A Data Processing Agreement governs how a vendor processes personal data on your behalf. GDPR mandates it (Art. 28). More in the /glossary/dpa entry.

What data do you process?

Conversation content, IDs, timestamps, optionally authenticated user IDs. No SSNs, no payment data — we don't accept those even if the user types them in.

Where is data stored?

AWS Frankfurt (eu-central-1) for DB and logs. Hetzner Vienna as backup region. Conversation logs are deleted after 90 days (or per your settings). Audit logs separate, per legal requirements.

What happens on a breach?

GDPR Art. 33 mandates 72-hour notification to the supervisory authority. We notify you immediately and provide all technical details for your filing.

Can I request a DPIA?

Yes. On request we draft a Data Protection Impact Assessment with you — standard for regulated industries.

← Knowledge hub

GDPR & AI

GDPR-compliant AI: what actually matters.

Most AI vendors claim 'GDPR-ready'. We show you how to recognize it for real — and what Schrems II means in practice.

Lawful basis and purpose limitation

Before talking hosting, sub-processors and DPA, you need to know why you can process personal data. GDPR has six lawful bases (Art. 6(1)):<ul><li>Contract — e.g. order-status request by the buyer.</li><li>Legitimate interest — e.g. internal process optimization with pseudonymized data.</li><li>Consent — explicit, documented, revocable any time.</li></ul>Plus purpose limitation: data may only be used for the original purpose. A support bot using order data may not repurpose it for marketing profiling.

01features

hosting

Hosting & data location.

Schrems II made it clear in 2020: US cloud providers are GDPR-problematic. Here's what we made of it.

EU-only hosting
AWS Bedrock EU (Frankfurt), Hetzner Vienna. No replication outside the EU. Even logging (Loki + Grafana) runs on our own EU servers.
- AT
- DE
- EU
What we don't do
No direct data flows to OpenAI (US servers), Cohere or other US hosters. Want Claude or GPT? You get them via the EU region of the respective cloud.
- No US transfer

Sub-processor transparency

A sub-processor is any third party processing data on your behalf — e.g. Anthropic for LLM inference, AWS for hosting, Mistral as alternative. GDPR requires you to know who's in the chain.Our setup:<ul><li>Full list of every sub-processor in the DPA (see below).</li><li>Each sub-processor has its own DPA with us — chain is transparent.</li><li>Changes need your consent (or at least prior veto right with a clear timeline).</li></ul>

'Will my data be used for training?'

This is the question we get most — and the answer decides whether a vendor is even an option.For us: no, never. Neither your knowledge-base content nor your customers' conversations are used for training. This is fixed in the DPA and ensured by our sub-processor choices:<ul><li>AWS Bedrock: guarantees no model training on customer content.</li><li>Anthropic API (Enterprise tier): explicit training opt-out, contractually secured.</li><li>OpenAI API: standard API doesn't train on customer data (unlike ChatGPT-web!).</li></ul>If a vendor won't commit to that in writing — walk away.

02faq

dpa

Data Processing Agreement — what to include.

Tool-selection checklist

Before picking an AI vendor, walk this list:<ol><li>Is the server location in the EU? If yes: guaranteed without US replication?</li><li>Is there a written DPA with all sub-processors listed?</li><li>Is training on your data explicitly excluded?</li><li>How long are conversations stored? Can you configure it?</li><li>Are there audit logs, and who has access?</li><li>Which encryption in transit and at rest?</li><li>Is there a breach response plan?</li><li>Can the bot be fully uninstalled — including all data — on demand?</li></ol>If a vendor won't answer one of these clearly — go elsewhere. Including past us. That clarity is non-negotiable.

We deliver DPA + DPIA out of the box.

No upcharge, no negotiation. Want a sample DPA as PDF? Book 30 minutes and we'll walk through it together.

Book a call DPA in the glossary