Skip to main content

Data Processing Agreement (DPA)

Last updated: November 6, 2025 | GDPR Article 28 Compliant

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer", "Data Controller") and BrainPredict OÜ ("Processor") and governs the processing of personal data in compliance with GDPR (EU Regulation 2016/679).

Key Definitions:

  • Data Controller: Customer (you) - determines purposes and means of processing
  • Data Processor: BrainPredict OÜ - processes data on behalf of Customer
  • Personal Data: Any data uploaded to BrainPredict services that identifies individuals
  • Sub-processor: Third-party service providers used by BrainPredict (see Section 6)

2. Scope and Purpose of Processing

BrainPredict processes personal data only for the following purposes:

  • Providing AI-powered business intelligence and predictive analytics services
  • Training and improving AI models (only with federated learning opt-in)
  • Technical support and troubleshooting
  • Billing and subscription management
  • Security monitoring and incident response

Data Location: All personal data is processed and stored exclusively in EU data centers (Germany) operated by Hetzner Online GmbH.

3. Customer's Obligations (Data Controller)

As Data Controller, Customer must:

  • Ensure lawful basis for processing (consent, contract, legitimate interest, etc.)
  • Provide privacy notices to data subjects
  • Obtain necessary consents for data processing
  • Ensure data accuracy and completeness
  • Respond to data subject requests (access, deletion, portability)
  • Notify BrainPredict of any data protection concerns

4. BrainPredict's Obligations (Data Processor)

As Data Processor, BrainPredict will:

  • Process personal data only on documented instructions from Customer
  • Ensure personnel processing data are bound by confidentiality
  • Implement appropriate technical and organizational security measures (see Section 7)
  • Engage sub-processors only with Customer's prior authorization (see Section 6)
  • Assist Customer in responding to data subject requests
  • Assist Customer with data protection impact assessments (DPIAs)
  • Delete or return personal data upon termination (see Section 9)
  • Make available all information necessary to demonstrate GDPR compliance
  • Notify Customer of data breaches within 24 hours (see Section 8)

5. Data Subject Rights

BrainPredict will assist Customer in fulfilling data subject rights under GDPR Articles 15-22:

RightBrainPredict's Assistance
Access (Art. 15)Provide data export within 7 days
Rectification (Art. 16)Enable Customer to update data via portal
Erasure (Art. 17)Delete data within 30 days of request
Portability (Art. 20)Provide data in JSON/CSV format
Object (Art. 21)Stop processing upon Customer instruction

Response Time: BrainPredict will respond to Customer's assistance requests within 5 business days.

6. Sub-processors

Customer authorizes BrainPredict to engage the following sub-processors:

Authorized Sub-processors:

  • Hetzner Online GmbH (Germany) - Infrastructure hosting, data storage
  • Stripe, Inc. (USA/Ireland) - Payment processing (PCI-DSS compliant)
  • Proton AG (Switzerland) - Email service (end-to-end encrypted, GDPR compliant)
  • Microsoft Corporation (USA/EU) - Microsoft Teams integration for calendar and meeting management (optional feature)

Sub-processor Changes: BrainPredict will notify Customer at least 30 days before adding new sub-processors. Customer may object within 14 days. See complete list at /legal/subprocessors.

7. Security Measures

BrainPredict implements the following technical and organizational measures:

  • Encryption: AES-256 encryption at rest, TLS 1.3 in transit
  • Access Controls: Role-based access control (RBAC), multi-factor authentication
  • Network Security: Firewalls, intrusion detection, DDoS protection
  • Data Segregation: Multi-tenant architecture with logical data isolation
  • Backup & Recovery: Daily encrypted backups, 30-day retention
  • Audit Logging: Comprehensive logs retained for 12 months
  • Vulnerability Management: Regular security assessments and penetration testing
  • Incident Response: 24/7 security monitoring and incident response team

8. Data Breach Notification

In the event of a personal data breach, BrainPredict will:

  1. Notify Customer within 24 hours of becoming aware of the breach
  2. Provide details: nature of breach, affected data categories, estimated number of data subjects
  3. Describe likely consequences and mitigation measures taken
  4. Provide contact point for further information
  5. Assist Customer in notifying supervisory authorities (if required within 72 hours)

9. Data Deletion and Return

Upon termination of services, BrainPredict will:

  • 30-Day Grace Period: Customer can export data for 30 days after cancellation
  • Data Export: Provide all personal data in machine-readable format (JSON/CSV)
  • Secure Deletion: Permanently delete all personal data after 30 days using secure erasure methods
  • Backup Deletion: Delete data from all backups within 90 days
  • Certification: Provide written confirmation of deletion upon request

10. Audits and Compliance

Customer has the right to audit BrainPredict's compliance:

  • Documentation: BrainPredict will provide compliance documentation upon request
  • Third-Party Audits: Annual SOC 2 Type II and ISO 27001 audit reports available
  • On-Site Audits: Enterprise customers may conduct on-site audits with 30 days notice (max once per year)
  • Audit Costs: Customer bears costs of on-site audits unless non-compliance is found

11. Contact Information

BrainPredict OÜ - Data Protection Officer

Email: privacy@brainpredict.ai

Address: Harju maakond, Tallinn, Kesklinna linnaosa, Jõe tn 3-314, 10151, Estonia

Registry Code: 17352111

VAT: EE102917871