Data Processing Agreement (DPA)

Last Updated: January 23, 2026

Compliant with GDPR (Standard Contractual Clauses) and CCPA.

Data Types Processed

Account information, persona configurations, conversation content, and usage data.

Sub-Processors

• OpenAI (United States) — AI provider
• Anthropic (United States) — AI provider
• Groq (United States) — AI provider
• Mistral (France/EU) — AI provider
• Render (United States) — Hosting
• Stripe (United States) — Payments

Security Measures

TLS 1.3 encryption in transit, AES-256 encryption at rest, PII masking (Enterprise), RBAC via OAuth 2.0, and audit logging.

Breach Notification

We will notify you within 72 hours of a confirmed data breach.

Data Retention on Termination

Data retained for 30 days after account termination, then permanently deleted.

Data Subject Rights

Supported. Contact privacy@personalabai.com.