Human Oracles — Data Processing Agreement
Version 1.0 · Issued: 22 February 2026 · Art. 28 GDPR compliant
Parties & Definitions
- Processor
- Human Oracles, sole trader / JDG, Republic of Poland. Contact: rongan@humanoracles.xyz
- Controller
- The developer or organisation that has accepted the Human Oracles Terms of Service and uses the API in a context where personal data of natural persons (end-users) is submitted as question content.
- Service
-
The Human Oracles API available at
api.humanoracles.xyz/v1, enabling AI agents to submit questions to human operators ("Human Oracles") and receive responses. - Personal Data
-
Any information relating to an identified or identifiable natural
person (Art. 4(1) GDPR) that the Controller submits via the
POST /v1/askendpoint in question content, context objects, or metadata. - Processing
- Any operation performed on Personal Data by the Processor on behalf of the Controller, including storage in Azure Cosmos DB, transmission to Human Oracle operators, and deletion per TTL schedules.
- GDPR
- Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation), as implemented in Polish law by the Act on Personal Data Protection (RODO).
- Sub-Processor
- Any third party engaged by the Processor to carry out specific processing activities on Personal Data on behalf of the Controller (see Clause 5).
Clause 1 — Subject Matter & Duration
1.1 The Processor shall process Personal Data on behalf of the Controller solely for the purpose of providing the Service as described in Clause 2, strictly in accordance with the Controller's documented instructions (Clause 3), and for no other purpose.
1.2 This DPA enters into force on the date the Controller first submits personal data of natural persons via the API (the Effective Date) and remains in force until the earlier of: (a) termination of the Controller's account; or (b) written termination notice by either party with 30 days' notice.
1.3 On termination, the Processor's obligations under this DPA continue in respect of any Personal Data retained subject to legal obligations (e.g., payment records retained under Polish accounting law — see Clause 11).
Clause 2 — Nature & Purpose of Processing
| Field | Detail |
|---|---|
| Nature of processing | Collection (receipt via API), storage (Azure Cosmos DB), access (by Human Oracle operators), transmission (webhook delivery to Controller's endpoint), and deletion (automatic TTL) of Personal Data submitted in question content |
| Purpose of processing | Delivery of the Human Oracles Service — routing question content to a Human Oracle who provides a genuine human response, and returning that response to the Controller via the API or webhook |
| Categories of Personal Data |
Any personal data voluntarily included by the Controller in the
question, context, or
metadata fields of POST /v1/ask. This
may include: names, descriptions of persons, emotional or
psychological information, relationship information, or other
free-text personal data. The Processor does not define or
control the categories submitted.
|
| Special category data (Art. 9) | The Controller must not submit special category data unless a valid Art. 9 legal basis exists. If special category data is submitted, the Controller warrants that the relevant condition under Art. 9(2) is met. |
| Categories of data subjects | End-users of the Controller's product or service; third-party natural persons described or mentioned in submitted question content |
| Retention (Processor-side) | Question records: 90-day automatic TTL. Payment event records: 7-year legal retention (Polish accounting law). Webhook delivery logs: 30 days. Idempotency records: 24 hours. |
Clause 3 — Controller Instructions
3.1 The Controller's documented instructions to the Processor are set
out in this DPA and the Human Oracles Terms of Service. The act of
submitting a question via POST /v1/ask
constitutes a processing instruction to: store the question content;
transmit it to a Human Oracle for the purpose of generating a
response; return the response to the Controller; and delete the record
after 90 days.
3.2 The Controller may issue additional or modified instructions in writing to rongan@humanoracles.xyz. The Processor shall follow such instructions unless they would require the Processor to act contrary to applicable law. Where the Processor believes an instruction would violate GDPR, it shall promptly inform the Controller before proceeding.
3.3 The Processor shall not process Personal Data for any purpose other than those specified in Clause 2, including without limitation: training AI models; sharing with third parties for commercial purposes; profiling data subjects; or retaining data beyond the applicable TTL.
Clause 4 — Processor Obligations (Art. 28(3) Checklist)
The Processor warrants and undertakes the following obligations as required by Art. 28(3) GDPR:
4(a) — Process only on documented instructions
The Processor shall process Personal Data only on documented instructions from the Controller (Clause 3). Where the Processor is required to process Personal Data by EU or Member State law, it shall inform the Controller before processing, unless prohibited from doing so on grounds of public interest.
4(b) — Confidentiality obligations on authorised persons
The Processor shall ensure that all persons authorised to process Personal Data (Human Oracle operators) are subject to confidentiality obligations — either by contract or by statutory duty. Operators are contractually prohibited from: retaining copies of question content; sharing question content outside the dashboard; using question content for purposes other than generating a response within the Service.
4(c) — Implement appropriate security (Art. 32)
The Processor shall implement the technical and organisational security measures described in Clause 7 of this DPA.
4(d) — Respect sub-processor conditions
The Processor shall not engage sub-processors without the Controller's general written authorisation. The Controller provides general authorisation for the sub-processors listed in Clause 5. The Processor shall inform the Controller of any intended addition or replacement of sub-processors, giving the Controller the opportunity to object.
4(e) — Assist with data subject rights
The Processor shall assist the Controller in fulfilling its obligations to respond to data subject rights requests, to the extent the Processor holds Personal Data relevant to such requests. See Clause 8.
4(f) — Assist with Art. 32–36 obligations
The Processor shall assist the Controller in ensuring compliance with Arts. 32 (security), 33 (breach notification), 34 (communication to data subjects), 35 (DPIA), and 36 (prior consultation), taking into account the nature of processing and information available to the Processor. The Processor's DPIA (see gdpr/breach#dpia) is available for Controller reference.
4(g) — Delete or return data on termination
At the choice of the Controller, the Processor shall delete or return all Personal Data on termination of this DPA, and delete existing copies, unless EU or Member State law requires storage. See Clause 11.
4(h) — Provide information for audits
The Processor shall make available all information necessary to demonstrate compliance with Art. 28 GDPR, and shall allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor. See Clause 10.
Clause 5 — Sub-Processors
5.1 The Controller provides general written authorisation for the Processor to engage the following sub-processors. Each sub-processor is bound by a written contract imposing equivalent data protection obligations, including via EU Standard Contractual Clauses (SCCs) where applicable.
| Sub-Processor | Role | Personal Data accessed | Location | Transfer mechanism |
|---|---|---|---|---|
| Microsoft Azure | Cloud infrastructure: Cosmos DB (storage), Azure Functions (processing), Key Vault (secrets), Front Door (routing), Static Web Apps (hosting) | All Personal Data submitted via API — stored and processed in Azure Cosmos DB EU region | EU (primary); US for support operations | Microsoft Online Services DPA; SCCs (2021); EU–US Data Privacy Framework |
| Google Firebase / Google Cloud | Operator authentication — Firebase Auth for internal Human Oracle operators only | Operator email addresses and credentials only. No end-user Personal Data. | United States | Google Cloud Data Processing Amendment; SCCs; EU–US Data Privacy Framework |
| Coinbase / CDP Facilitator | x402 payment verification — verifying USDC payments on Base blockchain | Payment transaction data only (USDC amount, tx hash, wallet address). No question content or end-user Personal Data. | United States; Base blockchain is a global public ledger | Coinbase CDP Terms; SCCs where applicable |
5.2 The Processor shall notify the Controller of any intended addition or replacement of sub-processors with at least 14 days' notice by updating this page and emailing the Controller's registered address. The Controller may object to a new sub-processor in writing within 14 days. If the Controller objects and the parties cannot resolve the objection, the Controller may terminate this DPA without penalty.
5.3 Where sub-processors fail to fulfil their data protection obligations, the Processor remains fully liable to the Controller for the performance of those obligations to the extent the Processor is liable under Art. 82 GDPR.
Clause 6 — Confidentiality
6.1 The Processor shall keep all Personal Data confidential and shall not disclose it to any third party except: (a) to sub-processors listed in Clause 5 to the extent necessary for the Service; (b) to Human Oracle operators to the minimum extent necessary to generate a response to the submitted question; (c) as required by EU or Member State law, in which case the Processor shall notify the Controller before disclosure where legally permitted.
6.2 Human Oracle operators are natural persons engaged by the Processor to read question content and provide responses. They are contractually bound by confidentiality obligations equivalent to those in this Clause. The Processor shall not permit operators to: retain notes or copies of question content after submitting a response; share question content with any person not authorised by the Processor; or use question content for any purpose other than generating a response within the Service.
6.3 The Processor shall not use Personal Data for training, fine-tuning, or improving any AI model, system, or product — whether its own or a third party's.
6.4 The confidentiality obligations in this Clause survive termination of this DPA indefinitely with respect to Personal Data processed during the term.
Clause 7 — Security (Art. 32)
7.1 The Processor implements the following technical and organisational measures appropriate to the risk, as required by Art. 32 GDPR:
Technical Measures
- Encryption in transit: TLS 1.2+ enforced on all API endpoints and dashboard connections. HTTP requests rejected or redirected.
- Encryption at rest: Azure Cosmos DB encrypts all data at rest using AES-256 (managed by Microsoft). Azure Key Vault manages webhook secrets with hardware security module (HSM) backing.
- API key protection: Raw API keys are never stored. Only the SHA-256 hash of the API key is stored in Cosmos DB. The raw key is displayed once at creation and never retrievable thereafter.
-
Partition-key isolation: Cosmos DB point-reads use
composite keys
(partition_key=agent_id, id=question_id)— preventing cross-tenant data reads at the database level. -
Access control: Every API request enforces
resource.agent_id == auth.agent_id; unauthorized lookups return 404 (no ID enumeration). - DDoS protection: Azure Front Door with WAF (Web Application Firewall) provides L3/L4/L7 DDoS mitigation.
- SSRF protection: Webhook URLs are validated against an allowlist/blocklist at registration, blocking private IP ranges, cloud metadata endpoints, and localhost.
- Webhook signing: HMAC-SHA256 signatures on all webhook payloads with timestamp-based replay window defense (5-minute window).
-
Operator authentication: Firebase Auth with
email/password; MFA recommended and being enforced. Dashboard
restricted to
ops.humanoracles.xyzdomain with CORS controls.
Organisational Measures
- Need-to-know access: Human Oracle operators see only question content — not agent account identity, email, wallet address, or payment data.
- Manual operator onboarding: No self-registration for operators. Accounts created manually by admin only, limiting the number of persons with access to question content.
- Confidentiality obligations: All operators bound by contractual confidentiality obligations (Clause 6).
- Breach procedure: Written breach response procedure maintained at gdpr/breach. 72-hour UODO notification target.
- Periodic review: Security measures reviewed annually or on material change, in conjunction with DPIA and RoPA review.
7.2 The Controller acknowledges that no system can guarantee absolute security. The Processor shall promptly notify the Controller of any breach affecting Personal Data in accordance with Clause 9.
Clause 8 — Data Subject Rights Assistance
8.1 The Processor shall, taking into account the nature of processing, assist the Controller by appropriate technical and organisational measures — insofar as possible — to fulfil the Controller's obligations to respond to data subject rights requests under Arts. 15–22 GDPR.
8.2 Where the Processor receives a data subject rights request directly from a data subject whose data was submitted by the Controller, the Processor shall:
- Not respond directly to the data subject on the Controller's behalf (unless the Controller has explicitly authorised this in writing)
- Forward the request to the Controller's registered contact email within 5 business days of receipt
- Provide the Controller with the information the Processor holds about that data subject, to the extent technically feasible, within 15 business days
8.3 Specific assistance the Processor can provide:
- Access (Art. 15): Export of question records, payment events, and webhook delivery logs associated with the Controller's account that contain the data subject's personal data — delivered in JSON format.
- Erasure (Art. 17): Deletion of question records (if within the 90-day TTL window). Payment records subject to 7-year legal retention cannot be erased — the Processor will pseudonymize the Controller's account reference within payment records to the extent technically feasible.
- Restriction (Art. 18): The Processor can flag specific question records for non-processing pending resolution of a restriction request.
- Portability (Art. 20): JSON export of question content records associated with the Controller's submissions.
8.4 The Processor charges no additional fee for reasonable assistance under this Clause. For requests requiring disproportionate effort, the Processor shall notify the Controller in advance and may agree a reasonable fee.
Clause 9 — Breach Notification Chain
9.1 The Processor shall notify the Controller of any personal data breach affecting Personal Data processed under this DPA without undue delay and, where feasible, within 48 hours of becoming aware of it — giving the Controller time to meet its own 72-hour UODO notification obligation under Art. 33 GDPR.
9.2 Breach notifications to the Controller shall be sent to the registered email address on the Controller's account and shall include, to the extent known at the time:
- The nature of the breach (confidentiality, integrity, availability)
- Categories and approximate number of data subjects affected
- Categories and approximate number of Personal Data records affected
- Likely consequences of the breach
- Measures taken or proposed by the Processor to address the breach, including measures to mitigate its possible adverse effects
- The Processor's contact point for further information
9.3 Where complete information is not yet available, the Processor shall provide a preliminary notification and supplement it as further information becomes available. Phased notification is permitted provided the initial notification is sent within 48 hours.
9.4 The Processor is not responsible for determining whether the breach requires notification to UODO or to data subjects under Arts. 33–34 GDPR. That assessment is the Controller's responsibility as data controller.
Clause 10 — Audit Rights
10.1 The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations in this DPA and Art. 28 GDPR, including:
- This DPA and the sub-processor list (Clause 5)
- The RoPA (gdpr/index.html) documenting all processing activities
- The Breach Response Procedure and DPIA (gdpr/breach)
- Confirmation of the security measures in place (Clause 7)
10.2 The Controller may, on reasonable written notice of at least 30 days and no more than once per 12-month period, conduct or commission an audit of the Processor's compliance with this DPA. The Controller shall bear the costs of such audit unless the audit reveals a material breach, in which case the Processor shall bear reasonable costs.
10.3 Audits shall be conducted during normal business hours, with minimum disruption to the Processor's operations, and subject to appropriate confidentiality obligations on the auditor.
10.4 The Processor may satisfy audit requests by providing third-party audit reports (e.g., SOC 2 reports from Microsoft Azure or Firebase) where these cover the relevant processing activities, in lieu of a direct audit.
Clause 11 — Deletion & Return on Termination
11.1 On termination of this DPA for any reason, the Processor shall, at the Controller's written choice and within 30 days of receiving that choice:
- Delete: Delete all Personal Data processed under this DPA that is not subject to mandatory legal retention; or
- Return: Provide a JSON export of all question records and associated data held by the Processor at termination, and delete the original copies after confirmed receipt by the Controller.
11.2 The following data cannot be deleted on termination due to mandatory legal retention obligations:
- Payment event records: Retained for 7 years from the date of transaction — mandatory under Polish accounting law (ustawa o rachunkowości) and tax law. The Processor shall pseudonymize the Controller's account identifiers within these records to the extent technically feasible while preserving accounting integrity.
11.3 The Processor shall provide written confirmation of deletion to the Controller within 30 days of completing the deletion process, specifying which data was deleted and which was retained (and the legal basis for retention).
11.4 Question records with a remaining TTL are automatically deleted within 90 days of creation regardless of DPA termination — this automatic deletion satisfies the Processor's obligations under this Clause for question content.
Clause 12 — Governing Law & Signatures
Governing Law
This DPA is governed by and construed in accordance with the laws of the Republic of Poland, without regard to conflict of law principles. Disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of Poland, without prejudice to any mandatory data protection enforcement competence of UODO or the Controller's local supervisory authority.
Order of Precedence
In the event of any conflict between this DPA and the Human Oracles Terms of Service, this DPA prevails with respect to the processing of Personal Data. The Terms of Service govern all other aspects of the commercial relationship.
Amendments
The Processor may amend this DPA to comply with changes in applicable data protection law or regulatory guidance. Material amendments will be notified to Controllers via the email address on their account with 30 days' notice. Continued use of the Service after the notice period constitutes acceptance of the amended DPA. If the Controller does not accept material amendments, it may terminate its account without penalty.
Signatures — Standard Terms Acceptance
For most Controllers, this DPA is accepted by conduct — by using the Human Oracles API in a context where personal data of natural persons is submitted, the Controller accepts the terms of this DPA in full. No wet signature is required for standard use.
A countersigned version of this DPA (for enterprise contracts, regulated industries, or Controllers that require a signed instrument) is available on request. Contact rongan@humanoracles.xyz with subject line "DPA Signature Request" to arrange.
Review Log
| Version | Date | Changes |
|---|---|---|
| 1.0 | 22 February 2026 | Initial publication — 12 clauses covering Art. 28(3) requirements, sub-processor register, security (Art. 32), breach notification chain (48h to Controller), data subject rights assistance, audit rights, and deletion/return on termination. |