
Data Processing Agreement

The DPA describes how CentralbrAIn processes personal data on behalf of customers, the sub-processors we engage, and the safeguards that apply to international transfers.

Last updated · 2026-05-02

Template notice. This page is a working template intended to be replaced by counsel-reviewed copy before any commercial launch. Section headings, scope, and definitions are reasonable defaults - the substantive language must be adapted to the operating jurisdiction(s), customer profile, and applicable processor relationships.

1. Status of this page

This page constitutes the public-facing version of CentralbrAIn's standard Data Processing Agreement. A counter-signed PDF is provided on request and is incorporated by reference into your Terms of Service and Order Form.

2. Roles

  • Controller - the Customer, who determines the purposes and means of processing personal data submitted to the Service.
  • Processor - CentralbrAIn, processing on behalf of the Controller under documented instructions.
  • Sub-processors - the third parties we engage to operate parts of the Service. The current list is below.

3. Subject matter and scope

We process personal data only as needed to provide the Service, comply with the law, and follow your reasonable written instructions. We do not use customer personal data to train foundation models or for any purpose unrelated to the Service.

4. Categories of data subjects and personal data

  • Authorized Users - business contact information (name, work email, sign-in identifiers).
  • End-users of the Customer's connected systems - whatever personal data is present in the Customer's CRM, billing, communication, knowledge, and execution systems that the Customer authorises us to read or act upon.
  • Authentication and security telemetry - IP address, user-agent string, audit-log metadata. Stored as ciphertext where applicable.

5. Sub-processors

The current list of sub-processors and the function each performs is shown below. Material additions are announced at least 30 days in advance via email to the primary account contact and via this page.

| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Supabase, Inc. | Authentication, Postgres database hosting, audit log storage. | United States / EU regions | EU SCCs + UK Addendum (where applicable) |
| Vercel Inc. | Front-end hosting, edge runtime, content delivery. | Global edge | EU SCCs + UK Addendum |
| Anthropic, PBC | Underlying foundation model for orchestration reasoning. | United States | EU SCCs + UK Addendum; zero-data-retention configuration |
| Cloudflare, Inc. | DNS, edge security, DDoS mitigation. | Global edge | EU SCCs + UK Addendum |
| Stripe, Inc. | Subscription billing and payment processing. | United States / EU regions | EU SCCs + UK Addendum |
| Iceland Data Centre Operator (Enterprise tier only) | Dedicated, air-gapped infrastructure for Enterprise tier customers electing Iceland-only hosting. | Iceland | Iceland is a member of the EEA - no transfer outside the EEA required. |

6. International transfers

Where personal data leaves the EEA, the UK, or Switzerland, we rely on the EU 2021 Standard Contractual Clauses, the UK International Data Transfer Addendum, and the Swiss FDPIC's adapted SCCs as applicable. A signed copy of the SCCs is provided as part of the executed DPA on request.

7. Security

We maintain administrative, technical, and organisational measures appropriate to the risk of processing - including authenticated column-level encryption of sensitive fields, row-level security on every table, MFA for production access, and an append-only audit log. The security exhibit to the DPA describes these controls in detail.

8. Personal-data breaches

We will notify Customer without undue delay after becoming aware of a personal-data breach affecting Customer Data, providing such information as is reasonably available and updating as additional information becomes available.

9. Audits

On reasonable advance notice, and subject to confidentiality obligations, we will make available all information necessary to demonstrate compliance with this DPA, and contribute to audits - including inspections - conducted by Customer or an auditor mandated by Customer. We may satisfy this obligation through third-party certifications or attestation reports we make available.

10. Return and deletion

On termination, we will return or delete Customer Data in accordance with the terms described in the Terms of Service. Backups containing Customer Data are deleted on the standard backup retention schedule.

11. Changes

Material changes to this DPA - for example, the addition of a sub-processor in a new region, or a change to the transfer mechanism - are announced at least 30 days in advance and noted in the change history available on request.