Data Processing Agreement

Effective date: February 16, 2026


1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between Nova Carpathians Creations S.R.L. ("Service Provider", "Processor", "we") and the entity or individual subscribing to the Selio AI service ("Customer", "Controller", "you") for the provision of the Selio AI application and related services ("Services").

This DPA is entered into in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and supplements the Terms of Service available at https://selio.dev/terms.

Service Provider details:


2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.

"Processing" means any operation or set of operations performed on Personal Data, as defined in Article 4(2) GDPR.

"Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.

"Sub-processor" means any third party engaged by the Service Provider to process Personal Data on behalf of the Customer.

"Customer Data" means all data, including Personal Data, that is submitted to the Services by or on behalf of the Customer.

"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.


3. Scope and Roles

3.1 Roles

The Customer acts as the Controller (or, where applicable, a Processor acting on behalf of its own Controller) of Personal Data processed through the Services. The Service Provider acts as the Processor of such Personal Data on behalf of the Customer.

3.2 Scope of processing

This DPA applies to all Personal Data processed by the Service Provider in the course of providing the Services, including data submitted, stored, or transmitted through the Selio AI application.


4. Details of Processing

4.1 Subject matter and duration

The Service Provider processes Customer Data for the purpose of providing the Selio AI sales coaching platform, for the duration of the agreement between the parties plus any retention period agreed upon or required by law.

4.2 Nature and purpose of processing

Purpose: Processing activities

  • Account management: Storage and authentication of user credentials, profile data, and organizational settings
  • Call transcription: Real-time audio-to-text conversion via third-party transcription services
  • AI analysis: Processing of transcription data to generate coaching insights, lead scores, call summaries, and follow-up suggestions
  • Knowledge base (RAG): Document ingestion, embedding generation, storage, and retrieval for intelligent search
  • Email follow-up: Processing of email content for draft generation and sending via user-connected Gmail
  • Team management: Processing of user roles, invitations, and organizational hierarchy
  • Usage tracking: Monitoring of AI token consumption for billing and rate limiting

4.3 Categories of Data Subjects

  • Sales agents (employees or contractors of the Customer)
  • Sales managers and administrators (employees of the Customer)
  • Prospects and clients whose conversations are transcribed (third parties)

4.4 Types of Personal Data processed

  • Identity data: names, email addresses, phone numbers
  • Authentication data: hashed passwords, OAuth tokens (encrypted)
  • Professional data: organizational role, business context, industry
  • Communication data: call transcriptions, call recordings (audio transmitted for transcription), email content
  • Behavioral data: call metrics, AI interaction patterns, usage statistics
  • Document data: content of uploaded documents (PDF, DOCX, etc.)
  • Technical data: timezone, language preference, audio device settings

5. Obligations of the Service Provider

5.1 Processing instructions

The Service Provider shall process Customer Data only on documented instructions from the Customer, unless required to do so by applicable law. The documented instructions include the processing activities described in this DPA and the Terms of Service.

5.2 Confidentiality

The Service Provider ensures that all personnel authorized to process Customer Data are bound by obligations of confidentiality, whether contractual or statutory.

5.3 Security measures

The Service Provider implements and maintains appropriate technical and organizational security measures, including:

  • Encryption in transit: All data transmitted between the Application and servers is encrypted using TLS 1.2/1.3.
  • Encryption at rest: Sensitive data (Gmail OAuth tokens) is encrypted with AES-256-GCM. The database is hosted on infrastructure with disk-level encryption.
  • Multi-tenant isolation: Row Level Security (RLS) at the PostgreSQL database level ensures complete data separation between organizations.
  • Access control: Role-based access control (agent, manager, admin) with JWT-based authentication.
  • Credential security: Authentication tokens are stored in the native OS keyring (macOS Keychain / Windows Credential Manager).
  • Least privilege: Each application component has minimal necessary permissions.
  • Content Security Policy: Strict CSP limiting external domain connections.
  • Server-side key management: Third-party API keys are proxied through server-side edge functions and never exposed to the client application.
  • Secure updates: Application binary updates verified via Minisign digital signatures.

5.4 Sub-processors

The Service Provider may engage Sub-processors to assist in providing the Services. The current list of Sub-processors is available at https://selio.dev/subprocessors.

Before engaging a new Sub-processor, the Service Provider shall:

  • Notify the Customer at least 30 days in advance via email or in-app notification.
  • Ensure the Sub-processor is bound by data protection obligations no less protective than those in this DPA.
  • Remain fully liable to the Customer for the performance of the Sub-processor's obligations.

If the Customer objects to a new Sub-processor within 15 days of notification, the parties shall work in good faith to find an alternative. If no resolution is reached, the Customer may terminate the affected Services without penalty.

5.5 No use for AI model training

The Service Provider shall not use Customer Data, including call transcriptions, documents, communications, or any other Customer content, for the purpose of training, developing, or improving artificial intelligence models, machine learning systems, or any automated decision-making technology.

Customer Data is processed solely for the purpose of providing the Services to the Customer. AI-generated outputs (insights, scores, suggestions) are produced through API calls to third-party AI providers, not through models trained on Customer Data.

5.6 Data Subject rights

The Service Provider shall assist the Customer in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection) by:

  • Providing data export functionality (CSV and JSON) within the Application.
  • Enabling account and data deletion through the Application settings or upon request.
  • Providing relevant information about data processing activities upon reasonable request.

5.7 Security incident notification

In the event of a Security Incident, the Service Provider shall:

  • Notify the Customer without undue delay, and in any case no later than 48 hours after becoming aware of the incident.
  • Provide all reasonably available information about the nature and scope of the incident, the data affected, and the remedial measures taken or proposed.
  • Cooperate with the Customer and any supervisory authority in investigating and remediating the incident.

5.8 Data Protection Impact Assessments

Upon reasonable request, the Service Provider shall provide the Customer with information necessary to conduct Data Protection Impact Assessments (DPIAs) as required under Article 35 GDPR.

5.9 Audits

The Service Provider shall make available to the Customer, upon reasonable request and no more than once per year, information necessary to demonstrate compliance with this DPA. This may include:

  • Responses to reasonable audit questionnaires.
  • Summaries of relevant third-party audit reports or certifications (e.g., SOC 2 reports from infrastructure providers).
  • Evidence of security measures and practices.

On-site audits may be conducted with at least 30 days' written notice, during normal business hours, at the Customer's expense, and subject to reasonable confidentiality obligations.


6. Obligations of the Customer

6.1 Lawful processing

The Customer warrants that it has a lawful basis for all Personal Data provided to the Service Provider and that it has provided all necessary notices and obtained all necessary consents for the processing of such data.

6.2 Audio recording consent

The Customer acknowledges that the Services include audio transcription functionality. The Customer is solely responsible for:

  • Ensuring compliance with all applicable laws regarding audio recording and monitoring in all relevant jurisdictions.
  • Obtaining consent from all parties involved in conversations before activating the transcription feature.
  • Informing all parties that the conversation will be processed by an AI system.

6.3 Instructions

The Customer shall ensure that its processing instructions to the Service Provider comply with applicable data protection law.


7. International Data Transfers

7.1 Primary data storage

Customer Data is stored on Supabase servers located in the European Union (AWS Frankfurt, eu-central-1).

7.2 Transfers to third countries

Certain processing activities require the transfer of data to Sub-processors located in the United States. For these transfers, the Service Provider relies on:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Article 46(2)(c) GDPR.
  • Data Processing Agreements with each Sub-processor.
  • Technical measures including encryption in transit (TLS), data minimization, and stateless processing (API calls without permanent storage by the Sub-processor).

7.3 Transfer Impact Assessment

The Service Provider has conducted a Transfer Impact Assessment for each Sub-processor located outside the EEA and has determined that the combination of SCCs and supplementary technical measures provides an adequate level of protection for Customer Data.


8. Data Retention and Deletion

8.1 Retention

Customer Data is retained for the duration of the agreement and in accordance with the retention settings configured by the Customer within the Application (6, 12, 24, or 36 months for call transcriptions and lead scores).

8.2 Deletion upon termination

Upon termination of the agreement:

  • The Service Provider shall delete all Customer Data within 30 days, unless retention is required by applicable law.
  • The Customer may request data export before termination.
  • Deletion is performed through cascade delete at the database level, permanently removing all associated data.
  • The Service Provider shall provide written confirmation of deletion upon request.

8.3 Anonymization

Where the Customer has enabled anonymization settings, data may be anonymized rather than deleted, rendering it no longer Personal Data under GDPR.


9. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service, except that neither party limits its liability for breaches of its confidentiality obligations or for infringement of the other party's intellectual property rights.


10. Term and Termination

This DPA takes effect upon the Customer's acceptance of the Terms of Service and remains in effect for the duration of the Service Provider's processing of Customer Data. The obligations regarding confidentiality, data deletion, and cooperation with supervisory authorities survive termination.


11. Governing Law

This DPA is governed by the laws of Romania and, where applicable, the GDPR and other EU data protection legislation. Any disputes arising under this DPA shall be resolved in accordance with the dispute resolution provisions of the Terms of Service.


12. Contact

For questions or requests related to this DPA:

  • Email: contact@greenlead.ro
  • Company: Nova Carpathians Creations S.R.L.
  • Tax ID (CUI): RO40526927
  • Registration No.: J7/158/2019

This document was published on February 16, 2026, and is effective as of this date.
