Data Processing Agreement
Version 1.0 · Effective: 2026-06-06 · Last reviewed: 2026-06-06
Parties
This Data Processing Agreement ("DPA") forms part of the terms of service between:
- Controller: The customer who subscribes to a paid plan at biab.cloud ("you", "Customer").
- Processor: The legal entity operating biab.cloud and its subsidiary services including agents.biab.cloud ("we", "us", "biab.cloud").
This DPA applies to the extent that we process Personal Data on your behalf in providing the Services. It is incorporated by reference into the Terms of Service. Where there is a conflict, this DPA prevails for matters concerning Personal Data.
1. Definitions
Terms not defined here have the meaning given in the GDPR (Regulation (EU) 2016/679) or the Terms of Service. In particular:
- Personal Data means any information relating to an identified or identifiable natural person processed by us on your behalf.
- Sub-processor means a third party we engage to assist in providing the Services that may have access to Personal Data.
- Data Subject means the individual to whom Personal Data relates.
2. Roles and responsibilities
You are the Controller of Personal Data you submit to the Services about your end users (your customers, employees, contacts). We are the Processor. We act only on your documented instructions, which are reflected in this DPA and your configuration of the Services.
3. Subject matter, nature, purpose, duration
| Subject matter | Provision of the cloud platform Services described in the Terms of Service. |
|---|---|
| Nature of processing | Storage, hosting, transmission, automated processing required to deliver the Services; agent-based AI processing of content you submit to the Services. |
| Purpose of processing | Provide and improve the Services; respond to support requests; comply with legal obligations. |
| Duration | Until the underlying subscription ends, plus our standard data-retention period (see Section 9). |
| Categories of Data Subjects | Your end users, customers, employees, and any other individuals whose data you choose to process via the Services. |
| Categories of Personal Data | Identification data (name, email, account credentials); business contact data; usage logs; content you store; payment data processed through Stripe (we never see card numbers). |
4. Our obligations
4.1 Processing on instructions
We process Personal Data only on your documented instructions, including transfers, unless required by law. We immediately notify you if we believe an instruction violates GDPR or other data-protection law.
4.2 Confidentiality
All personnel with access to Personal Data are bound by written confidentiality obligations.
4.3 Security measures
We implement appropriate technical and organisational measures (Article 32 GDPR). Concretely:
- TLS 1.2+ for all in-transit data; HSTS enforced
- SOPS+age encryption for secrets at rest in our GitOps repository
- Bcrypt for password hashes; scrypt for MFA backup codes
- Multi-factor authentication (TOTP + passkey) available for all users
- Per-tenant Kubernetes namespace isolation
- Append-only audit log of every privileged action (SOC 2 CC7.2 aligned)
- Daily off-cluster backups (when paid tier is selected)
- Annual internal security review; third-party penetration test scheduled Q3 2026
The full list is maintained at /docs/security-audit.md and available on request.
4.4 Sub-processors
You authorise our use of sub-processors as listed at /legal/sub-processors.html. We will notify you at least 30 days before engaging a new sub-processor; you may object within 14 days for legitimate data-protection reasons (in which case you can terminate the affected Services for a pro-rated refund of pre-paid fees).
4.5 Data subject requests
We provide self-service tooling for Article 15 (access), Article 17 (erasure), and Article 20 (portability) requests; see the "Your data" section of your dashboard. For requests where you require our assistance, contact privacy@biab.cloud; we respond within 30 days.
4.6 Breach notification
We notify you without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach. Our notice will contain the nature of the breach, the categories and approximate number of Data Subjects, the likely consequences, and the measures taken to address and mitigate it.
4.7 Audits
You may audit our compliance with this DPA once per calendar year, at your cost, on at least 60 days' notice, during business hours, and subject to confidentiality. Where appropriate we may satisfy audit requests by providing our most recent third-party assessment report instead of permitting an on-site audit.
4.8 International transfers
Personal Data is hosted on infrastructure located in Germany (Hetzner, Falkenstein). For sub-processors located outside the EEA, we rely on Standard Contractual Clauses (SCCs, Decision 2021/914) and transfer impact assessments.
4.9 Return or deletion at end of contract
On termination, we provide an export of your data via the GDPR-export endpoint within 14 days. Thereafter we delete all Personal Data within 30 days, except where law requires retention (e.g. accounting records).
5. Your obligations
- You ensure your collection and use of Personal Data complies with applicable law and that you have a legal basis to instruct us to process it.
- You configure the Services securely (strong account credentials, MFA, role assignments).
- You notify us of any compromise of your account credentials immediately.
6. Liability
Each party's liability under this DPA is governed by the limitations in the Terms of Service, subject to mandatory law (notably Article 82 GDPR, which cannot be contractually limited as between a controller and processor for harm to a data subject).
7. Term and termination
This DPA continues for as long as we process Personal Data on your behalf. The obligations in Sections 4.6 (Breach notification), 4.7 (Audits) and 4.9 (Return or deletion) survive termination.
8. Governing law and jurisdiction
This DPA is governed by the law specified in the Terms of Service. For matters falling exclusively under GDPR, the law of the EU member state of the Data Subject applies, as required by GDPR.
9. Retention
| Category | Retention |
|---|---|
| Account data (you) | Lifetime of account + 30 days after deletion |
| Operational logs | 30 days |
| Audit log | 2 years online, 5 years archived (SOC 2 standard) |
| Backups | 30 days (older snapshots auto-pruned) |
| Billing records | 7 years (legal requirement in most EU jurisdictions) |
Acceptance
By signing up for or continuing to use the Services after the Effective Date, you accept this DPA. If you require a counter-signed copy for your records, email privacy@biab.cloud with your company name and we will provide a PDF version.
Enterprise customers requiring modifications can request a negotiated DPA via their account manager (available on contracts ≥ €15k/year).
Contact
Data Protection Officer: dpo@biab.cloud
Privacy inquiries: privacy@biab.cloud
Postal: see Terms of Service for company registration details