Version 1.0 — Effective April 2026 — Multiuniversal UAB, Vilnius, Lithuania
This Data Processing Agreement ("DPA") forms part of the service agreement between Multiuniversal UAB ("Processor") and the client ("Controller"). It applies automatically to all engagements in which Multiuniversal processes personal data on behalf of the Controller. No separate signature is required — commencement of a service engagement constitutes acceptance of these terms.
For questions about this DPA, contact us at privacy@multiuniversal.com.
- Definitions
- Scope and roles
- Processor obligations
- Controller obligations
- Sub-processors
- Security measures
- Data subject rights
- Personal data breaches
- International transfers
- Audit rights
- Term and termination
- Governing law
- Processing schedule
Definitions
In this DPA:
- "Controller" means the client who determines the purposes and means of processing personal data.
- "Processor" means Multiuniversal UAB, acting on the Controller's instructions.
- "Personal Data", "Data Subject", "Processing", "Supervisory Authority", and "Personal Data Breach" have the meanings given in the GDPR.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
- "Services" means the AI infrastructure, automation, or integration services provided by the Processor under the applicable service agreement.
- "Sub-processor" means any third party engaged by the Processor to carry out processing activities on behalf of the Controller.
Scope and roles
The Processor provides AI infrastructure services that may involve the processing of personal data on behalf of the Controller. In this context:
- The Controller is the data controller responsible for determining the lawful basis and purpose of processing.
- The Processor processes personal data solely on documented instructions from the Controller and for no other purpose.
- The specific categories of personal data processed, the nature of processing, and the duration are set out in the Processing Schedule agreed per engagement.
Processor obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller, unless required to do so by Union or Member State law.
- Ensure that persons authorised to process the personal data are bound by confidentiality obligations.
- Implement appropriate technical and organisational security measures in accordance with Section 6.
- Assist the Controller in fulfilling its obligations to respond to data subject requests under Section 7.
- Assist the Controller in ensuring compliance with its obligations under GDPR Articles 32–36 (security, breach notification, DPIA, prior consultation).
- At the Controller's choice, delete or return all personal data to the Controller upon termination of the Services, and delete existing copies unless Union or Member State law requires retention.
- Make available all information necessary to demonstrate compliance with this DPA and cooperate with audits as set out in Section 10.
- Notify the Controller immediately if, in the Processor's opinion, an instruction infringes the GDPR or other applicable data protection law.
Controller obligations
The Controller shall:
- Ensure it has a valid lawful basis under GDPR Article 6 for all personal data provided to the Processor.
- Provide documented instructions for processing and notify the Processor promptly of any changes.
- Ensure that data subjects have been informed of the processing, as required by GDPR Articles 13 and 14.
- Not instruct the Processor to carry out any processing that would violate applicable law.
Sub-processors
The Processor shall not engage sub-processors to process the Controller's personal data without the Controller's prior written authorisation. Where the Controller provides general written authorisation, the Processor shall notify the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object within 14 days.
Any sub-processor engaged shall be bound by data protection obligations equivalent to those in this DPA. The Processor remains fully liable to the Controller for the performance of sub-processors.
The current list of approved sub-processors used in standard service engagements is maintained by the Processor and provided on request via privacy@multiuniversal.com. By default, AI model inference is performed on Multiuniversal's own on-premises infrastructure and does not involve any external AI provider.
Security measures
The Processor implements technical and organisational measures appropriate to the risk, including:
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ for all data transmission |
| Encryption at rest | Encrypted storage for databases containing personal data |
| Access control | Role-based access; principle of least privilege; strong authentication |
| Data minimisation | Only data necessary for the specified purpose is processed |
| On-premises AI processing | AI inference runs on Multiuniversal's own servers — data does not leave the controlled environment |
| Incident response | Documented breach detection and response procedures |
The Processor reviews and updates these measures periodically in light of technological developments and the nature of the data processed.
Data subject rights
Taking into account the nature of the processing, the Processor shall assist the Controller — by appropriate technical and organisational measures — in fulfilling the Controller's obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection).
Where the Processor receives a data subject request directly relating to the Controller's data, it shall promptly forward it to the Controller and shall not respond to the data subject directly unless instructed to do so.
Personal data breaches
The Processor shall notify the Controller without undue delay — and in any event within 48 hours — after becoming aware of a Personal Data Breach affecting the Controller's data. The notification shall include, to the extent available:
- A description of the nature of the breach, including categories and approximate number of data subjects and records affected
- The name and contact details of the data protection contact at the Processor
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach
The Processor shall cooperate with the Controller and take reasonable steps to mitigate the effects of the breach. The Controller remains responsible for any notifications to supervisory authorities and data subjects under GDPR Articles 33 and 34.
International transfers
The Processor's infrastructure and personnel are located within Lithuania, which is a Member State of the European Union. Personal data processed under this DPA is not transferred outside the European Economic Area by default.
Where a specific engagement requires transfer of personal data to a third country, the Processor shall notify the Controller in advance. Any such transfer shall be subject to an appropriate safeguard under GDPR Chapter V (such as Standard Contractual Clauses or an adequacy decision), implemented prior to the transfer.
Audit rights
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. The Controller (or an auditor mandated by the Controller) may conduct audits or inspections of the Processor's processing activities, subject to:
- Reasonable written notice of at least 14 days
- The audit being conducted during normal business hours and in a manner that does not unreasonably disrupt the Processor's operations
- The auditor being bound by confidentiality obligations equivalent to those in this DPA
The Controller shall bear the costs of any audit unless the audit reveals a material breach of this DPA by the Processor.
Term and termination
This DPA remains in force for the duration of the applicable service agreement. Upon termination or expiry of the service agreement, the Processor shall, within 30 days and at the Controller's election, either return or delete all personal data. The Processor may retain a copy for up to 3 years following termination for the purposes of dispute resolution, audit, and legal claims — after which it shall be securely deleted. During any such retention period, processing is restricted to those purposes only. The Controller may request earlier deletion at any time.
Where retention beyond 3 years is required by applicable Union or Member State law, the Processor shall inform the Controller of the legal requirement and restrict processing to the minimum necessary to comply.
Governing law
This DPA is governed by and construed in accordance with the laws of the Republic of Lithuania. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of Vilnius, Lithuania, unless the applicable service agreement specifies otherwise.
Where the Controller is subject to the laws of another EU Member State, nothing in this DPA limits the Controller's right to lodge a complaint with its local supervisory authority.
Processing schedule
The following schedule is completed per engagement and forms part of this DPA. A signed copy is provided to the Controller prior to commencement of processing.
| Item | Details |
|---|---|
| Controller name and address | To be completed per engagement |
| Description of services | To be completed per engagement |
| Purpose of processing | To be completed per engagement |
| Categories of personal data | To be completed per engagement |
| Categories of data subjects | To be completed per engagement |
| Retention period | To be completed per engagement |
| Approved sub-processors | None by default; listed if applicable |
| International transfers | None by default; mechanism listed if applicable |
To request a completed Processing Schedule for your engagement, or to discuss any aspect of this DPA, contact us at privacy@multiuniversal.com.