Data Processing Agreement

GDPR Article 28 contract between you (Controller) and Xalerate AB (Processor).

Brain Orchestra — Data Processing Agreement

Effective date: April 25, 2026
Last updated: 2026-04-25

1. Parties

This Data Processing Agreement ("DPA") forms part of the Terms of Service between:

  • Xalerate AB, Stockholm, Sweden ("Processor", "Brain Orchestra"); and
  • the Customer identified in the Brain Orchestra account ("Controller", "Customer").

Both parties acknowledge that the Customer is the data "controller" within the meaning of Article 4(7) of Regulation (EU) 2016/679 ("GDPR") for the personal data processed through the Service, and that Brain Orchestra is the data "processor" within the meaning of Article 4(8) GDPR acting on the Customer's documented instructions.

2. Subject matter and scope

2.1 Subject matter

This DPA governs the processing of personal data by Brain Orchestra on behalf of the Customer in connection with the Service.

2.2 Duration

This DPA remains in force for the duration of the underlying Terms of Service, and continues to apply to any personal data Brain Orchestra retains after termination until such data has been deleted or returned in accordance with Section 10.

2.3 Nature and purpose of processing

Brain Orchestra processes personal data solely to:

(a) route Customer-submitted prompts to the third-party LLM provider selected by the Customer's routing configuration; (b) enforce the Customer's territorial tier, rate limit, spending cap, trace contract, and PII policy; (c) generate per-request audit logs for the Customer's governance purposes; (d) bill the Customer for service use; (e) protect the integrity and security of the Service; and (f) comply with applicable law.

Personal data shall not be used for any other purpose without the Customer's prior written instruction.

2.4 Categories of data subjects

The Customer's end users, employees, contractors, or other natural persons whose personal data is submitted to the Service by the Customer.

2.5 Types of personal data processed

The Customer controls what is submitted to the Service. Processing may include, depending on the Customer's use:

  • Identifiers: user emails or internal IDs passed via the X-User-Id header (trusted mode) or X-Actor-Token header (strict mode);
  • Free-text content embedded in LLM prompts submitted by the Customer, which may include names, email addresses, phone numbers, IBANs, Swedish personal identity numbers (personnummer), and other direct or indirect identifiers in plain text;
  • Metadata: request timestamps, model selections, provider routing, tokens consumed, request costs, territorial tier applied, request IP addresses (for actor-binding security);
  • PII-detection outputs: counts and types of entities detected by the Presidio-based PII service (but not the plaintext values, which are redacted or pseudonymized before storage).

The Customer is solely responsible for determining whether any particular category of personal data is appropriate for processing through the Service, and for obtaining any necessary consents or legal bases from data subjects before submitting their data to the Service.

The prohibition on special-category data without prior agreement is set out in Section 3.3 below.

3. Controller instructions

3.1 Processing on documented instructions

Brain Orchestra shall process personal data only on the documented instructions of the Customer, including with regard to transfers of personal data to a third country, unless required to do so by EU or Member State law to which Brain Orchestra is subject. In such case, Brain Orchestra shall inform the Customer of that legal requirement before processing, unless that law prohibits such notice on important grounds of public interest.

3.2 Sources of instructions

The Customer's documented instructions are established by:

(a) the Terms of Service and this DPA; (b) the Customer's configuration of its projects (territorial tier, content retention, PII policy, rate limits, spending caps, trace contracts, allowed models); (c) the contents of the API requests the Customer submits to the Service; (d) written instructions the Customer provides from time to time through the dashboard, the Customer account contact email, or written correspondence.

3.3 No special-category data without explicit agreement

The Customer undertakes not to submit special categories of personal data within the meaning of Article 9 GDPR (health, biometric, genetic, political opinion, religious belief, trade union membership, sexual life or orientation, racial or ethnic origin), nor personal data relating to criminal convictions and offences within the meaning of Article 10 GDPR, through the Service without first obtaining Brain Orchestra's express written agreement and completing any additional protections that may be required.

4. Obligations of Brain Orchestra

4.1 Confidentiality

Brain Orchestra ensures that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.2 Technical and organizational measures

Brain Orchestra has implemented the technical and organizational measures described in Annex II and shall maintain them for the duration of this DPA. Brain Orchestra may update the measures from time to time provided the level of protection is not reduced.

4.3 Sub-processors

Brain Orchestra uses the sub-processors listed in Annex III to assist in providing the Service. The Customer authorizes this engagement upon execution of this DPA.

Brain Orchestra shall:

(a) impose written contractual obligations on each sub-processor providing at least the same level of data protection as this DPA; (b) remain fully liable to the Customer for any breach by a sub-processor; and (c) provide the Customer with at least 14 days' prior notice by email of any intended addition or replacement of a sub-processor, during which time the Customer may object on reasonable data-protection grounds.

If the Customer reasonably objects on data-protection grounds within the notice period, Brain Orchestra will use commercially reasonable efforts to make available a change in configuration or alternative processing arrangement that avoids the use of the objected-to sub-processor. If no reasonable alternative is available within thirty (30) days of the objection, the Customer may terminate the affected Service component without penalty and receive a pro rata refund of any prepaid unused fees attributable to the terminated component.

4.4 Assistance with data-subject requests

Taking into account the nature of the processing, Brain Orchestra shall assist the Customer, by appropriate technical and organizational measures, in the fulfillment of the Customer's obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR, including requests for:

  • access (Art. 15);
  • rectification (Art. 16);
  • erasure (Art. 17) — implemented via the 30-day hold + transactional cascade purge documented in the Terms of Service §5.4;
  • restriction (Art. 18);
  • data portability (Art. 20); and
  • objection (Art. 21).

If a data subject contacts Brain Orchestra directly regarding personal data processed on behalf of a Customer, Brain Orchestra will refer the data subject to the Customer and will not respond to the request substantively without the Customer's instructions.

4.5 Assistance with compliance obligations

Brain Orchestra shall assist the Customer, insofar as possible and taking into account the nature of the processing and the information available to Brain Orchestra, in ensuring compliance with the Customer's obligations under Articles 32 to 36 GDPR (security of processing, breach notification, DPIA, prior consultation).

Brain Orchestra maintains internal data-protection risk assessments for the Service and will provide reasonable assistance, including a summary of relevant risk-assessment information under confidentiality, to support the Customer's DPIA obligations under Articles 35 and 36 GDPR.

4.6 Data breach notification

Brain Orchestra shall notify the Customer without undue delay and in any event within 48 hours after becoming aware of a personal data breach affecting Customer Data. The initial notice shall include the information then reasonably available to Brain Orchestra, and Brain Orchestra shall provide further information in phases without undue further delay as it becomes available, including:

(a) the nature of the breach, including the categories and approximate number of data subjects and records concerned; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach and mitigate its adverse effects; and (d) the contact point for further information.

4.7 Audit rights

Upon the Customer's written request and no more than once per calendar year (absent a data breach or regulatory requirement), Brain Orchestra shall make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA, including independent audit reports (such as SOC 2 Type II, ISO 27001, or equivalent) if and when such reports become available.

The Customer may also, at its own cost and on reasonable prior notice (at least 30 days), conduct an on-site audit of Brain Orchestra's compliance with this DPA, subject to reasonable confidentiality obligations and during normal business hours.

The annual frequency limit and 30-day notice requirement do not apply to audits conducted in response to a confirmed personal data breach, a regulatory investigation, or a request by a supervisory authority. Such audits shall be conducted on reasonable notice given the circumstances and subject to reasonable confidentiality obligations regarding Brain Orchestra's other customers' information.

5. Obligations of the Customer

The Customer shall:

(a) process personal data in compliance with applicable data protection law; (b) have a valid legal basis for processing under Article 6 GDPR and, where applicable, Article 9 GDPR; (c) provide all notices and obtain all consents required from data subjects before submitting their personal data to the Service; (d) not instruct Brain Orchestra to process personal data in a manner that violates applicable law; (e) configure its projects' territorial tier, content retention, and PII policy appropriately for the categories of personal data it submits to the Service; and (f) maintain the confidentiality and integrity of the credentials issued to it (API keys, actor tokens, dashboard passwords).

6. International data transfers

6.1 Processing location

The Service is hosted in the European Union (Railway europe-west4, the Netherlands). Customer Data stored by Brain Orchestra remains in the EU unless the Customer's territorial tier configuration permits otherwise.

6.2 Transfers to third countries

When the Customer's project uses the unrestricted territorial tier or otherwise configures Brain Orchestra to route requests to LLM providers hosted outside the European Economic Area, personal data included in those requests will be transferred to those providers' locations. These transfers are made under the appropriate transfer mechanisms set out in Chapter V of the GDPR, including:

  • the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) where applicable; and
  • any additional safeguards reasonably necessary to address the findings of the Schrems II ruling.

The eu_cloud, eu_strict, and eu_sweden territorial tiers are designed to eliminate or minimize third-country transfers. Customers concerned about international transfers should configure their projects to use one of these tiers.

The applicable SCC modules are specified in Section 6.4 and the Transfer Mechanism Matrix in Annex III. The unrestricted territorial tier is not the default — Customers must affirmatively select it in their project configuration.

6.3 Sub-processor transfers

For sub-processors that may receive personal data outside the EEA, Brain Orchestra has entered into the EU Standard Contractual Clauses or otherwise ensured an equivalent level of protection.

6.4 Transfer Mechanism Matrix

Transfers to sub-processors outside the EEA are made under the mechanism identified in the Transfer Mechanism Matrix in Annex III, which may include:

(a) an EU adequacy decision (Article 45 GDPR); (b) the transferee's participation in the EU-US Data Privacy Framework where applicable; (c) EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module 2 (Controller → Processor) or Module 3 (Processor → Sub-processor) as specified; or (d) such other mechanism as may be approved under Chapter V GDPR.

Annex III shall include for each sub-processor: role, processing location, applicable transfer mechanism, SCC module (if any), DPF participation status, and whether a Transfer Impact Assessment has been conducted.

7. Security of processing

Brain Orchestra shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:

(a) the pseudonymization and encryption of personal data (TLS in transit, at-rest encryption at the storage layer); (b) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services; (c) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

The current set of measures is described in Annex II.

8. Records of processing

Each party shall maintain records of processing activities as required by Article 30 GDPR. Brain Orchestra's records are maintained internally and will be made available to supervisory authorities on request and to the Customer as part of the audit rights in Section 4.7.

9. Data Protection Officer and supervisory authority

The Controller's supervisory authority for the purposes of this DPA is the Integritetsskyddsmyndigheten (IMY) in Sweden, unless the Customer is established in another EU or EEA Member State, in which case the supervisory authority of that Member State applies.

Xalerate AB has designated a data protection point of contact reachable at support@xalerate.com.

10. Return and deletion of personal data

Upon termination or expiry of the Terms of Service, or at the Customer's written request at any time, the Customer may export Customer Data or request return of personal data for thirty (30) calendar days via the dashboard export API or by written request. Brain Orchestra shall, at the Customer's choice:

(a) return all personal data processed on behalf of the Customer in a commonly used electronic format (CSV, JSON); or (b) delete all personal data processed on behalf of the Customer.

After the 30-day export period, Brain Orchestra will delete personal data in accordance with its deletion procedures (30-day hold + transactional cascade purge across audit logs, trace records, and supporting tables). Backup media is overwritten within 90 days.

Brain Orchestra may retain personal data solely to the extent required by applicable law (including invoicing records, receipts, and related accounting documentation (räkenskapsinformation) as required by bokföringslagen (1999:1078) Chapter 7 §2), and such retained data shall continue to be subject to the confidentiality and security obligations of this DPA.

11. Liability and indemnification

Liability under this DPA is governed by the Terms of Service, subject to any mandatory allocation of liability imposed by the GDPR and by the EU Standard Contractual Clauses where those apply.

12. Order of precedence

In case of conflict between the provisions of this DPA and the Terms of Service with respect to the processing of personal data, this DPA shall prevail. In case of conflict between the provisions of this DPA and the EU Standard Contractual Clauses (where they apply), the Standard Contractual Clauses shall prevail.

13. Governing law

This DPA is governed by the laws of Sweden, consistent with the Terms of Service. The EU Standard Contractual Clauses, where they apply, are governed by the law of the EU Member State specified therein.

14. Execution

This DPA is incorporated into and forms part of the Terms of Service. The Customer enters into this DPA by accepting the Terms, executing an Order Form that references this DPA, or otherwise using the Service after being presented with the Terms. Upon request, Brain Orchestra will make available a countersignable copy of this DPA.

Xalerate AB (Processor)
Name: ________________________
Title: ________________________
Date: ________________________
Signature: ________________________

Customer (Controller)
Name: ________________________
Title: ________________________
Date: ________________________
Signature: ________________________

Annex I — Description of the Processing

A. List of parties

Data Exporter (Controller): the Customer
Data Importer (Processor): Xalerate AB — Stockholm, Sweden

B. Description of the processing

Subject matter: routing Customer-initiated LLM requests through a governance layer and returning LLM responses; per-request audit logging; per-project billing; per-project security and rate-limit enforcement.

Duration: for the duration of the Terms of Service, plus retention periods described in Section 10.

Nature and purpose: as set out in Section 2.3 of this DPA.

Types of personal data: as set out in Section 2.5 of this DPA.

Categories of data subjects: as set out in Section 2.4 of this DPA.

Frequency of transfer: continuous, triggered by the Customer's API requests.

Retention period: as set out in Section 10 and Terms of Service §5.4.

C. Competent supervisory authority

For data exports where the Controller is established in Sweden: Integritetsskyddsmyndigheten (IMY).

For data exports where the Controller is established in another EEA Member State: the supervisory authority of that Member State.


Annex II — Technical and Organizational Measures

1. Pseudonymization and encryption

  • TLS 1.2+ in transit for all API and dashboard traffic.
  • At-rest encryption at the PostgreSQL storage layer managed by Railway.
  • API key hashing: API keys are stored as SHA-256 hashes; plaintext is shown to the customer exactly once at creation time.
  • Actor token hashing: actor tokens are stored as SHA-256 hashes with a 5-minute rotation grace period.
  • Session token hashing: dashboard session tokens are stored as SHA-256 hashes with configurable expiry.
  • PII pseudonymization (optional, per-project): when enabled, the Presidio-based PII service replaces personally identifiable values in prompts with session-scoped tokens (e.g. PERSON_1) before the prompt reaches the LLM provider. Original values are re-hydrated in the response on return and are never stored in the audit log.
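The session-scoped pseudonymization and re-hydration described in the last item, as an added Python illustration that is not Brain Orchestra's or Presidio's code: a constructed regex detector stands in for the Presidio analyzer, tokens are minted per session, and the audit record carries only entity counts and types, as Section 2.5 requires. The class and detector names and the sample prompt are assumptions constructed for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed stand-in for the Presidio analyzer: a few regex detectors.
# Entity type names are illustrative, not Presidio's own.
DETECTORS = {
    "EMAIL_ADDRESS": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "SE_PERSONNUMMER": re.compile(r"\b(?:19|20)?\d{6}[-+]?\d{4}\b"),
    "PHONE_NUMBER": re.compile(r"\+\d{1,3}[\s\d]{7,14}\d"),
}


@dataclass
class PseudonymSession:
    """Mapping table that lives only for one request/response round trip."""
    forward: dict = field(default_factory=dict)   # plaintext -> token
    reverse: dict = field(default_factory=dict)   # token -> plaintext
    counts: Counter = field(default_factory=Counter)  # distinct entities per type

    def pseudonymize(self, text: str) -> str:
        """Replace detected values with session-scoped tokens such as EMAIL_ADDRESS_1."""
        def replace(entity_type: str, match: re.Match) -> str:
            value = match.group(0)
            if value not in self.forward:          # same value -> same token
                self.counts[entity_type] += 1
                token = f"{entity_type}_{self.counts[entity_type]}"
                self.forward[value] = token
                self.reverse[token] = value
            return self.forward[value]

        for entity_type, pattern in DETECTORS.items():
            text = pattern.sub(lambda m, t=entity_type: replace(t, m), text)
        return text

    def rehydrate(self, text: str) -> str:
        """Put original values back into the provider's response."""
        # Longest tokens first so PERSON_10 is never clobbered by PERSON_1.
        for token in sorted(self.reverse, key=len, reverse=True):
            text = text.replace(token, self.reverse[token])
        return text

    def audit_record(self) -> dict:
        """What may be stored: counts and types only, never plaintext values."""
        return {"pii_entities": dict(self.counts)}


# Constructed sample prompt (fictional person and contact details).
SAMPLE_PROMPT = (
    "Summarize the complaint from anna.svensson@example.com "
    "(personnummer 19850512-1234, phone +46701234567). "
    "She wrote to anna.svensson@example.com twice."
)


def process_request(prompt: str, llm) -> tuple:
    """One round trip: pseudonymize, call the provider, rehydrate, record audit."""
    session = PseudonymSession()
    safe_prompt = session.pseudonymize(prompt)
    response = session.rehydrate(llm(safe_prompt))
    return safe_prompt, response, session.audit_record()


if __name__ == "__main__":
    # Stand-in provider that echoes the tokens it received back to us.
    fake_llm = lambda p: "EMAIL_ADDRESS_1 filed two complaints; call PHONE_NUMBER_1."
    for item in process_request(SAMPLE_PROMPT, fake_llm):
        print(item)
```

The provider only ever sees the token form of the prompt; the mapping table is discarded with the session, so nothing in `audit_record()` can be joined back to a person.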

2. Confidentiality, integrity, availability

  • Access controls: dashboard access requires authenticated sessions with server-side session validation; API access requires customer-issued API keys hashed at rest; administrative access requires an is_admin flag enforced at both the frontend routing layer and the backend middleware layer.
  • Role-based authorization: project-level operations are gated by owner/admin/member/viewer roles; mutation and credential operations require owner or admin role (see src/api/dashboard.ts verifyProjectAdminAccess).
  • Terms acceptance gate: gateway requests are blocked for accounts that have not accepted the Terms of Service and this DPA (see src/billing/enforce.ts checkPlan terms_required gate).
  • Territorial tier enforcement: requests are routed only to LLM providers compliant with the project's configured territorial tier; incompatible model + tier combinations return HTTP 400 model_not_compliant with no fallback.
  • Audit durability: every request produces a durable audit record, even on failure or mid-stream client disconnect, via a transactional outbox pattern.
  • Rate limiting: per-project, per-minute request limits and per-IP auth throttling with trusted-proxy-aware X-Forwarded-For extraction.
  • Spending caps: per-project daily and monthly EUR caps prevent runaway LLM spend.

3. Physical security

Hosting is provided by Railway (europe-west4 region, the Netherlands). Physical security controls are Railway's responsibility and are documented in Railway's own security statement. Brain Orchestra does not operate or host physical infrastructure.

4. Backup and recovery

PostgreSQL backups are managed by Railway in the europe-west4 region. Backups are encrypted at rest.

5. Logging and monitoring

  • Prometheus metrics exposed at /internal/metrics for gateway health, audit outbox depth, request cost, trace state, and per-customer spend rank. Metrics are served via the in-app admin dashboard; a Prometheus-compatible endpoint is available for optional external integration.
  • Structured JSON logging with OpenTelemetry-compatible fields for all application events.
  • Audit log retention: per-project configurable, default 365 days.

6. Personnel measures

  • Personnel are bound by confidentiality obligations.
  • Access to production systems is limited to personnel on a need-to-know basis.

Brain Orchestra is evaluating SOC 2 Type II and ISO 27001 certification and will update this section when certification is achieved.

7. Process for regular testing and evaluation

Brain Orchestra conducts internal security reviews and has commissioned independent audit reviews (most recently, a launch-readiness audit by Codex in April 2026). Findings are tracked and remediated on a prioritized schedule.

Results of independent security reviews are available to Customers upon request under confidentiality, as part of the audit rights in Section 4.7.


Annex III — Sub-processors and Transfer Mechanism Matrix

See legal/SUBPROCESSORS.md for the current list of sub-processors, including for each sub-processor: role, processing location, applicable transfer mechanism, SCC module (if any), DPF participation status, and whether a Transfer Impact Assessment has been conducted. The list is updated as sub-processors are added or changed, and Customers are notified by email in accordance with Section 4.3.


Contact: Xalerate AB — support@xalerate.com — Stockholm, Sweden