GDPR Article 28 compliant. SCCs incorporated for international transfers.
Brainboot Data Processing Addendum Version 1.0 — Effective 2026-05-16
This Data Processing Addendum ("DPA") forms part of the Master Service Agreement, Terms of Service, or other written or electronic agreement (the "Agreement") between Brainboot ("Brainboot," "we," "us") and the customer ("Customer," "you") for the provision of the Brainboot Prompt OS platform and related services (the "Services").
By executing the Agreement, you agree to this DPA on behalf of yourself and, to the extent required under Applicable Data Protection Law, on behalf of any of your authorized affiliates whose Personal Data is processed in connection with the Services.
2.1. Roles. With respect to Customer Data, Customer is the Controller (or Processor acting on behalf of its own Controller(s)) and Brainboot is the Processor.
2.2. Subject matter. The processing operations performed by Brainboot are those reasonably necessary to provide the Services described in the Agreement, including authentication, multi-tenant storage, model invocation routing, billing, support, and product analytics.
2.3. Duration. The duration of processing matches the term of the Agreement, plus any retention period required for backup, billing, or legal hold purposes (see §11).
2.4. Categories of Data Subjects. Customer's authorized end-users, administrators, and any individuals whose data is included in inputs Customer submits to the Services.
2.5. Categories of Personal Data. Account identifiers (email, name), authentication metadata, billing identifiers, usage telemetry, and any Personal Data Customer chooses to include in inputs to the Services.
3.1. Processing on documented instructions. Brainboot will Process Customer Data only on documented instructions from Customer, including those reflected in the Agreement and this DPA, and as required by Applicable Data Protection Law.
3.2. Confidentiality. Brainboot will ensure that personnel authorized to process Customer Data are under appropriate confidentiality obligations.
3.3. Security measures. Brainboot will implement and maintain the technical and organizational measures described in Annex II to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
3.4. Sub-processors. Brainboot may engage Sub-processors as set out in §4.
3.5. Data Subject requests. Brainboot will, to the extent legally permitted, promptly notify Customer of any request from a Data Subject and reasonably assist Customer in fulfilling such request.
3.6. Audit support. Brainboot will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, and contribute to audits conducted by Customer or its independent auditor, subject to reasonable confidentiality and frequency limits (no more than once annually unless required by law or following a Security Incident).
3.7. Return or deletion. Upon termination, Brainboot will delete or return Customer Data within 30 days, unless retention is required by law (see §11).
4.1. General authorization. Customer grants Brainboot a general authorization to engage Sub-processors to process Customer Data, subject to the conditions in this section.
4.2. Current Sub-processors. As of the effective date, Brainboot uses the Sub-processors listed at /subprocessors on the Brainboot website. As of 2026-05-16 these are:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage | United States (us-east-1) |
| Stripe, Inc. | Payment processing, billing, invoicing | United States |
| Vercel Inc. | Application hosting, edge runtime | Global (US primary) |
| Vercel AI Gateway | LLM provider routing (passthrough; see Annex III) | Global |
| Upstash, Inc. | Distributed rate limiting (Redis) | United States (us-east-1) |
| Resend, Inc. | Transactional email delivery | United States |
| Functional Software, Inc. (Sentry) | Error tracking, observability | United States |
4.3. Change notice. Brainboot will notify Customer (via email to designated billing contact or in-app notice) at least 30 days before engaging a new Sub-processor that processes Customer Data. Customer may object on reasonable Data Protection grounds within 15 days of notice; the parties will negotiate in good faith, and Customer may terminate the affected Services without penalty if a resolution cannot be reached.
4.4. Sub-processor obligations. Brainboot will impose data protection terms on each Sub-processor materially equivalent to those in this DPA and will remain liable for its Sub-processors' acts and omissions.
5.1. Customer acknowledges that providing the Services may involve transfers of Customer Data to jurisdictions outside the EEA, UK, or Switzerland, including the United States.
5.2. SCCs. Where Brainboot transfers Personal Data subject to GDPR from the EEA to a country not deemed to provide an adequate level of protection, the Standard Contractual Clauses (Module Two: Controller-to-Processor, or Module Three where applicable) are incorporated by reference into this DPA, with the following selections:
- Clause 7 (Docking clause): not applicable
- Clause 9 (Sub-processors): Option 2 (general written authorization with 30-day notice)
- Clause 11(a) (Independent dispute resolution): not selected
- Clause 17 (Governing law): Ireland
- Clause 18 (Forum and jurisdiction): Ireland
- Annexes I, II, III: as set out in this DPA

5.3. UK Addendum. For transfers from the UK, the parties incorporate the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office.
6.1. Notification. Brainboot will notify Customer within 72 hours of becoming aware of a Personal Data Breach affecting Customer Data, providing:
- Nature of the breach, including categories and approximate number of Data Subjects and records affected
- Likely consequences
- Measures taken or proposed to address the breach and mitigate its effects
- Contact point for further information

6.2. Cooperation. Brainboot will reasonably cooperate with Customer's investigation and notification obligations under Applicable Data Protection Law.
7.1. Lawful basis. Customer represents that it has a valid legal basis for the Processing of Customer Data by Brainboot.
7.2. Notices and consents. Customer is responsible for providing required notices to Data Subjects and obtaining required consents.
7.3. Sensitive data restrictions. Customer agrees not to submit Special Category Personal Data (Article 9 GDPR), data relating to criminal convictions, or Personal Data of children under 16 to the Services without first executing a separate written agreement with Brainboot.
8.1. Information. Brainboot will make available to Customer, upon request, the following as evidence of compliance: SOC 2 reports (when available), penetration test summaries, security architecture documents, and answers to standard vendor questionnaires (CAIQ-Lite, SIG-Lite).
8.2. On-site audits. If the materials provided are insufficient, Customer may, at its own expense, conduct an on-site audit no more than once per 12 months with at least 30 days' written notice, during business hours, subject to reasonable confidentiality obligations.
8.3. Regulator audits. Brainboot will cooperate with audits required by a supervisory authority.
9.1. Liability under this DPA is subject to the limitations and exclusions in the Agreement, except that nothing in the Agreement excludes or limits liability that cannot be excluded or limited under Applicable Data Protection Law.
10.1. In the event of conflict, the following order applies: (1) SCCs and UK Addendum (where incorporated), (2) this DPA, (3) the Agreement.
11.1. Active Customer Data: retained for the duration of the Agreement.
11.2. Backups: retained for up to 35 days following deletion of active data.
11.3. Billing records: retained for 7 years (US tax compliance).
11.4. Audit logs: retained for 12 months minimum.
11.5. Upon Customer request after termination, Brainboot will delete Customer Data within 30 days, subject to the above retention periods.
This DPA will remain in effect for as long as Brainboot processes Customer Data under the Agreement and survives termination of the Agreement to the extent required to give effect to any obligation that by its nature should survive.
Subject matter: Provision of the Brainboot Prompt OS platform (chat, brain editor, blueprints, circuits, marketplace).
Nature of processing: Storage, retrieval, transmission, transformation, billing, support, model invocation routing.
Purpose of processing: Providing the Services in accordance with the Agreement.
Duration: The term of the Agreement plus retention periods per §11.
Categories of Data Subjects: Customer's authorized end-users, administrators, end-customers whose data Customer submits as inputs.
Categories of Personal Data: Account identifiers, authentication metadata, usage telemetry, content of inputs and outputs to the Services as submitted by Customer.
Brainboot maintains the following measures (current state; subject to update at Brainboot's sole discretion provided overall protection is not materially weakened):
Access control:
See §4.2 above. Current list maintained at https://brainboot.dev/subprocessors.
LLM provider routing: Inputs and outputs are routed via Vercel AI Gateway to provider APIs (Anthropic, OpenAI, Google, xAI, DeepSeek, Mistral). Vercel AI Gateway acts as a pass-through; underlying provider terms apply at the provider level. Customer may restrict permitted providers via org-level policy (contact security@brainboot.dev).
This DPA is incorporated into and forms part of the Agreement. By accepting the Agreement, or by accessing or using the Services, both parties are deemed to have signed and accepted this DPA. For execution as a separate signed document, contact legal@brainboot.dev.
Brainboot [address on file] legal@brainboot.dev
Customer [per Agreement]
legal/DPA-TEMPLATE.md. Last updated 2026-05-16.