Data Processing Agreement (DPA)
Last Updated: March 02, 2026
Self-Hosted, Zero-Retention Architecture
Zirelia operates on a "Bring Your Own Infrastructure" model. The Software runs
entirely on your infrastructure — the Author has no access to your data, credentials, or generated
content.
1. Definitions and Roles
For the purposes of GDPR and applicable privacy regulations:
- Controller: The User who downloads, installs, and operates the Software and is
responsible for the personal data processed by their instance.
- Author: Antonio Trento — provides the Software under ELv2 license but has no
access to the User's data.
- User Data: Any information processed by the Software instance, including persona
configurations, API credentials, generated posts, and images stored in the User's database.
2. Nature of Processing (Zero-Retention)
The Software is designed to operate in a fully self-contained mode:
- Local Processing: Data (persona configs, prompts, generated content) is processed
exclusively within the User's infrastructure (RAM and PostgreSQL database).
- No Remote Storage by Author: The Author does not own, manage, or have any access
to databases containing User Data.
- Third-Party APIs: Data transits from the User's server to third-party APIs
(OpenAI, Replicate, Twitter/X) as configured by the User. These are direct connections under the
User's own accounts and credentials.
- Local Logs: Operational logs are saved locally on the User's filesystem and are
never sent to the Author.
3. AI-Generated Content & Data Protection
Zirelia generates text and images using AI models. From a data protection perspective:
- Persona configurations (including physical trait descriptions) are stored only in the User's
config/persona.yaml and database.
- Generated images are stored in the User's file system or cloud storage as configured.
- If the persona involves real-person data or likeness, the User (as Controller) is responsible for
ensuring a lawful basis for processing under GDPR Art. 6.
- The User must ensure AI-generated content does not violate applicable synthetic media laws
(e.g., EU AI Act, local deepfake regulations).
4. Security Measures
The Software incorporates security measures by design (Privacy by Design):
- All external API connections use HTTPS/TLS.
- Credentials are managed via Environment Variables (.env), never hard-coded.
- No hidden telemetry or data exfiltration mechanisms are included in the Software.
- The Software is open-source — users may audit the full source code on GitHub.
5. Sub-processors
Since the Software is self-hosted, the User has direct control over all sub-processors by configuring
the respective API keys. Key sub-processors (configured by the User, not by the Author) include:
- OpenAI / Anthropic: LLM inference for content generation.
- Replicate (Black Forest Labs FLUX.1): Image generation.
- Twitter/X API: Social media publishing.
- PostgreSQL: Local data persistence (on User's infrastructure).
The Author does not act as a contractual intermediary toward these providers.
6. User Responsibilities as Controller
As the Controller, the User is responsible for:
- Ensuring a lawful basis for all data processing performed by their instance.
- Securing their .env file and API credentials.
- Complying with GDPR, CCPA, and other applicable regulations for any personal data processed.
- Reviewing AI-generated content before publication to ensure compliance with platform ToS and law.
- Implementing appropriate retention policies for data stored in their local database.
7. Audits and Compliance
The Software is fully open-source under the Elastic License 2.0. Users may audit the complete source
code on GitHub to verify the absence of backdoors, hidden data collection, or exfiltration mechanisms.
8. Contact
For DPA-related inquiries: info@antoniotrento.net