-provided prompts, course topics, generated content (no personal data required) | United States | EU-US Data Privacy Framework + Standard Contractual Clauses (SCCs) |
| Vercel Inc. | Application hosting, CDN, serverless functions | IP addresses, request metadata, server-side session data | United States (edge: global) | EU-US Data Privacy Framework + Standard Contractual Clauses (SCCs) |
| Resend Inc. | Transactional email delivery | Email addresses, email content (purchase confirmations, notifications) | United States | Standard Contractual Clauses (SCCs) |
3. International Data Transfers
AOVANCY transfers personal data to sub-processors located in the United States. These transfers are conducted in compliance with Chapter V of the GDPR using the following mechanisms:
- EU-US Data Privacy Framework (DPF): Supabase, Stripe, Google, and Vercel are certified under the EU-US Data Privacy Framework, which was granted an adequacy decision by the European Commission on July 10, 2023 (Commission Implementing Decision (EU) 2023/1795).
- Standard Contractual Clauses (SCCs): As a supplementary safeguard, we maintain Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with all US-based sub-processors. These SCCs ensure that personal data receives an adequate level of protection regardless of changes to adequacy decisions.
4. Data Processing Agreement Terms
Each DPA with our sub-processors includes the following obligations as required by Article 28(3) GDPR:
- Processing personal data only on documented instructions from AOVANCY
- Ensuring that persons authorized to process personal data are bound by confidentiality obligations
- Implementing appropriate technical and organizational security measures
- Assisting AOVANCY in responding to data subject rights requests
- Assisting with data breach notification obligations
- Deleting or returning all personal data at the end of the service relationship
- Making available all information necessary to demonstrate compliance with Article 28
- Allowing and contributing to audits and inspections
5. Your Rights
As a data subject, you have the right to request information about how your personal data is processed by our sub-processors. You may also exercise your rights under GDPR Articles 15-22 by contacting us at privacy@aovancy.com.
If you have concerns about the processing of your data by any of our sub-processors, you may lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) at www.dataprotection.ro.
6. Updates
We will update this page when we add or change sub-processors. Material changes will be communicated to users via email notification at least 30 days in advance, in accordance with our Privacy Policy.
7. Contact
For questions about our data processing agreements or to request copies of our DPAs/SCCs, contact our Data Protection team at privacy@aovancy.com.