Summary of our standard DPA. Full signable version available to enterprise customers under NDA. LGPD (Brazil), GDPR (EU), and CCPA (California) aligned.
This page summarises the standard Brainiall Data Processing Agreement. The full signable version is available to enterprise customers under mutual NDA. Request the executable DPA via legal@brainiall.com.
The DPA governs the processing of personal data by Brainiall ("Processor" / "Operador" under LGPD art. 39; "Processor" under GDPR art. 28) on behalf of the Customer ("Controller" / "Controlador"). It applies whenever the Customer submits personal data into Brainiall platforms — JurAI Pro, Speech AI, NLP, Image, or AI Autopilot.
The Customer determines the purposes and means of processing. Brainiall processes data only under documented Customer instructions, which include the subscription agreement, the specific product configuration, and any written instructions provided through enterprise support channels.
Brainiall processes Customer personal data solely to provide, maintain, and improve the contracted Services. This includes: running inference on Customer inputs, storing Customer artifacts (cases, documents, transcripts), generating audit logs, and supporting the Customer upon request.
Brainiall does not use Customer personal data to train Brainiall models or any third-party models. An explicit no-training clause is included in the executable DPA.
A current list of authorised sub-processors is maintained and available under NDA. Current sub-processors include AWS (compute/storage), Microsoft Azure (redundancy), Vercel (static asset delivery for marketing), and Latitude (AI gateway for app.brainiall.com).
Brainiall will provide the Customer with at least 30 days' notice before adding or replacing sub-processors. The Customer has the right to object; if the parties cannot resolve the objection, the Customer may terminate the affected service.
For Brazilian customers, JurAI Pro data is processed in Brazil (AWS São Paulo region) by default and does not leave national territory unless explicitly configured. For international transfers, Brainiall relies on appropriate safeguards: ANPD-approved mechanisms for Brazil, Standard Contractual Clauses (SCCs) for EU-to-third-country transfers, and comparable mechanisms for other jurisdictions.
Brainiall implements technical and organizational measures appropriate to the risk: AES-256 encryption at rest, TLS 1.3 in transit, MFA for all staff, scoped least-privilege access, hardware security keys for admin access, continuous logging, and vulnerability management. The full security whitepaper is available under NDA. See also /trust.
Brainiall will notify the Customer without undue delay — within 48 hours of confirmation — of any personal data breach affecting Customer data. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and mitigation measures taken or proposed.
Brainiall will assist the Customer in meeting its own notification obligations to supervisory authorities (ANPD, EU DPAs, state AGs) and, where required, to data subjects.
Brainiall will assist the Customer in responding to requests from data subjects exercising rights under LGPD art. 18 (access, correction, deletion, portability, anonymisation, information about sharing, revocation) and GDPR arts. 15-22. Assistance is provided through documented API endpoints and, for enterprise customers, through a dedicated privacy support channel.
Brainiall provides audit rights to enterprise customers through: (a) the latest SOC 2 Type II report under NDA when available (target Q4 2026); (b) security and compliance questionnaires; (c) on-site audits at reasonable cadence with 30 days' notice, at the Customer's cost unless a breach is identified.
Upon termination of the Services, Brainiall will, at the Customer's choice, return or delete all personal data. Standard retention after termination is 30 days for return requests and 90 days for backup purge completion, unless longer retention is required by law.
Liability under the DPA follows the Master Services Agreement, with carve-outs for (a) breach of confidentiality, (b) IP infringement, (c) gross negligence or willful misconduct, and (d) breach of data protection obligations — none of which are subject to the general liability cap.
To receive the signable DPA for your review, contact legal@brainiall.com with your legal entity name, jurisdiction, data residency requirements, and any specific clauses your legal team needs to negotiate.