RA WorkshopRA Workshop Dark Logo
PricingDownload
Sign inBook a demo
  1. Home
  2. Legal
  3. DPA
DRAFT FOR LEGAL REVIEW — NOT YET EFFECTIVE. This document is published for counsel review only and does not constitute a binding agreement until formally adopted by Delice Automatics Ltd.

Last updated: 12 July 2026

Document version: v0.1-draft

Data Processing Agreement and Subprocessor Annex (Article 28 GDPR)

This draft DPA and Article 28 schedules describe how Delice Automatics Ltd processes personal data on behalf of business customers using Delice cloud or hosted services, and lists active subprocessors. It is not effective until formally adopted.

Scope

This DPA applies when Delice processes personal data on your instructions as processor in connection with Smart Office Tools, hosted integrations, support portals, RaConnect/MicroAPI services where you are controller, or other Delice services identified in your order.

Roles

You are the controller for customer, employee, and end-user data you upload or cause to be processed. Delice Automatics Ltd acts as processor, except where Delice is an independent controller (for example its own billing, security logging, website operations, or compliance).

Processing instructions

Delice processes personal data only on documented instructions, including those in the main service agreement, this DPA, configuration you apply in the service, and documented support tickets, unless required by EU or Member State law.

Schedule 1 — Processing details

Subject matter: provision of Delice software and hosted services per the main agreement. Duration: term of the service agreement plus deletion period in Schedule 4. Nature and purpose: hosting, synchronisation, support, automation, and related technical operations instructed by you. Categories of data subjects: your customers, employees, and end users you choose to process. Categories of personal data: contact details, account identifiers, content you upload, technical logs, and support materials. Special categories: not intended unless you instruct otherwise and appropriate safeguards are agreed.

Security obligations

Delice implements appropriate technical and organisational measures, including access control, encryption in transit where applicable, logging, backup, and staff confidentiality obligations proportionate to risk.

Schedule 2 — Technical and organisational measures (TOMs)

Measures include: role-based access; authentication for administrative access; encryption in transit (TLS) for remote access; segregation of customer environments where applicable; backup and restore procedures; vulnerability patching; incident logging; staff confidentiality undertakings; and subprocessors bound by written data-protection terms. Detailed TOM descriptions and evidence requests are handled through security documentation and reasonable audits per the Audit section.

Schedule 3 — Processors and third-party disclosures (draft)

This schedule distinguishes Article 28 GDPR processors from independent controllers and data-source disclosures. Facts are subject to final verification before effectiveness. **Article 28 processors (subprocessors)** — process personal data on Delice's instructions when Delice acts as processor for you: • Google LLC (Google Workspace) — email, Drive, Calendar, Chat, Sheets, and related collaboration services used for Delice-hosted and integrated ERP operations. • ElevenLabs, Inc. — Scribe v2 speech-to-text for internal employee call transcription only in the current documented scope (not visitor or marketing audio). **Third-party disclosures (not Article 28 subprocessors under this DPA)** — listed for transparency; separate legal relationships or local processing apply: • Microsoft Corporation (Microsoft Clarity) — independent controller for website analytics and session replay on the public marketing site (raworkshop.bg), loaded only after visitor analytics consent; not a subprocessor for tenant ERP data. • MaxMind, Inc. (GeoLite2) — data licensor for a locally stored City database used in RaConnect/MicroAPI diagnostics; IP lookups run on Delice infrastructure and are not sent to MaxMind per query. • RIPE NCC — independent controller of the public RIPE Database; optional REST lookup when GeoLite2 lacks city-level data for Bulgarian IPs in RaConnect/MicroAPI services. Google Vertex AI is not listed here; it is out of scope for this draft schedule pending separate assessment. Vendor postal addresses, subprocessors' own subprocessors, and exact transfer mechanisms (for example SCCs) are pending final verification and will be listed before the DPA becomes effective. Delice will provide notice of material subprocessor changes as required by GDPR Article 28.

Bulgarian infrastructure and legacy CRM

Delice operates Bulgarian-hosted infrastructure for core ERP and related services and maintains an internal legacy CRM environment operated by Delice for historical business records. Personal data in those environments is processed under Delice's instructions and security policies; they are not marketed as third-party subprocessors but remain under Delice operational control.

Data subject requests

Delice will assist you in responding to data subject requests using appropriate technical measures, to the extent legally permitted and considering the nature of processing.

Personal data breach

Delice will notify you without undue delay after becoming aware of a personal data breach affecting your data, and provide information reasonably required for your regulatory obligations.

Schedule 4 — Return, deletion, and backups

Upon termination, Delice deletes active production copies of your personal data within 30 days after confirmed instructions, unless law requires retention. Encrypted backups may remain inaccessible for up to 90 days for disaster recovery, after which they are overwritten subject to legal hold or restoration duties. You may export your data during the notice period where the service supports export.

Audit

You may request reasonable information necessary to demonstrate compliance. On-site audits may be conducted no more than annually with advance notice, subject to confidentiality, security, and minimal disruption constraints.

Term

This DPA remains in effect for the duration of the service agreement and until deletion/return obligations are fulfilled.

RA WorkshopRA Workshop Dark Logo

Pyramid Software's RA Workshop — 15+ years, 51 countries, 2,000+ fabricators. Locally supported in Bulgaria by RA Workshop Bulgaria.

  • +359 (885) 82 17 84
  • service@delice.bg
  • Golden Class 20, Stara Zagora, Bulgaria
15+ years on the line51 countries30-day money-back

Product

  • RA Workshop Lite
  • RA Workshop Express
  • RA Workshop Professional
  • CNC Add-on
  • Ra Server
  • Smart Office Tools
  • Pricing

Solutions

  • Showrooms
  • Small fabricators (5–50)
  • Factories
  • Dealer networks
  • ROI calculator
  • CNC integrations

Resources

  • Blog
  • Video lessons
  • Free guides
  • Case studies
  • FAQ
  • Online help

Company

  • About
  • Why RA Workshop
  • Contact
  • Book a demo

Legal

  • Legal notice
  • Website terms
  • Privacy notice
  • Cookie policy
  • Delice Software EULA
  • RaConnect / MicroAPI
  • DPA / Subprocessors
  • Consumer withdrawal
  • 30-day refund policy

© 2026 Delice Automatics Ltd. · RA Workshop is a Pyramid Software product

Help centre