Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of, and is governed by, the Burooj Terms of Service (the “Agreement”) between Burooj (“Processor”) and the customer accepting these Terms (“Controller” or “you”). It applies where, and to the extent that, Processor processes Personal Data on behalf of Controller as part of providing the Service.

Where you use Burooj only to build or deploy a project for yourself and do not process Personal Data of third parties through the Service, this DPA does not apply and the Privacy Policy governs processing of your own Personal Data, for which Burooj is the controller.

1. Definitions

• GDPR means Regulation (EU) 2016/679; UK GDPR means the UK version of the GDPR as incorporated by the Data Protection Act 2018. References in this DPA to the GDPR include the UK GDPR where it applies.
• Personal Data, Processing, Controller, Processor, Sub-processor, Data Subject, Supervisory Authority, and Personal Data Breach have the meanings given in the GDPR.
• SCCs means the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
• UK Addendum means the UK International Data Transfer Addendum to the EU SCCs issued by the UK ICO (version B1.0, in force 21 March 2022) or such later version as the ICO may approve.
• DPF means the EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795) and the UK Extension to the DPF.
• Annexes are Annexes I, II, and III to this DPA, which are incorporated by reference.

2. Roles and Scope (GDPR Art. 28)

For Personal Data that Controller submits to the Service about individuals other than Controller itself (e.g., end users of Controller's generated product), Controller is the controller and Processor is the processor. The parties' respective obligations under Articles 28(3)(a)–(h) GDPR are set out in Sections 4–10 below. Subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are set out in Annex I.

3. Controller Obligations

• Controller is responsible for establishing and documenting a lawful basis for the Processing (GDPR Art. 6) and, where applicable, obtaining appropriate consent (GDPR Art. 7).
• Controller will give Data Subjects the transparency information required by Articles 13 and 14 GDPR.
• Controller warrants that its instructions to Processor (including the configuration of the Service) comply with applicable data-protection law.
• Controller will not submit special categories of Personal Data (GDPR Art. 9) or criminal-offence data (GDPR Art. 10) through the Service unless expressly agreed in writing with Processor and supported by additional safeguards.
• Controller is responsible for the security of its own credentials, access tokens, and export-controlled content.

4. Processor Obligations (Art. 28(3))

4.1 Documented Instructions (Art. 28(3)(a))

Processor shall process Personal Data only on Controller's documented instructions, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law (or UK law) to which Processor is subject; in such a case, Processor shall inform Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. The Agreement, this DPA, and Controller's configuration choices constitute Controller's complete and final instructions at the effective date. Additional instructions must be agreed separately and may be subject to fees.

Notice of infringing instructions. If Processor considers, in its reasonable opinion, that an instruction infringes the GDPR or other Union, Member State, or UK data-protection law, Processor shall immediately inform Controller (Art. 28(3), second sub-paragraph).

4.2 Confidentiality (Art. 28(3)(b))

Processor ensures that persons authorised to process Personal Data are bound by an appropriate obligation of confidentiality (contractual or statutory) and access Personal Data on a strict need-to-know basis.

4.3 Security Measures (Art. 28(3)(c) and Art. 32)

Processor implements the technical and organisational measures set out in Annex II and will keep them under review to address changes in risk.

4.4 Sub-processors (Art. 28(3)(d) and Art. 28(2) & (4))

Controller grants Processor general written authorisation to engage Sub-processors listed in Annex III. Processor will inform Controller of any intended change (addition or replacement) at least 30 days before the change takes effect, by updating the public list at burooj.ai/privacy §6 and, for subscribers, by email.

Controller may object for reasonable data-protection-related grounds within 15 days of notice. If Processor cannot offer a commercially reasonable alternative, Controller may terminate the affected part of the Service as its sole remedy; Sections 11 and 12 of the Terms govern the effect of such termination.

Processor will impose on each Sub-processor, by way of a written contract, data-protection obligations that provide the same level of protection as this DPA, insofar as applicable to the nature of the Sub-processor's services (in particular providing sufficient guarantees to implement appropriate technical and organisational measures in accordance with Article 32 GDPR). Processor remains fully liable to Controller for the performance of each Sub-processor's data-protection obligations.

Where Processor uses a Sub-processor's pre-signed processing terms (e.g., Google Cloud DPA, Anthropic Commercial Terms, Supabase DPA), Controller accepts those terms as the flow-down contract for the relevant Sub-processor, subject to Processor's continuing liability under this Section 4.4.

4.5 Assistance with Data-Subject Rights (Art. 28(3)(e))

Taking into account the nature of the Processing, Processor will assist Controller by appropriate technical and organisational measures — insofar as possible — to respond to requests to exercise rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection, automated decisions). The Service exposes self-service mechanisms for export (/gdpr/export) and deletion (/gdpr/delete) that cascade through all tables and object storage.

4.6 Assistance with Security, Breach, DPIA, and Prior Consultation (Art. 28(3)(f))

Processor will assist Controller in complying with its obligations under Articles 32–36 GDPR, taking into account the nature of Processing and the information available to Processor, including:

• implementing the measures in Annex II (Art. 32);
• notifying Controller of Personal Data Breaches (Art. 33) — see Section 7;
• providing information reasonably needed for Data Protection Impact Assessments (Art. 35) and prior consultations with Supervisory Authorities (Art. 36).

4.7 Return or Deletion on Termination (Art. 28(3)(g))

At Controller's choice, Processor will delete or return all Personal Data after the end of the provision of the Service and delete existing copies, unless Union or Member State (or UK) law requires storage (e.g., tax records under the Privacy Policy). If Controller does not make a choice within 30 days of termination, Processor will delete the Personal Data.

4.8 Information and Audits (Art. 28(3)(h))

Processor will make available to Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections. See Section 9.

5. International Transfers

Processor may transfer Personal Data outside the EEA and the UK to the Sub-processors listed in Annex III, subject to the following transfer mechanisms, applied in the order of priority stated:

1. Adequacy. If the recipient is located in, or certified under a mechanism within, a third country subject to a current European Commission adequacy decision (including the EU-US DPF, and its UK Extension where the recipient is additionally certified under the UK Extension), transfers are made on that basis.
2. SCCs / UK Addendum. Where adequacy is not available, Processor and Controller are deemed to have entered into Module 3 (Processor-to-Processor) of the SCCs, and the UK Addendum where the transfer is from the UK. The Annexes to the SCCs are completed using the corresponding information in Annexes I–III of this DPA. Module 2 (Controller-to-Processor) applies to the limited scope in which Controller acts as controller and Processor acts as processor for Controller's own Personal Data.
3. Transfer Impact Assessment. For destinations where the transfer mechanism's effectiveness may be affected by third-country law (in particular for MiniMax in the People's Republic of China), Processor performs a Transfer Impact Assessment consistent with EDPB Recommendations 01/2020 and applies supplementary measures including: contractual no-training, transient processing (no persistent storage on the AI provider), on-path encryption in transit, minimum-necessary data, logging of access requests, and vendor substitution if the assessment ceases to support the transfer.

If the Commission's adequacy decision in respect of the EU-US DPF is invalidated or suspended, the SCCs described in paragraph 2 apply automatically to transfers previously covered by it, without the need for further action by either party.

6. Records and Instructions

Processor maintains a record of Processing activities carried out on behalf of Controller pursuant to GDPR Art. 30(2) and will make it available to Controller or to a Supervisory Authority on request.

7. Personal Data Breach Notification (Art. 33)

Processor will notify Controller without undue delay and in any event within 72 hours after becoming aware of a Personal Data Breach affecting Controller's Personal Data. The notification will describe, to the extent known:

• the nature of the breach, categories and approximate number of Data Subjects and records affected;
• likely consequences;
• measures taken or proposed to address the breach and mitigate its effects;
• name and contact details of Processor's privacy contact.

Where information is incomplete at first notice, Processor will provide further information in phases as it becomes available. Reach our security contact at [email protected].

8. Data Subject Requests and Regulatory Requests

Processor will promptly forward to Controller any request received directly from a Data Subject relating to Controller's Processing, without responding to the request itself unless authorised by Controller or legally compelled. Processor will similarly notify Controller of any binding request received from a public authority (including law enforcement) relating to Controller's Personal Data, unless prohibited by law from doing so.

9. Audits

Controller may audit Processor's compliance with this DPA, at Controller's expense, no more than once per 12-month period (except following a Personal Data Breach), on at least 30 days' written notice, during business hours, and subject to reasonable confidentiality obligations. Processor may satisfy an audit request by providing (a) a current SOC 2 Type II report, (b) an equivalent independent third-party certification, or (c) a written response to a standard information-security questionnaire. Where these responses are insufficient to address a specific, well-founded concern, Processor will cooperate with a proportionate on-site inspection by Controller or a mutually-agreed independent auditor.

10. Liability

Each party's liability under this DPA is subject to the limitations and exclusions in the Agreement. Nothing in this DPA excludes or limits a party's liability to the extent such liability cannot be limited or excluded under mandatory law, including liability to Data Subjects under GDPR Art. 82.

11. Order of Precedence

In the event of conflict, the order of precedence is: (i) the SCCs (including the UK Addendum) as incorporated by Section 5; (ii) this DPA; (iii) the Agreement; (iv) any other document referenced in the Agreement.

12. Governing Law and Forum

This DPA is governed by and construed in accordance with the governing law of the Agreement, except that the SCCs (and, where applicable, the UK Addendum) are governed by the law chosen in those clauses. Where the SCCs apply, the forum selected in Clause 18 of the SCCs controls disputes arising under the SCCs.

13. Term and Termination

This DPA is effective for the duration of the Agreement. Obligations that by their nature extend beyond termination (including Section 4.7 on return or deletion, Section 7 on breach notification for breaches discovered after termination, and Section 10 on liability) survive.

---

Annex I — Processing Details

I.A List of Parties

Data exporter / Controller. The Burooj customer identified in the Agreement; contact as provided in the customer's account.

Data importer / Processor. Burooj. Contact: [email protected].

I.B Description of Processing

Item	Details
Subject matter	Provision of the AI-assisted software generation and deployment Service described in the Agreement.
Duration	For the term of the Agreement, plus any retention period required by law (see Privacy Policy §10).
Nature and purpose	Processing prompts, conversation transcripts, functional specs, and generated code to deliver the Service; storage, retrieval, transmission, analysis for quality/abuse, and deployment.
Types of Personal Data	Contact information (name, email), account identifiers, content submitted by Controller (which may include Personal Data of end users if Controller chooses to include it), usage/telemetry data, IP address and technical identifiers, payment metadata (no card data).
Categories of Data Subjects	Controller's employees, contractors, and end users whose data Controller chooses to process through the Service.
Frequency	Continuous, on Controller's instructions.
Competent Supervisory Authority	The authority determined under Clause 13 SCCs / Annex I(C). For UK transfers, the UK Information Commissioner's Office.

I.C Competent Supervisory Authority (SCC Clause 13)

Where the GDPR applies, the competent authority is that of the Member State in which Controller is established, or where Controller is not EU-established, the authority of the Member State where the Data Subjects are located (with the Irish DPC nominated where no other applies). For UK transfers, the ICO.

Annex II — Technical and Organisational Measures (Art. 32)

• Encryption in transit. TLS 1.3 for all API and web traffic; HSTS; strict TLS configuration on all edges.
• Encryption at rest. AES-256 for database (Supabase / PostgreSQL) and object storage (Google Cloud Storage).
• Access control. Row-Level Security on every database table; least-privilege IAM; MFA required for all administrative access; no standing production access.
• Authentication. Supabase Auth with bcrypt password hashing; no plain-text credentials stored.
• Network isolation. Build containers run in gVisor sandboxes on GKE Autopilot with network policies restricting egress.
• Secrets management. GCP Secret Manager; no secrets in code or logs; automatic rotation for supported secrets.
• Logging and monitoring. Centralised observability via Grafana Cloud; security-relevant events captured; alerting on anomalies.
• Vulnerability management. Trivy (images), Semgrep (SAST), TruffleHog (secrets) and dependency audits run on every build; weekly SCA; patch SLA 7 days for critical vulnerabilities.
• Change management. Version-controlled infrastructure as code; CI-gated deployments; mandatory code review.
• Backup and recovery. Automated database backups; documented restore procedure with annual recovery test.
• Personnel. Confidentiality obligations for all personnel; onboarding security training; offboarding revokes access within 24 hours.
• Incident response. Documented runbook; 72-hour breach notification commitment (Art. 33); post-incident review and disclosure.
• Data minimisation. Prompts and generated code are routed to AI providers transiently where possible; no retention by providers beyond contractual windows.
• Physical security. Inherited from sub-processors (Google Cloud, AWS via Supabase / Neon). No on-premises infrastructure.

Annex III — Sub-processors

The current list of Sub-processors is published and maintained at burooj.ai/privacy §6, which is incorporated here by reference. It includes, at the date of this DPA: Supabase, Google (Cloud and Gemini), Anthropic, OpenAI, MiniMax, Cloudflare, Sentry, Resend, Upstash, Grafana Labs, Temporal Technologies, and Neon. Paddle is a separate controller for payment and tax data and is not a Sub-processor under this DPA.

This DPA is a template incorporating Articles 28(3) and 32 GDPR, the 2021 SCCs (Module 3 primary; Module 2 where relevant), and the UK IDTA/Addendum regime. It has been reviewed by counsel familiar with SaaS data-processing terms. Material changes will be notified under Section 13 of the Privacy Policy.