Data Processing Addendum
1. Parties and scope
This Data Processing Addendum ("DPA") supplements the Brainiall Terms of Service between you (the "Controller") and Brainiall (the "Processor"). It governs Brainiall's processing of Personal Data submitted to the API on your behalf and incorporates GDPR Article 28 and LGPD Article 39 obligations.
2. Subject matter and duration
Brainiall processes Personal Data for the limited purpose of running the API endpoints you call (Speech AI, NLP Suite, Image Processing, Background Removal, Audio Enhancement, Speaker Diarization, PDF-to-Markdown, Agent Memory). Processing duration matches your subscription term.
3. Nature, purpose, and types of data
- Nature: Stateless inference on submitted media/text. Inputs are processed in-memory and discarded immediately after the response is returned.
- Purpose: Provide the AI inference service requested via API call.
- Categories of data: Whatever you submit — typically audio, images, documents, or text. Brainiall does not require, target, or extract specific data categories. Submission of special categories of data (Art. 9 GDPR) is at your discretion and must rest on a lawful basis that you establish.
- Categories of data subjects: Determined by you. Brainiall has no visibility into who the data subjects are.
4. Processor obligations (Art. 28(3))
- Process Personal Data only on your documented instructions, including for transfers to third countries (we use SCCs where applicable).
- Ensure persons authorized to process Personal Data are bound by confidentiality.
- Implement appropriate technical and organizational measures (see Section 8).
- Engage Subprocessors only with prior general authorization (see Section 6) and impose equivalent data-protection obligations.
- Assist you (taking into account the nature of processing) with: data-subject requests, DPIAs, prior consultation with supervisory authorities, and breach notification.
- Make available all information necessary to demonstrate compliance and allow audits (subject to reasonable confidentiality controls).
- Inform you immediately if an instruction infringes the GDPR or other Union/Member State data protection provisions.
5. Data deletion
API request payloads are not retained — we process them in memory and discard them on response. For account-level data (email, hashed API keys, billing records), at the end of the contract you may instruct us to delete or return all Personal Data within 30 days, save where Union or Member State law requires retention (e.g., tax records).
6. Subprocessors
You provide general written authorization for Brainiall to engage Subprocessors. Current list:
- Latitude.sh (Brazil/USA) — bare-metal compute hosting. SOC 2 Type II.
- Microsoft Corporation (US/EU) — Marketplace billing. Data Processing Agreement available at microsoft.com.
- Stripe (US) — payment processing for non-Marketplace customers. PCI-DSS Level 1.
- Plausible (self-hosted) — anonymous, cookieless analytics. No personal data shipped off-platform.
We will give 30 days' notice (via email or status page) of any new Subprocessor or replacement. You may object on reasonable data-protection grounds during that period, and we may either present an alternative or allow you to terminate the affected service with pro-rated refund.
7. International data transfers
For transfers outside the EEA / UK / Brazil to a country without an adequacy decision, we rely on the EU Standard Contractual Clauses (Module 2: Controller-to-Processor), which are incorporated by reference and deemed executed by both parties upon entry into the underlying agreement. We perform Transfer Impact Assessments and apply supplementary measures (encryption in transit and at rest) as required.
8. Technical and organizational measures
- TLS 1.2+ on all customer-facing endpoints (Let's Encrypt auto-renewal).
- API keys stored as SHA-256 hashes; never plaintext.
- Access controls: principle of least privilege; no production access without 2FA.
- Webhook integrity: Microsoft AD JWT signature validation against JWKS for Marketplace events.
- Logical isolation between containers (Docker), per-tenant rate limits, internal X-Internal-Key gateway authentication.
- Logging: errors and auth events centralized via Glitchtip; PII redaction in logs.
- Backup, recovery, and monitoring: container healthchecks + auto-restart + status page.
- Regular dependency audits via automated CI (npm audit / pip-audit).
9. Personal data breach notification
Without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach, Brainiall will notify the affected Controller(s) at the contact email on file with the following information: nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed.
10. Audit and compliance
You may, at your expense and not more than once per year (unless required by a regulator following a breach), audit Brainiall's compliance with this DPA via a third-party auditor mutually agreed in good faith. Brainiall may meet audit obligations by providing existing certifications (e.g., SOC 2 Type II once obtained) and the platform's public security documentation.
11. Liability
Liability for breach of this DPA is governed by the limitation-of-liability clause in the underlying Terms of Service, except where applicable data protection law mandates a higher cap (e.g., Art. 82 GDPR).
12. Term and termination
This DPA enters into force on the date of acceptance of the Terms of Service and remains in force for the duration of the underlying agreement. Sections 5, 6, 7, 8, 9, and 11 survive termination as necessary to comply with applicable law.
13. Acceptance
You accept this DPA by continuing to use the Brainiall services after a request to do so (e.g., during enterprise procurement, your authorized signatory may countersign by email). For a counter-signed copy on Brainiall letterhead, email legal@brainiall.com.