The Data Protection Policy sets out how botBrains processes personal data lawfully and in line with the GDPR (DSGVO), including the AI conversation data that flows through the platform. It defines our processing roles, the technical controls that protect personal data, and how we help customers meet their obligations as controllers.
botBrains is not yet ISO 27001 certified. We are preparing our ISMS and writing these policies as part of pursuing certification, and we fully intend to get our controls attested.

Scope

This policy covers all personal data that botBrains processes, whether as a processor or a controller, and every production system that creates, receives, stores, or transmits it.

Processing roles

Data | botBrains role | Customer role
Conversation and end-user personal data sent to the platform | Processor | Controller
Account and billing data for the customer’s team | Controller | Data subject
When botBrains acts as a processor, it processes personal data only on the customer’s documented instructions under the Data Processing Agreement. The GDPR page covers the full processing roles, data subject support, and lawful-basis questions; this policy doesn’t restate them. botBrains documents its processing activities in a Record of Processing Activities (RoPA) under GDPR Article 30, covering both its controller and processor roles. The record is an internal ISMS register that botBrains maintains and makes available to the supervisory authority on request.

Processing principles

botBrains applies the GDPR principles of lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality. Two product defaults support these principles. Privacy-by-default settings limit collection to what each feature needs, and the three enforced rules on every model subprocessor keep inference inside the EU: EU data residency, EU inference residency, and no model training on botBrains data. botBrains classifies and handles data per the Data Classification Policy and retains it per the Data Retention Policy. This policy doesn’t duplicate those rules.

Protecting personal data

botBrains stores all Customer Data in the EU and runs AI inference on it within the EU, so no third-country transfer takes place for the conversation and end-user personal data customers send to the platform. Where botBrains acts as a controller, it may process personal data classified Confidential or below, such as account, billing, and business-contact data, outside the EU under a valid GDPR transfer mechanism: an adequacy decision, the EU-US Data Privacy Framework, or standard contractual clauses. Production systems enforce the following:
  • Encryption. The platform encrypts personal data at rest and in transit per the Cryptography Policy.
  • Tenant separation. The platform is multi-tenant with logical separation by tenant ID, enforced at the API layer through RBAC. One customer can’t reach another customer’s data.
  • Least-privilege access. Application users have no direct database access. Personnel access production personal data only for support, operations, and recovery, governed by the Access Control Policy.
  • Logging and monitoring. The platform logs and monitors access and system events per the Logging and Monitoring Policy.
  • Subprocessors. botBrains engages only subprocessors that meet our data protection requirements, listed at Subprocessors and managed under the Supplier Management Policy.
The detailed technical and organizational measures form Annex 2 of the DPA, which botBrains publishes as Technical and Organizational Measures.

Supporting data subjects

As a processor, botBrains gives customers the in-platform controls to honour their end users’ rights, including search, export, and deletion of conversation data. Where botBrains is the controller, data subjects exercise their rights directly with us. Requests reach us at legal@botbrains.io. botBrains handles a personal data breach under the Breach Notification Policy and GDPR Articles 33 and 34.

ISO 27001 mapping

This policy supports Annex A 5.34 (privacy and protection of personally identifiable information) and 8.11 (data masking), and aligns with GDPR Articles 5, 24, 25, 28, 30, and 32.

Review

The CISO owns this policy and reviews it at least annually and on any material change.