Data Processing Agreement

Version 1.0 · Effective: 2026-06-06 · Last reviewed: 2026-06-06

Template: review before launch. This is a click-through DPA modelled on industry standards (Vercel, Stripe, Sentry). Have an EU-qualified lawyer review for your jurisdiction and customer base before treating it as binding for an enterprise contract.

Parties

This Data Processing Agreement ("DPA") forms part of the terms of service between:

This DPA applies to the extent that we process Personal Data on your behalf in providing the Services. It is incorporated by reference into the Terms of Service. Where there is a conflict, this DPA prevails for matters concerning Personal Data.

1. Definitions

Terms not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679) or the Terms of Service. In particular:

2. Roles and responsibilities

You are the Controller of Personal Data you submit to the Services about your end users (your customers, employees, contacts). We are the Processor. We act only on your documented instructions, which are reflected in this DPA and your configuration of the Services.

3. Subject matter, nature, purpose, duration

Subject matter: Provision of the cloud platform Services described in the Terms of Service.
Nature of processing: Storage, hosting, transmission, automated processing required to deliver the Services; agent-based AI processing of content you submit to the Services.
Purpose of processing: Provide and improve the Services; respond to support requests; comply with legal obligations.
Duration: Until the underlying subscription ends, plus our standard data-retention period (see Section 9).
Categories of Data Subjects: Your end users, customers, employees, and any other individuals whose data you choose to process via the Services.
Categories of Personal Data: Identification data (name, email, account credentials); business contact data; usage logs; content you store; payment data processed through Stripe (we never see card numbers).

4. Our obligations

4.1 Processing on instructions

We process Personal Data only on your documented instructions, including transfers, unless required by law. We immediately notify you if we believe an instruction violates GDPR or other data-protection law.

4.2 Confidentiality

All personnel with access to Personal Data are bound by written confidentiality obligations.

4.3 Security measures

We implement appropriate technical and organisational measures (Article 32 GDPR). Concretely:

The full list is maintained at /docs/security-audit.md and available on request.

4.4 Sub-processors

You authorise our use of sub-processors as listed at /legal/sub-processors.html. We will notify you at least 30 days before engaging a new sub-processor; you may object within 14 days for legitimate data-protection reasons (in which case you can terminate the affected Services for a pro-rated refund of pre-paid fees).

4.5 Data subject requests

We provide self-service tooling for Article 15 (access), Article 17 (erasure), and Article 20 (portability) requests; see the "Your data" section of your dashboard. For requests where you require our assistance, contact privacy@biab.cloud; we respond within 30 days.

4.6 Breach notification

We notify you without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach. Our notice will contain the nature of the breach, the categories and approximate number of Data Subjects, the likely consequences, and the measures taken to address and mitigate it.

4.7 Audits

You may audit our compliance with this DPA once per calendar year, at your cost, on at least 60 days' notice, during business hours, and subject to confidentiality. Where appropriate we may satisfy audit requests by providing our most recent third-party assessment report instead of permitting an on-site audit.

4.8 International transfers

Personal Data is hosted on infrastructure located in Germany (Hetzner, Falkenstein). For sub-processors located outside the EEA, we rely on Standard Contractual Clauses (SCCs, Decision 2021/914) and transfer impact assessments.

4.9 Return or deletion at end of contract

On termination, we provide an export of your data via the GDPR-export endpoint within 14 days. Thereafter we delete all Personal Data within 30 days, except where law requires retention (e.g. accounting records).

5. Your obligations

6. Liability

Each party's liability under this DPA is governed by the limitations in the Terms of Service, subject to mandatory law (notably Article 82 GDPR which cannot be contractually limited as between a controller and processor for harm to a data subject).

7. Term and termination

This DPA continues for as long as we process Personal Data on your behalf. The obligations in Sections 4.6 (Breach), 4.7 (Audit) and 4.9 (Return or deletion) survive termination.

8. Governing law and jurisdiction

This DPA is governed by the law specified in the Terms of Service. For matters falling exclusively under GDPR, the law of the EU member state of the Data Subject applies, as required by GDPR.

9. Retention

Category | Retention
Account data (you) | Lifetime of account + 30 days after deletion
Operational logs | 30 days
Audit log | 2 years online, 5 years archived (SOC 2 standard)
Backups | 30 days (older snapshots auto-pruned)
Billing records | 7 years (legal requirement in most EU jurisdictions)

Acceptance

By signing up for or continuing to use the Services after the Effective Date, you accept this DPA. If you require a counter-signed copy for your records, email privacy@biab.cloud with your company name and we will provide a PDF version.

Enterprise customers requiring modifications can request a negotiated DPA via their account manager (available on contracts ≥ €15k/year).

Contact

Data Protection Officer: dpo@biab.cloud
Privacy inquiries: privacy@biab.cloud
Postal: see Terms of Service for company registration details
