Data Processing Agreement

Last updated: April 2026

This Data Processing Agreement ("DPA") forms part of the agreement between BrainAI Team ("Processor," "we," "us") and the entity using our services ("Controller," "you," "your") for the provision of agentic team building and AI agent services (the "Services") as described at brainai.team.

This DPA applies where and to the extent BrainAI Team processes Personal Data on your behalf in the course of providing the Services. This DPA is designed to ensure compliance with the requirements of Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and equivalent data protection legislation.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by us on your behalf in connection with the Services.
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, combination, restriction, erasure, or destruction.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
  • "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  • "Applicable Data Protection Law" means all laws and regulations relating to the processing of Personal Data that apply to the performance of the Services, including the GDPR, UK GDPR, and any applicable national implementing legislation.

2. Scope and Purpose of Processing

2.1 Nature and Purpose

BrainAI Team processes Personal Data to provide you with agentic team services. This includes building, deploying, and operating AI agent teams that connect to your tools, systems, and data sources to perform tasks on your behalf.

2.2 Types of Personal Data

The categories of Personal Data processed depend on your use of the Services and may include:

  • Contact information (names, email addresses, phone numbers)
  • Business data (company information, project details, documents)
  • Technical data (API credentials, system configurations, access tokens)
  • End-user data processed by your AI agents (as determined by your instructions and tool integrations)
  • Communication data (messages, files, and content processed through agent workflows)

2.3 Categories of Data Subjects

  • Your employees, contractors, and authorized users
  • Your clients, customers, and end-users whose data is processed by the AI agents
  • Any other individuals whose Personal Data you instruct us to process through the Services

3. Obligations of the Processor

BrainAI Team will:

  • Process Personal Data only on your documented instructions, unless required to do so by applicable law. If such a legal requirement exists, we will inform you before processing (unless prohibited by law).
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing, as described in Section 6.
  • Not engage another processor (sub-processor) without your prior written authorization, as described in Section 5.
  • Assist you, taking into account the nature of processing, in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law.
  • Assist you in ensuring compliance with your obligations regarding data security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
  • At your choice, delete or return all Personal Data after the end of the provision of Services, and delete existing copies unless storage is required by applicable law.
  • Make available to you all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits.

4. Obligations of the Controller

You will:

  • Ensure that your instructions to us regarding the processing of Personal Data comply with Applicable Data Protection Law.
  • Have obtained all necessary consents and authorizations required for the lawful processing of Personal Data by us on your behalf.
  • Provide us with clear and documented instructions for the processing of Personal Data, including the configuration of AI agents and their access to third-party tools and systems.
  • Maintain appropriate records of processing activities conducted under this DPA.
  • Notify us promptly if you become aware of any circumstances that may affect the processing of Personal Data under this DPA.

5. Sub-processors

5.1 Authorization

You provide general authorization for us to engage sub-processors to assist in providing the Services. We maintain an up-to-date list of sub-processors, which is available upon request.

5.2 Current Sub-processors

Our sub-processors include, but are not limited to:

  • Cloud infrastructure providers (e.g., DigitalOcean, Google Cloud Platform) for hosting and compute
  • AI model providers (e.g., Anthropic, OpenAI) for AI agent reasoning and task execution
  • Communication providers (e.g., email delivery services) for agent-to-human communication
  • Analytics providers (e.g., Google Analytics) for platform usage analysis

5.3 Notification of Changes

We will notify you of any intended changes concerning the addition or replacement of sub-processors at least 14 days before the change takes effect. If you object to a new sub-processor on reasonable data protection grounds, we will work with you to find an alternative solution. If no resolution can be reached, either party may terminate the affected Services.

5.4 Sub-processor Obligations

We will impose the same data protection obligations as set out in this DPA on any sub-processor we engage, by way of a written contract. We remain fully liable to you for the performance of the sub-processor's obligations.

6. Data Security

BrainAI Team implements and maintains appropriate technical and organizational security measures, including:

  • Encryption of data in transit (TLS/HTTPS) and at rest where applicable
  • Access controls and authentication mechanisms to prevent unauthorized access to Personal Data
  • Regular security assessments and vulnerability monitoring of our infrastructure
  • Isolated agent execution environments to prevent cross-client data leakage
  • Secure credential management for API keys, tokens, and third-party service credentials used by AI agents
  • Logging and audit trails for agent actions and data access
  • Incident response procedures for detecting, investigating, and mitigating security events
  • Employee confidentiality agreements and security training

7. Data Subject Rights

Taking into account the nature of the processing, we will assist you by appropriate technical and organizational measures in fulfilling your obligations to respond to requests by Data Subjects exercising their rights under Applicable Data Protection Law, including:

  • Right of access to their Personal Data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing

If we receive a request directly from a Data Subject, we will promptly redirect the request to you and will not respond to the Data Subject directly unless instructed by you or required by law.

8. Data Breach Notification

8.1 Notification

We will notify you without undue delay, and in any event within 48 hours, after becoming aware of a Data Breach affecting Personal Data processed on your behalf.

8.2 Breach Information

The notification will include:

  • A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and records affected
  • The name and contact details of our point of contact for further information
  • A description of the likely consequences of the Data Breach
  • A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects

8.3 Cooperation

We will cooperate with you and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of any Data Breach. We will not inform any third party of a Data Breach without your prior approval, unless required by law.

9. International Data Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area, the United Kingdom, or Switzerland in connection with the provision of the Services. Where such transfers occur, we will ensure they are subject to appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • The UK International Data Transfer Agreement or Addendum, as applicable
  • Adequacy decisions by the European Commission or UK Secretary of State
  • Any other transfer mechanism permitted under Applicable Data Protection Law

10. Audit Rights

You have the right to audit our compliance with this DPA. We will make available to you all information reasonably necessary to demonstrate compliance and will contribute to audits conducted by you or an auditor you appoint.

Audits are subject to the following conditions:

  • You must provide at least 30 days' written notice before conducting an audit
  • Audits will be conducted during normal business hours and will not unreasonably disrupt our operations
  • You will bear the costs of any audit, unless the audit reveals a material breach of this DPA by us
  • Audit findings and information obtained will be treated as confidential
  • Audits will be limited to once per 12-month period, unless a Data Breach has occurred or a supervisory authority requests an audit

11. Term and Termination

11.1 Duration

This DPA will remain in effect for the duration of our agreement to provide Services, and will automatically terminate when the Services agreement ends.

11.2 Data Return and Deletion

Upon termination of the Services, we will, at your election, return or delete all Personal Data processed on your behalf within 30 days, unless retention is required by applicable law. We will provide written confirmation of deletion upon request.

11.3 Survival

The obligations under this DPA regarding confidentiality, data security, and cooperation will survive termination to the extent necessary to protect Personal Data that remains in our possession.

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the underlying Services agreement between the parties.

Where we are responsible for damage caused by processing that infringes Applicable Data Protection Law, or where we have acted outside or contrary to your lawful instructions, we will be liable for the damage caused. We will not be liable for damage to the extent that you are responsible for the processing that caused the damage.

13. General Provisions

  • This DPA will be governed by the same law that governs the underlying Services agreement, unless Applicable Data Protection Law requires otherwise.
  • In the event of any conflict between this DPA and the Services agreement, this DPA will prevail with respect to data protection matters.
  • Amendments to this DPA must be in writing and agreed by both parties.
  • We may update this DPA to reflect changes in Applicable Data Protection Law. We will notify you of material changes at least 30 days before they take effect.

14. Contact

For questions about this DPA or to exercise your rights under it, contact us:

BrainAI Team

Operated by AuctionVilla Platforms, Inc.

Email: [email protected]

Website: brainai.team