
DATA PROCESSING AGREEMENT (DPA)

Last Updated: 04 Mar 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer") and Innovatica Technologies FZ-LLC ("Brilio" or "Processor") and governs the processing of Personal Data as defined under applicable data protection laws, including the EU General Data Protection Regulation (GDPR).

Company information and standard definitions: See Shared Legal Definitions

1. DEFINITIONS AND INTERPRETATION

1.1 Key Terms

In this DPA:

"Personal Data": Any information relating to an identified or identifiable natural person as defined under GDPR Article 4(1).

"Processing": Any operation performed on Personal Data, including collection, storage, use, disclosure, deletion, as defined under GDPR Article 4(2).

"Data Controller": The entity that determines the purposes and means of processing Personal Data (you, the Customer).

"Data Processor": The entity that processes Personal Data on behalf of the Data Controller (Brilio).

"Sub-processor": Any third-party data processor engaged by Brilio to process Personal Data on behalf of the Customer.

"Data Subject": The identified or identifiable natural person to whom Personal Data relates.

"Supervisory Authority": An independent public authority established by an EU Member State pursuant to GDPR Article 51.

1.2 GDPR References

References to GDPR articles refer to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

1.3 Interpretation

This DPA supplements the Terms of Service. In case of conflict between this DPA and the Terms of Service regarding data processing, this DPA prevails.

2. SCOPE AND ROLES

2.1 Scope of Processing

Brilio processes Personal Data on behalf of the Customer to provide the Brilio AI platform services, including:
  • User account management and authentication
  • Agent creation, configuration, and interaction management
  • Knowledge base storage and processing
  • Usage analytics and billing
  • Customer support and service improvement

2.2 Controller and Processor Roles

Customer (Data Controller):
  • Determines the purposes and means of processing Personal Data
  • Responsible for obtaining necessary consents from Data Subjects
  • Determines what Personal Data is uploaded to the platform
  • Ensures lawfulness of processing under applicable data protection laws

Brilio (Data Processor):
  • Processes Personal Data only on documented instructions from the Customer
  • Implements appropriate technical and organizational security measures
  • Assists Customer with GDPR compliance obligations
  • Maintains records of processing activities

2.3 Types of Personal Data

Personal Data processed may include:

User Data:
  • Name, email address, phone number
  • Account credentials (hashed passwords)
  • Profile information and preferences
  • IP addresses and device information
  • Usage logs and interaction history

Customer Content:
  • Knowledge base documents and content
  • Agent configurations and prompts
  • Conversation histories and interactions
  • Customer-uploaded files and data

Note: The Customer determines what Personal Data is uploaded. Brilio does not access or analyze Customer Content except as necessary to provide the services or as instructed by the Customer.

2.4 Data Subjects

Data Subjects may include:
  • Customer's employees and authorized users
  • End users interacting with Customer's AI agents
  • Individuals mentioned in Customer Content
  • Visitors to Customer's websites using Brilio widgets

3. PROCESSOR OBLIGATIONS

3.1 Processing Instructions

Brilio shall:
  • Process Personal Data only on documented instructions from the Customer (including via the Terms of Service, this DPA, and through the platform interface)
  • Immediately inform the Customer if asked to process data in a manner that violates applicable data protection laws
  • Not process Personal Data for its own purposes or sell Personal Data to third parties

Customer Instructions: Customer provides processing instructions through:
  • Platform usage (uploading data, creating agents, configuring settings)
  • API calls and integrations
  • Support requests and communications
  • This DPA and Terms of Service

3.2 Confidentiality

Brilio ensures that all personnel authorized to process Personal Data:
  • Are bound by appropriate confidentiality obligations
  • Receive adequate training on data protection requirements
  • Have access only to Personal Data necessary for their role
  • Are subject to disciplinary action for unauthorized disclosure

3.3 Security Measures

Brilio implements appropriate technical and organizational measures to protect Personal Data, including:

Technical Measures:
  • Encryption at rest (AES-256) and in transit (TLS 1.2+)
  • Access controls and authentication (multi-factor authentication for staff)
  • Network security and firewalls
  • Regular security testing and vulnerability scanning
  • Secure software development practices
  • Automated backup and disaster recovery

Organizational Measures:
  • Information security policies and procedures
  • Access management and least privilege principles
  • Employee background checks and training
  • Incident response and breach notification procedures
  • Business continuity and disaster recovery plans
  • Regular security audits and risk assessments

Infrastructure:
  • Hosted on Microsoft Azure with ISO 27001, SOC 2, and GDPR compliance
  • Data residency controls (EU data stored in EU regions where required)
  • Physical security managed by Azure data centers

3.4 Sub-processors

Brilio engages Sub-processors to assist in providing the services. Customer grants general authorization for Brilio to engage Sub-processors, subject to:
  • 30 days' advance notice of new Sub-processor addition or replacement
  • Customer right to object on reasonable data protection grounds
  • Termination right if Customer objects and Brilio cannot accommodate

Current Sub-processors: See Section 10 (Sub-processor List) below.

Sub-processor Obligations:
  • Brilio imposes data protection obligations on Sub-processors equivalent to this DPA
  • Brilio remains fully liable to Customer for Sub-processor performance
  • Sub-processors process data only as necessary to provide specific services

3.5 Data Subject Rights

Brilio shall, to the extent legally permitted and within reasonable timeframes:
  • Assist Customer in responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection)
  • Provide Customer with tools to enable Data Subject rights (account management, data export, deletion)
  • Notify Customer promptly of any Data Subject requests received directly by Brilio
  • Respond to Data Subject requests only as instructed by Customer

Customer Responsibilities:
  • Customer is responsible for responding to Data Subject requests
  • Customer should use platform tools to fulfill requests where possible
  • Customer may request Brilio assistance at support@brilio.ai (response times depend on request complexity)

3.6 Data Protection Impact Assessment (DPIA)

Brilio shall, upon Customer request and to the extent information is available, provide reasonable assistance with:
  • Conducting Data Protection Impact Assessments (DPIA) under GDPR Article 35
  • Prior consultation with Supervisory Authorities under GDPR Article 36
  • Providing information about processing operations, security measures, and Sub-processors

Limitations:
  • Brilio is not responsible for conducting DPIA on Customer's behalf
  • Assistance may be subject to additional fees for extensive requests
  • Brilio may require reasonable advance notice and scope definition

3.7 Deletion and Return of Data

Upon termination of services:

Customer Options:
  • Data Export: Customer may export all data via platform tools (available up to 30 days after termination)
  • Data Deletion: Customer may request deletion of all data

Brilio Actions:
  • Deletes or returns all Personal Data within 30 days of termination, except:
      • Data required for legal, regulatory, or audit purposes (retained only as long as required)
      • Backup copies (deleted within 90 days per automated retention policy)
      • Aggregated, anonymized data (no longer Personal Data)

Deletion Method:
  • Secure deletion rendering data unrecoverable
  • Database records permanently removed
  • Backup purging follows automated schedule

Certification:
  • Upon request, Brilio will provide written certification of data deletion

4. DATA TRANSFERS

4.1 International Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United Arab Emirates and the United States.

4.2 Transfer Mechanisms

For transfers of Personal Data from the EEA to third countries, Brilio relies on:

Microsoft Azure:
  • EU Data Boundary (for EU customers, data stored in EU regions)
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Microsoft's data transfer compliance framework

Other Sub-processors:
  • Standard Contractual Clauses (SCCs) where required
  • Adequacy decisions where available
  • Supplementary measures as needed under Schrems II ruling

4.3 Data Residency

EU Customers:
  • Customer data stored in Microsoft Azure EU regions (West Europe, North Europe)
  • Processing occurs primarily within the EU
  • Remote support access from UAE (via secure access controls)

Other Regions:
  • Data stored in closest available Azure region
  • Processing may occur in multiple regions for performance and redundancy

Customer Control:
  • Enterprise customers may request specific region restrictions
  • Contact support@brilio.ai for data residency requirements

4.4 Government Access Requests

If Brilio receives a legally binding request from a government or law enforcement agency to access Customer Personal Data:
  • Brilio will notify Customer unless legally prohibited
  • Brilio will challenge overly broad or improper requests
  • Brilio will provide only the minimum data required by law
  • Brilio will redirect requests to Customer where legally permissible

5. DATA BREACH NOTIFICATION

5.1 Breach Definition

A "Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

5.2 Notification Timeline

To Customer:
  • Brilio will notify Customer without undue delay and where feasible within 72 hours of becoming aware of a Personal Data Breach affecting Customer data
  • Notification sent to Customer email address on file

To Supervisory Authorities:
  • Customer is responsible for notifying Supervisory Authorities within 72 hours of becoming aware of the breach (GDPR Article 33)
  • Brilio will assist Customer with preparing the notification

To Data Subjects:
  • Customer is responsible for notifying Data Subjects when required under GDPR Article 34
  • Brilio will assist Customer in assessing whether Data Subject notification is required

5.3 Breach Notification Content

Brilio's breach notification to Customer will include, to the extent known:
  • Nature of the breach (categories and approximate number of affected Data Subjects and records)
  • Name and contact details of Brilio's data protection contact (security@brilio.ai)
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate its possible adverse effects

5.4 Investigation and Remediation

Following a breach, Brilio will:
  • Investigate the root cause and scope of the breach
  • Take immediate action to contain and mitigate the breach
  • Implement measures to prevent similar breaches
  • Provide Customer with reasonable assistance in breach response
  • Provide written incident report upon request (within 30 days of resolution)

5.5 Customer Responsibilities

Customer is responsible for:
  • Determining whether the breach requires notification to Supervisory Authorities or Data Subjects
  • Providing such notifications as required under applicable law
  • Maintaining records of breach notifications
  • Complying with all legal obligations arising from the breach

6. AUDITS AND INSPECTIONS

6.1 Audit Rights

Customer may audit Brilio's compliance with this DPA, subject to:
  • Reasonable advance notice (minimum 30 days)
  • Reasonable frequency (maximum once per year, unless required by Supervisory Authority)
  • Reasonable scope and duration (focused on specific compliance concerns)
  • Execution during business hours to minimize service disruption
  • Mutual execution of confidentiality agreement

6.2 Audit Alternatives

To minimize disruption, Brilio may satisfy audit obligations by:
  • Providing existing audit reports (SOC 2, ISO 27001, etc.)
  • Providing completed audit questionnaires
  • Arranging for independent third-party audits

Azure Compliance:
  • Microsoft Azure provides extensive compliance certifications
  • Customer may rely on Azure audit reports for infrastructure controls

6.3 Audit Costs

  • Customer bears all costs of audits initiated by Customer
  • If audit reveals material non-compliance, Brilio shall bear reasonable audit costs
  • Brilio may charge reasonable fees for extensive audit assistance beyond standard compliance documentation

6.4 Regulatory Audits

Brilio will cooperate with Supervisory Authority audits and investigations concerning processing of Customer Personal Data, subject to applicable legal constraints.

7. LIABILITY AND INDEMNIFICATION

7.1 Processor Liability

Under GDPR Article 82, Brilio is liable for damages caused by processing that violates GDPR only where it:
  • Has not complied with obligations specifically directed at processors under GDPR, or
  • Has acted outside or contrary to lawful instructions from Customer

7.2 Indemnification

Brilio Indemnification: Brilio will indemnify, defend, and hold harmless Customer from third-party claims arising from:
  • Brilio's violation of this DPA or applicable data protection laws
  • Brilio's unauthorized processing of Personal Data
  • Brilio's failure to implement appropriate security measures

Customer Indemnification: Customer will indemnify, defend, and hold harmless Brilio from third-party claims arising from:
  • Customer's violation of applicable data protection laws
  • Customer's processing instructions that violate data protection laws
  • Customer Content that violates third-party rights or laws

7.3 Limitation of Liability

Notwithstanding anything in the Terms of Service:
  • Neither party limits or excludes liability for:
      • Data protection law violations (to the extent non-excludable under law)
      • Fraud or willful misconduct
      • Death or personal injury caused by negligence
  • For all other losses, the limitations in the Terms of Service apply

8. TERM AND TERMINATION

8.1 Term

This DPA takes effect on the date Customer accepts the Terms of Service and continues as long as Brilio processes Personal Data on Customer's behalf.

8.2 Termination Effects

Upon termination of the Terms of Service or this DPA:
  • Brilio will cease processing Personal Data (except as required for data retention obligations)
  • Customer may export data within 30 days
  • Brilio will delete or return Personal Data as specified in Section 3.7
  • Sections that by their nature should survive (confidentiality, indemnification, liability, data deletion) remain in effect

8.3 Customer Termination Rights

Customer may terminate this DPA if:
  • Brilio materially breaches this DPA and fails to cure within 30 days
  • Customer objects to a new Sub-processor and Brilio cannot accommodate the objection
  • Required by a Supervisory Authority due to Brilio's non-compliance

Termination Process:
  • Written notice to legal@brilio.ai
  • Opportunity to cure where applicable
  • Mutual cooperation on data transition

9. CHANGES TO THIS DPA

9.1 Modifications

Brilio may modify this DPA to:
  • Comply with changes in data protection laws or regulations
  • Reflect changes in Sub-processors or processing activities
  • Align with industry best practices and standards
  • Address guidance from Supervisory Authorities

Notice:
  • 30 days' advance notice via email and platform announcements
  • Significant changes highlighted in notification
  • Continued use of services constitutes acceptance

9.2 Customer Objection

If Customer objects to DPA changes:
  • Customer may terminate the Terms of Service within the 30-day notice period
  • No termination fees apply if terminated for DPA changes that materially reduce protections
  • Customer may export data before termination

10. SUB-PROCESSOR LIST

10.1 Current Sub-processors

| Sub-processor | Service | Data Processed | Location | Safeguards |
|---|---|---|---|---|
| Microsoft Azure | Cloud hosting, database, storage, AI services (Foundry) | All Customer Data | EU (West Europe, North Europe) for EU customers; other regions as applicable | ISO 27001, SOC 2, GDPR-compliant, Standard Contractual Clauses, EU Data Boundary |
| Stripe, Inc. | Payment processing, subscription management | Name, email, payment method (tokenized) | United States | PCI DSS Level 1, SOC 2, Standard Contractual Clauses |
| Sentry | Error monitoring and logging | Error logs, IP addresses, user IDs (non-PII) | United States | SOC 2, Standard Contractual Clauses, data minimization |
| Google LLC | Website analytics (Google Analytics), SSO authentication | Website usage data (IP, browser, pages visited), email, name (SSO) | United States | Privacy Shield successor framework, Standard Contractual Clauses, data minimization |
| LinkedIn Corporation | SSO authentication | Email, name, profile information (SSO only) | United States | Standard Contractual Clauses, OAuth-based authentication |

10.2 Sub-processor Changes

Notice Procedure:
  • Brilio will provide 30 days' advance notice to Customer via email when adding or replacing a Sub-processor
  • Notification will include:
      • Sub-processor name and location
      • Services to be provided
      • Data to be processed
      • Safeguards in place

Customer Objection:
  • Customer may object to a new Sub-processor on reasonable data protection grounds within 30 days of notice
  • Customer must provide specific, documented reasons for objection
  • Brilio will work with Customer to address concerns (alternative Sub-processor, additional safeguards)
  • If Brilio cannot reasonably accommodate the objection, Customer may terminate the Terms of Service without penalty

10.3 Sub-processor Responsibilities

For each Sub-processor, Brilio ensures:
  • Written contract imposing data protection obligations equivalent to this DPA
  • Sub-processor compliance with applicable data protection laws
  • Regular assessment of Sub-processor security and compliance
  • Right to audit Sub-processor compliance
  • Brilio remains fully liable for Sub-processor performance

10.4 Updates to List

The current Sub-processor list is maintained in this document. Customer may request the current list at any time by emailing legal@brilio.ai.

11. SPECIFIC PROCESSING DETAILS

11.1 Processing Purposes

Brilio processes Personal Data for the following purposes:
  • Providing the Brilio AI platform services
  • User authentication and account management
  • AI agent creation, training, and interaction processing
  • Knowledge base storage and retrieval
  • Usage monitoring and analytics
  • Billing and payment processing
  • Customer support and service improvement
  • Security monitoring and incident response
  • Compliance with legal obligations

11.2 Processing Duration

  • Active Accounts: Personal Data processed for the duration of the Customer account
  • Inactive Accounts: Data retained for 24 months of inactivity + 30-day notice period (see Terms of Service Section 10.4)
  • After Termination: Data deleted within 30 days (see Section 3.7)
  • Legal Retention: Some data retained longer for legal, audit, or regulatory purposes (e.g., billing records for tax compliance)
  • Backups: Backup copies automatically deleted within 90 days per retention policy

11.3 Processing Locations

Primary Processing:
  • EU: West Europe (Netherlands), North Europe (Ireland) for EU customers
  • Middle East: UAE North (Dubai) for Middle East customers
  • Other regions: Nearest Azure region

Secondary Processing:
  • Remote support access: UAE (Ras Al Khaimah)
  • AI model processing: Microsoft Azure AI regions (varies by model)
  • Error monitoring: United States (Sentry)
  • Analytics: United States (Google Analytics)

12. DATA PROTECTION CONTACT

12.1 Brilio Data Protection Contact

For all DPA-related inquiries, Data Subject requests, breach notifications, or compliance questions:

Email: legal@brilio.ai (Data Protection Officer)
Alternative: security@brilio.ai (Security Team)

Response Time:
  • Data Subject requests: Within 72 hours (acknowledgment), within 30 days (fulfillment)
  • Breach notifications: Within 72 hours
  • General DPA inquiries: Within 5 business days

Address: Innovatica Technologies FZ-LLC VUNE0632, Compass Building - Al Hulaila Al Hulaila Industrial Zone-FZ Ras Al Khaimah, United Arab Emirates

12.2 Customer Contact

Customer shall designate a data protection contact and provide:
  • Name and role
  • Email address
  • Preferred language for communications

Customer may update contact information at any time via platform settings or by emailing support@brilio.ai.

13. STANDARD CONTRACTUAL CLAUSES

13.1 Incorporation

Where required under applicable data protection law for transfers of Personal Data from the EEA to third countries, the Standard Contractual Clauses (SCCs) approved by the European Commission are incorporated into this DPA by reference.

Applicable SCCs:
  • Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (Module Two: Controller-to-Processor)

13.2 SCC Details

Parties:
  • Data Exporter: Customer (Data Controller)
  • Data Importer: Brilio (Data Processor)
  • Module: Module Two (Controller-to-Processor)
  • Optional Clauses: As selected in this DPA

SCC Annex I (Parties):
  • See Section 12 (Data Protection Contact) for party details
  • Competent Supervisory Authority: As determined by Customer's location

SCC Annex II (Technical & Organizational Measures):
  • See Section 3.3 (Security Measures)

SCC Annex III (Sub-processors):
  • See Section 10 (Sub-processor List)

13.3 Conflict Resolution

In case of conflict between this DPA and the incorporated SCCs, the SCCs prevail to the extent required by law.

14. ENTIRE AGREEMENT

This DPA, together with the Terms of Service and Privacy Policy, constitutes the entire agreement between the parties concerning the processing of Personal Data. This DPA supersedes any prior data processing agreements or addenda.

For interpretation and enforcement, this DPA is governed by the laws specified in the Terms of Service, except where EU data protection law mandates otherwise.


This DPA is effective as of the date of your acceptance of the Terms of Service and forms an integral part of your agreement with Innovatica Technologies FZ-LLC.

Questions? Contact legal@brilio.ai

Download: You may download a PDF copy of this DPA from your account settings or request one at legal@brilio.ai.