Data Processing Agreement

Article 28 GDPR · Article 39 LGPD · California CCPA · Japan APPI · UK DPA

Version: 1.0  ·  Effective date: 2026-04-21  ·  Controller: Customer  ·  Processor: Brainiall Inc.

Who this is for. This Data Processing Agreement (DPA) forms part of the Brainiall Terms of Service between Brainiall Inc. ("Brainiall", "Processor") and the Customer ("Controller") for any processing of personal data subject to the GDPR (EU 2016/679), LGPD (Brazil Law 13.709/2018), Japan APPI (Act 57/2003), UK DPA, California CCPA, or other applicable privacy laws. It governs enterprise and business-tier use of the Brainiall chat, Studio, Academy, and API services.

1. Definitions

Terms such as personal data, processing, controller, processor, data subject, supervisory authority, and personal data breach have the meanings given in Article 4 GDPR and Article 5 LGPD. "Services" means the Brainiall platform as accessed by Customer via web, mobile, or API.

2. Scope and Roles

Customer acts as the Controller of personal data submitted to the Services. Brainiall acts as the Processor, processing such data exclusively on Customer's documented instructions (the Agreement, DPA, and any written directions).

Brainiall processes on behalf of Customer the categories of personal data that Customer chooses to submit: typically chat prompts, uploaded files, memory entries, and the identifiers necessary to authenticate and bill Customer's users (email, name, avatar URL, session IDs).

3. Nature and Purpose of Processing

4. Duration

Processing lasts as long as Customer's subscription is active, plus a retention window necessary to meet legal, accounting, and fraud-prevention obligations. Upon termination, Brainiall will delete or anonymize Customer personal data within 30 days, subject to backup retention not exceeding 90 days.

5. Processor Obligations

  1. Documented instructions. Brainiall processes personal data only on Customer's documented instructions and promptly informs Customer if an instruction appears to violate applicable law.
  2. Confidentiality. Brainiall ensures that personnel authorized to process personal data are bound by confidentiality obligations.
  3. Security (Article 32 GDPR). See Section 7 below.
  4. Sub-processors. See Section 8 below.
  5. Data subject rights. Brainiall assists Customer in responding to data-subject requests (access, rectification, erasure, restriction, portability, objection) via the Services' self-service controls and, where necessary, via compliance@brainiall.com.
  6. Breach notification. Brainiall notifies Customer of any personal data breach affecting Customer data without undue delay, and in any event within 72 hours of confirmed discovery.
  7. DPIA assistance. Brainiall provides reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities.
  8. Deletion/return. At Customer's choice, Brainiall deletes or returns all personal data at end of processing (see Section 4).
  9. Audits. Brainiall makes available information necessary to demonstrate compliance and allows for audits — typically by providing third-party certifications, SOC-aligned reports, and written responses to standard security questionnaires. Onsite audits are available to qualifying enterprise customers under mutually agreed scope.

6. Controller Obligations

Customer warrants that it has the lawful basis to submit personal data to the Services and to instruct Brainiall to process it. Customer is responsible for the lawfulness of the data it submits, for configuring its own users' access, and for honoring its own obligations as Controller (transparency, lawful basis, data-subject communication).

7. Security Measures (Article 32 GDPR)

Brainiall implements and maintains the following technical and organizational measures ("TOMs"):

Category | Measure
Encryption in transit | TLS 1.2+ for all client–server traffic; HSTS enforced; TLS 1.3 preferred.
Encryption at rest | AES-256 for database and object storage; per-service managed keys.
Access control | Role-based access control; SSO/OAuth for Customer-side users; least privilege for Brainiall personnel; audit logging of privileged access.
Network | Private-network boundaries between the public edge (Caddy) and the inference/data tier; default-deny firewall rules.
Secrets | Managed secret vault; rotation policy; no secrets in source control.
Integrity | Daily backups with 14-day retention; point-in-time recovery for the primary database; checksumming for object storage.
Observability | Structured logging, telemetry ring buffers, error-rate alerting; hourly synthetic smoke tests.
Incident response | Documented runbook, on-call rotation, 72-hour breach notification commitment.
Personnel | Background checks where legally permitted; annual security training; NDA.

8. Sub-processors

Customer authorizes Brainiall to engage sub-processors to provide the Services. Brainiall imposes written obligations on each sub-processor that are no less protective than this DPA.

Current sub-processors (updated at /subprocessors):

Sub-processor | Purpose | Location
Cloud infrastructure providers | Hosting, compute, storage | US, EU
AI infrastructure partners | Model inference (text, image, audio, video) | US, EU *
Stripe | Payment processing | US, EU (per customer region)
Google (OAuth only) | Authentication | US
Transactional email provider | Account, billing, and support email delivery | US, EU
Observability/error-tracking | Logs, metrics, incident triage | US, EU

* Enterprise customers under signed NDA may request provider-level disclosures via compliance@brainiall.com. Brainiall maintains contractual guarantees with all AI model partners that Customer data is not used to train third-party models and is retained only as required for inference completion and abuse prevention.

Brainiall notifies Customer of intended additions or replacements of sub-processors with at least 30 days' notice via the Services and to the Customer's notification email. Customer may object in writing within that window. Where reasonable technical alternatives exist, Brainiall will accommodate the objection; otherwise, Customer may terminate the affected Services for cause.

9. International Data Transfers

Where personal data originating in the EEA, UK, Switzerland, or Brazil is transferred to a country without an adequacy decision, Brainiall relies on the EU Standard Contractual Clauses (2021/914), the UK International Data Transfer Addendum, ANPD-recognized transfer mechanisms, and — for transfers involving Japanese data subjects — the consent and safeguards required under APPI Articles 24 and 28, as applicable. These clauses are incorporated by reference when the transfer occurs.

10. Data Subject Rights

The Services provide self-service controls for data subjects to access, export, delete, and correct their personal data via the Brainiall account UI. Where a data-subject request exceeds the self-service controls, Brainiall assists Controller through compliance@brainiall.com within 15 business days.

11. Liability and Term

Each party's liability under this DPA is subject to the limitations set out in the Agreement. This DPA terminates automatically upon termination of the underlying Agreement, except clauses that by their nature survive (confidentiality, post-termination deletion, audit records).

12. Conflict

In the event of conflict between the Agreement and this DPA regarding personal-data processing, this DPA prevails. In the event of conflict with the EU Standard Contractual Clauses, the Standard Contractual Clauses prevail.

13. Governing Law and Venue

This DPA is governed by the law of the Agreement, except that, for processing of personal data subject to GDPR or LGPD, mandatory data-protection laws apply regardless.

Need a signed copy?

Enterprise customers can request an executable version of this DPA with attached SCCs and company-specific addenda by contacting our compliance team.

14. Contact

Data protection inquiries: compliance@brainiall.com
Security: security@brainiall.com
General support: support@brainiall.com