Data Processing Agreement
Last updated: 1 March 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the Customer ("Controller") and Giorgio Gilestro operating as Berengario ("Processor"). It governs the processing of personal data by the Processor on behalf of the Controller in connection with the Berengario hosted service ("Service").
This DPA is entered into to ensure compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, in particular Article 28 of the UK GDPR.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as processed by the Service on behalf of the Controller.
- "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, or deletion.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.
2. Scope of Processing
2.1 Subject Matter
The Processor processes Personal Data to provide the Service, which includes document ingestion, knowledge base management, AI-powered query answering, and email integration.
2.2 Categories of Personal Data
The following categories of Personal Data may be processed:
- Email addresses and contact information (of Users and email correspondents)
- Email content (headers, body text, attachments)
- Document content uploaded to the Knowledge Base
- Query text and AI-generated responses
- Usage logs and metadata
2.3 Categories of Data Subjects
- The Controller's employees and authorised Users
- Individuals whose data appears in documents or emails processed by the Service
2.4 Duration
Processing continues for the duration of the Terms of Service. Upon termination, Section 10 of this DPA applies.
3. Obligations of the Processor
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required by law.
- Ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations.
- Implement appropriate technical and organisational security measures as described in Section 6.
- Comply with the conditions for engaging Sub-processors as described in Section 5.
- Assist the Controller in responding to data subject requests as described in Section 8.
- Assist the Controller in ensuring compliance with obligations relating to security, breach notification, data protection impact assessments, and prior consultation.
- At the Controller's choice, delete or return all Personal Data upon termination as described in Section 10.
- Make available to the Controller all information necessary to demonstrate compliance with Article 28 obligations and allow for audits as described in Section 9.
- Immediately inform the Controller if, in the Processor's opinion, an instruction infringes the UK GDPR or other data protection provisions.
4. Obligations of the Controller
The Controller shall:
- Ensure that there is a lawful basis for processing Personal Data through the Service.
- Provide clear and documented instructions for the processing of Personal Data.
- Ensure that data subjects have been informed about the processing in accordance with Articles 13 and 14 of the UK GDPR.
- Comply with the Acceptable Use Policy, including restrictions on special category data.
5. Sub-processors
5.1 Authorised Sub-processors
The Controller provides general written authorisation for the Processor to engage Sub-processors. The current list of Sub-processors is:
| Sub-processor |
Purpose |
Location |
| OpenRouter Inc. |
LLM inference for query answering, query optimisation, and document enhancement |
United States |
| OpenAI LLC |
Text embeddings for vector search |
United States |
| Paddle.com Market Limited |
Payment processing and invoicing |
United Kingdom |
5.2 Notification of Changes
The Processor shall notify the Controller at least 30 days in advance of any intended addition or replacement of Sub-processors, providing the Controller with an opportunity to object.
If the Controller objects to a new Sub-processor on reasonable grounds relating to data protection, the parties shall discuss the concern in good faith. If no resolution is reached, the Controller may terminate the Terms of Service.
5.3 Sub-processor Obligations
The Processor shall ensure that each Sub-processor is bound by data protection obligations no less protective than those in this DPA.
6. Security Measures
The Processor implements the following technical and organisational measures to ensure a level of security appropriate to the risk (Article 32 UK GDPR):
6.1 Technical Measures
- Encryption in transit: All data transmitted between the Controller and the Service is encrypted using TLS 1.2 or higher.
- Encryption at rest: Stored data is encrypted using AES-256 or equivalent. Each tenant's data is encrypted with its own unique private key (envelope encryption), ensuring that one tenant's data can never be decrypted using another tenant's key.
- Tenant isolation: Each Controller's data is stored in a separate database, ensuring logical separation from other tenants.
- Access controls: Role-based access controls with authentication required for all service components.
- Backups: Regular encrypted backups with tested recovery procedures.
- Monitoring: System monitoring and logging for security events.
6.2 Organisational Measures
- Confidentiality: All personnel with access to Personal Data are bound by confidentiality obligations.
- Least privilege: Access to Personal Data is limited to those who require it for their role.
- Incident response: Documented procedures for identifying, reporting, and responding to security incidents.
7. Data Breach Notification
In the event of a Data Breach involving the Controller's Personal Data:
- The Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach.
- The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of data subjects and records affected.
- The name and contact details of the point of contact for further information.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach and mitigate its effects.
- The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
8. Data Subject Requests
The Processor shall:
- Promptly notify the Controller if it receives a request from a data subject to exercise their rights under the UK GDPR (access, rectification, erasure, portability, restriction, or objection).
- Not respond to the data subject directly, unless instructed by the Controller.
- Provide the Controller with reasonable assistance in fulfilling data subject requests, taking into account the nature of the processing.
- Provide technical capabilities to support data export (portability) and deletion (erasure) upon request.
9. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations in this DPA and Article 28 of the UK GDPR.
The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to:
- Reasonable advance notice (at least 30 days, except in the case of a Data Breach or regulatory investigation).
- Audits being conducted during normal business hours and in a manner that minimises disruption to the Processor's operations.
- The auditor being bound by appropriate confidentiality obligations.
- A maximum of one audit per 12-month period, unless required by a supervisory authority or triggered by a Data Breach.
10. Data Return and Deletion
Upon termination of the Terms of Service, at the Controller's choice:
- Data return: The Processor shall provide the Controller with a complete export of their data in a structured, commonly used, and machine-readable format. The Controller shall have at least 30 days to request and complete the export.
- Data deletion: After the export period (or immediately if the Controller requests deletion), the Processor shall delete all Personal Data from its systems, including backups, within 90 days.
- Certification: Upon request, the Processor shall provide written confirmation that deletion has been completed.
The Processor may retain Personal Data to the extent required by applicable law, provided that the Processor ensures confidentiality and processes such data only for the purpose required by law.
11. International Transfers
Where Personal Data is transferred to Sub-processors outside the United Kingdom, the Processor shall ensure that appropriate safeguards are in place, including:
- The UK-US Data Bridge (UK extension of the EU-US Data Privacy Framework), where the recipient is certified.
- Standard Contractual Clauses (SCCs) approved by the ICO, incorporated into agreements with Sub-processors.
The Processor shall inform the Controller of any transfer of Personal Data to a third country and the safeguards in place.
12. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service.
13. Governing Law
This DPA is governed by and construed in accordance with the laws of England and Wales.
14. Contact
For any questions about this DPA:
Giorgio Gilestro
Email: support@berengar.io
ICO registration: ZC098928