Data Processing Agreement (DPA)

Last updated: March 1, 2026

1. Introduction

This Data Processing Agreement ("DPA") supplements the Terms of Service between Bravos AI ("Processor") and the customer using the Service ("Controller"). This DPA is entered into in accordance with Article 28 of the General Data Protection Regulation (GDPR) and the United Kingdom data protection legislation (UK GDPR).

By using the Service, the Controller accepts the terms of this DPA. If the Controller requires a signed version of this agreement, it may be requested at contacto@bravos-ai.com.

2. Definitions

  • "Controller": The customer who determines the purposes and means of the processing of personal data through the Service.
  • "Processor": Bravos AI, which processes personal data on behalf of the Controller.
  • "Sub-processor": A third party engaged by the Processor to carry out specific processing activities on behalf of the Controller.
  • "Personal Data": Any information relating to an identified or identifiable natural person processed in the context of the Service.
  • "Data Subject": A natural person whose personal data is being processed.
  • "Security Breach": A breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data.
  • "SCCs": Standard Contractual Clauses approved by the European Commission for international data transfers.

3. Subject Matter and Duration of Processing

The Processor processes personal data on behalf of the Controller for the purpose of providing the Bravos AI Service, which includes the creation, training, and deployment of AI-powered chatbots.

  • Duration: This DPA remains in effect for as long as the Controller uses the Service, plus the period necessary for the deletion or return of data after termination.
  • Nature of processing: Storage, indexing, vector embedding generation, processing through AI models for response generation, and content delivery to End Users.
  • Purpose: To provide the AI chatbot service contracted by the Controller, including the processing of End User queries and the generation of responses based on Training Data.

4. Types of Personal Data and Categories of Data Subjects

4.1 Types of Personal Data

  • Controller account data (name, email, encrypted password)
  • Conversation messages between End Users and the chatbot
  • Media files shared by End Users (automatically deleted after 24 hours)
  • Anonymous session identifiers (fingerprint)
  • Data contained in Training Data provided by the Controller (documents, CSV, Excel, URLs)
  • Lead data captured through the chatbot (name, email, phone, or other fields configured by the Controller)
  • Technical data (IP address, user agent, device data)

4.2 Categories of Data Subjects

  • End Users who interact with the Controller's chatbots
  • Employees or representatives of the Controller with access to the admin panel
  • Individuals whose personal data is contained in the Training Data

Note: Special categories of data (Art. 9 GDPR) are not intentionally processed. The Controller agrees not to upload sensitive data (racial or ethnic origin, political opinions, health data, sexual orientation, etc.) as Training Data unless the appropriate legal basis is in place.

5. Obligations of the Processor

5.1 Documented Instructions

The Processor shall process personal data only on documented instructions from the Controller, including those set out in the Terms of Service and this DPA, unless required to do so by law. In such a case, the Processor shall inform the Controller prior to processing, unless the law prohibits such notification.

5.2 Confidentiality

The Processor ensures that all persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.3 Security Measures (Art. 32 GDPR)

The Processor implements the following technical and organizational measures to ensure a level of security appropriate to the risk:

  • Encryption of data in transit (HTTPS/TLS)
  • Password hashing (bcrypt)
  • Restricted access to personal data based on the principle of least privilege
  • Regular and automated backups
  • Security monitoring and anomaly detection
  • Hosting on Hetzner Online GmbH servers (Germany, EU) with ISO 27001 standards
  • Periodic review of the effectiveness of security measures

5.4 Security Breach Notification

In the event of a Security Breach affecting the Controller's personal data, the Processor shall notify the Controller without undue delay and, in any case, within 72 hours of becoming aware of the breach. The notification shall include the nature of the breach, the categories and approximate number of affected data subjects, the likely consequences, and the measures taken or proposed to remedy the situation.

5.5 Assistance to the Controller

The Processor shall assist the Controller, taking into account the nature of the processing, in:

  • Responding to data subject requests (access, rectification, erasure, portability, objection, restriction)
  • Fulfilling obligations regarding security of processing (Art. 32 GDPR)
  • Notifying security breaches to the supervisory authority (Art. 33 GDPR)
  • Conducting data protection impact assessments (DPIA), where necessary
  • Prior consultation with the supervisory authority (Art. 36 GDPR)

5.6 Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR. The Processor shall allow and contribute to audits, including inspections, conducted by the Controller or an authorized auditor, with reasonable notice of at least 30 days and during business hours. The Controller shall bear the costs of the audit.

6. Sub-processors

The Controller grants the Processor a general authorization to engage sub-processors, subject to the conditions in this section. The Processor ensures that sub-processors are bound by data protection obligations equivalent to those in this DPA.

6.1 Current Sub-processors

  • OpenAI, LLC
    Service: Natural language processing and chatbot response generation
    Data processed: Conversation messages, query context, relevant Training Data
    Location: USA (OpenAI Ireland Ltd. for EEA)
    Safeguards: DPA + SCCs
  • Hetzner Online GmbH
    Service: Server hosting, database, and storage
    Data processed: All Service data
    Location: Germany (EU)
    Safeguards: DPA
  • Stripe, Inc.
    Service: Payment and subscription processing
    Data processed: Controller billing data
    Location: USA
    Safeguards: EU-US DPF + DPA
  • Resend, Inc.
    Service: Transactional email delivery
    Data processed: Controller email address
    Location: USA
    Safeguards: DPA + SCCs

6.2 Notification of Changes

The Processor shall notify the Controller of any addition or replacement of sub-processors with at least 30 days' prior notice. The Controller may object to the new sub-processor on reasonable grounds related to data protection, within 15 days of notification. If the objection cannot be reasonably resolved, either party may terminate the agreement.

7. AI-Specific Provisions

No-training commitment: Neither the Processor nor its sub-processors use the Controller's personal data, End User conversations, or Training Data to train, fine-tune, or improve general-purpose AI models. This restriction survives the termination of this DPA.

7.1 AI Processing

The Service uses third-party artificial intelligence models (currently OpenAI) to generate chatbot responses. The processing flow is as follows:

  • Training Data is processed locally to generate vector embeddings, which are stored in the Processor's database
  • When an End User sends a message, relevant fragments of Training Data are retrieved and sent to the OpenAI API along with the user's message to generate a response
  • OpenAI processes this data solely to generate the response and does not retain it beyond 30 days (for abuse monitoring), after which it is automatically deleted
  • OpenAI does not use data submitted through its API to train its models

7.2 Contractual Restrictions with AI Providers

The Processor maintains data processing agreements (DPAs) with all its AI providers that include:

  • Express prohibition on using customer data for model training
  • Defined retention periods and automatic deletion
  • Standard Contractual Clauses (SCCs) for international transfers
  • Appropriate technical and organizational security measures

8. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA) or the United Kingdom, the Processor ensures that appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): Module 2 (Controller to Processor) approved by the European Commission, incorporated by reference into this DPA
  • EU-US Data Privacy Framework (DPF): Verification of US provider participation where applicable
  • UK International Data Transfer Agreement (IDTA): For transfers subject to UK GDPR
  • Transfer Impact Assessment (TIA): Where required by applicable legislation

9. Data Subject Rights

The Processor shall assist the Controller, by appropriate technical and organizational measures, in responding to data subject requests under Chapter III of the GDPR:

  • Access and portability: The Controller can export conversations and data from the admin panel
  • Erasure: The Controller can delete conversations, training data, and lead data from the admin panel. Upon account cancellation, all data is deleted within 30 days
  • Rectification: The Controller can update Training Data at any time
  • Additional requests: For requests requiring Processor assistance, contact contacto@bravos-ai.com

10. Data Retention and Deletion

Upon termination of the Service, the Processor shall delete all of the Controller's personal data within the following timeframes, unless a legal obligation requires its retention:

  • Account data: 30 days after cancellation
  • Training Data and embeddings: Deleted immediately upon datasource removal or account cancellation
  • Widget conversations: 90 days from creation (automatic deletion)
  • Widget media files: 24 hours (automatic deletion)
  • Billing data: 10 years (legal tax requirement)
  • Technical logs: 90 days

The Controller may request the return of its data in a structured format prior to deletion by contacting contacto@bravos-ai.com.

11. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Each party shall be liable for damages caused by processing that infringes the GDPR, in accordance with Article 82 of the GDPR.

12. Governing Law and Jurisdiction

This DPA is governed by the laws of the United Kingdom. Any disputes shall be resolved by the courts of England and Wales, without prejudice to the right of data subjects to lodge complaints with the data protection authority of their country of residence.

13. Contact

For any inquiries regarding this DPA or the processing of personal data:

  • Email: contacto@bravos-ai.com
  • Registered address: 7 Great Lane, Bierton, Aylesbury, HP22 5DE, United Kingdom