01 Our role
For the personal data inside the tools you connect, you remain the data controller and Obvius (L41 Invest) acts as your data processor. A Data Processing Agreement (DPA) under Article 28 of the GDPR governs this relationship and is signed before we connect anything.
02 What we access
We connect only to the accounts you choose, with the narrowest scopes that do the job. We read what a module or automation needs, and we write back only what you have approved. Access is least-privilege and can be revoked at any time.
03 Where your data lives
Your data stays in your own accounts and tools. The working infrastructure we run on your behalf, for analysis, retrieval and automation, is hosted in the European Union wherever possible.
04 Sub-processors
To deliver the service we rely on a limited set of sub-processors. The current list typically includes:
- Vercel Inc., for website and application hosting.
- An EU-hosted database and vector store (for example Supabase, EU region).
- Large-language-model providers (for example OpenAI and Anthropic), configured so your data is not used to train their models.
- A self-hosted n8n instance for automations.
- The email and scheduling tools we use to communicate with you.
05 Sub-processor changes
We keep an up-to-date list of sub-processors and provide it on request. We inform clients before adding a new sub-processor, so they can object.
06 Security measures
- Encryption of data in transit and at rest.
- Credentials stored in a dedicated secret manager, never in plain text.
- Least-privilege, scoped access that can be revoked instantly.
- Access logging and monitoring.
- A breach-notification process in line with the GDPR, with notification without undue delay.
07 Retention and deletion
We keep working copies only for as long as needed to run the service. At the end of an engagement we delete the working copies and hand back access. Your own accounts and data remain untouched and yours.
08 Helping you meet your obligations
We assist you with data-subject requests (access, deletion, portability) for the data we process on your behalf, and we support your audits as set out in the DPA.
09 Request the DPA
To receive our Data Processing Agreement and the current sub-processor list, write to privacy@obvius.studio.