This page answers the questions procurement, legal, and security teams ask most often when evaluating botBrains. For anything not covered here, email legal@botbrains.io.

Which agreements govern botBrains?

Document | Purpose
Commercial offer | Governs commercial terms (pricing, scope, SLAs) and collateral agreements
Terms of Service | The contract governing your use of the platform
Data Processing Agreement | Governs how botBrains processes personal data on your behalf

Is botBrains a controller or processor?

You are the controller of the personal data in your conversations, and botBrains acts as your processor. botBrains in turn engages subprocessors to deliver the service. The Data Processing Agreement sets out the details of this relationship.

Where does botBrains store and process data?

botBrains stores all application data in Germany. We process your data within the EU, with our server infrastructure located in Germany. AI inference runs in the EU. No third-country transfer takes place. See Subprocessors for the full list of services and data locations. The primary hosting providers are Hetzner, AWS and DigitalOcean: we use Vercel for serving the static website, Hetzner for the API and background-worker servers, AWS for database and object storage, and DigitalOcean for caching.

Where does botBrains run AI inference?

botBrains uses subprocessors to run AI inference. We enforce three requirements on all model hosting subprocessors:
  1. Data residency in the EU
    Data must be stored in the EU, and no third-country transfer may take place. We opt for Zero Data Retention Agreements where offered to minimize data retention. Context-caching and short-term caching for inference is allowed, but no long-term storage of data is permitted.
  2. Inference residency in the EU
    It’s not sufficient to proxy from an EU-intake server to a non-EU inference server. Processing must happen in the EU.
  3. Model training is prohibited
    Model training on botBrains-sent data is prohibited.
We currently run inference on OpenAI Enterprise with EU data and inference residency, and have a Zero Data Retention Agreement in place. We also use Azure OpenAI Service with regional endpoints for EU-bound storage and inference, and we run inference via AWS Bedrock in Frankfurt.

Is botBrains GDPR compliant?

Yes. botBrains supports GDPR and DSGVO compliance through EU data residency, a Data Processing Agreement, and documented security measures. See GDPR for the full Q&A.

Is botBrains EU AI Act compliant?

The EU AI Act sets obligations for providers and deployers of AI systems. botBrains designs its AI agents to support these obligations, including the transparency requirement to make clear when users are interacting with an AI agent rather than a human. See EU AI Act for details.

Which subprocessors does botBrains use?

The current list, including each subprocessor’s purpose and data location, is on the Subprocessors page.

Is botBrains ISO 27001 or SOC 2 Type II certified?

We’re preparing for ISO 27001. See ISO 27001 for our ISMS and policies, and Certification Roadmap for other standards.

How do I request security documentation?

To request a signed agreement, a completed security questionnaire, our policies, or our technical and organizational measures, email support@botbrains.io.

How do I report a security vulnerability?

See our Responsible Disclosure Policy for how to report a vulnerability.