
Data Processing Agreement

Controller–Processor DPA

This Data Processing Agreement (DPA) forms part of and is incorporated by reference into the Agreement between Bayescase GmbH (Processor) and the Customer identified in the applicable Order (Controller) for use of the Service.

1. Parties and Roles

  • Controller: The Bayescase customer identified in the Order.
  • Processor: Bayescase GmbH, Julius-Hatry-Straße 1, 68163 Mannheim, Germany.
  • Roles:
    • For Customer Personal Data processed within the Service on behalf of Controller, Bayescase acts as Processor.
    • For account, billing, communications, marketing and telemetry data for which Bayescase determines the purposes and means, Bayescase acts as an independent Controller (out of scope of this DPA and governed by Bayescase's Privacy Policy).
    • For model improvement/training activities described in Section 4.6, Bayescase acts as an independent Controller; Controller may opt out as set forth there.

2. Definitions

  • Customer Personal Data: any personal data (Art. 4(1) GDPR) provided by or on behalf of Controller to the Service for processing on Controller's behalf.
  • Service: Bayescase's hosted software service described in the Agreement.
  • Sub-processor: any Processor engaged by Bayescase to process Customer Personal Data.
  • EU GDPR, UK GDPR, and Swiss FADP have the meanings given under applicable law. Capitalized terms not defined here have the meanings in the Agreement or GDPR.

3. Subject Matter, Duration, Nature and Purpose

  • Subject matter and duration: Processing of Customer Personal Data as necessary to provide the Service during the Subscription Term and for 30 days thereafter for export, followed by deletion subject to backups as described below.
  • Nature and purpose: Hosting, storage, retrieval, transmission, analysis, transformation, and other processing necessary to provide, secure, maintain, and support the Service for Controller, including optional AI features and fraud/abuse prevention.
  • Categories of personal data: Typical B2B SaaS user/account data (e.g., name, business email, role, organization, user IDs), usage and event logs, and any personal data contained in Customer's inputs or datasets uploaded to/entered into the Service. Controller shall not input special categories of personal data (Art. 9 GDPR) or children's data without a written amendment.
  • Categories of data subjects: Authorized Users and Customer's business contacts whose personal data Controller inputs into the Service.
  • Sensitive data: Not intended. Controller will not submit health, biometric, genetic, or other special category data; no children's data.

4. Controller Instructions; Processor Obligations

4.1 Instructions. Bayescase shall process Customer Personal Data only on documented instructions from Controller, including as set out in the Agreement, this DPA, and Controller's configuration of the Service. If Bayescase is required by EU, Member State, UK, Swiss or other applicable law to process Customer Personal Data beyond Controller's instructions, Bayescase will inform Controller before processing unless the law prohibits such notice.

4.2 Confidentiality. Bayescase ensures that persons authorized to process Customer Personal Data are bound by confidentiality obligations.

4.3 Security. Bayescase implements technical and organizational measures (TOMs) appropriate to the risk, as described in Annex II, including encryption in transit and at rest, access controls, logging, and backups.

4.4 Assistance. Taking into account the nature of the processing, Bayescase assists Controller by appropriate technical and organizational measures insofar as possible for the fulfilment of Controller's obligations to respond to data subject requests under Chapter III GDPR, and to conduct data protection impact assessments and consultations with supervisory authorities (Articles 35–36 GDPR). Bayescase may charge reasonable fees for assistance that goes beyond basic configuration or self-service capabilities of the Service.

4.5 Personal data breaches. Bayescase will notify Controller without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably required by Controller to comply with Articles 33–34 GDPR as it becomes available. Notification will be sent to the admin email on the account unless Controller designates another address.

4.6 Model improvement/training (separate controllers). To improve and develop the Service, Bayescase may use Customer's inputs and Outputs to train, fine-tune, or otherwise improve algorithms, models, and features. For such improvement/training, Bayescase acts as an independent Controller, relies on legitimate interests (Art. 6(1)(f) GDPR), applies appropriate safeguards (e.g., de-identification where feasible), and honors Controller's opt-out at any time via email to privacy@bayescase.com. If Controller opts out, Bayescase will not include Controller's inputs/Outputs in training datasets after the opt-out effective date; this does not affect processing strictly necessary to provide the Service as Processor.

5. Sub-processing

5.1 Authorization. Controller grants Bayescase a general authorization to engage Sub-processors to process Customer Personal Data. The current list is available at https://bayescase.com/subprocessors and includes only processors engaged by Bayescase in its capacity as Processor for Service data. Vendors used by Bayescase in its own capacity as Controller (e.g., for billing or CRM) are not Sub-processors under this DPA.

5.2 Requirements. Bayescase shall:

  • impose on Sub-processors data protection obligations no less protective than those in this DPA (including TOMs and, where applicable, SCCs), and
  • remain responsible for Sub-processors' performance.

5.3 Changes. Bayescase will provide at least 30 days' prior notice of additions/replacements via the Sub-processor page or email. Controller may object on reasonable data protection grounds within that period. If the parties cannot resolve an objection in good faith, Controller may terminate the affected Service and receive a pro rata refund for prepaid, unused fees.

6. International Transfers

6.1 Locations. Bayescase primarily hosts and processes Customer Personal Data in the EU/EEA (AWS eu-central-1, Frankfurt). During the beta phase and until migration to Azure OpenAI in an EU region is completed, certain AI processing of inputs/outputs by Bayescase's AI provider may occur in the United States.

6.2 Safeguards. Where Customer Personal Data is transferred to a third country without an adequacy decision:

  • For EU GDPR: The EU Standard Contractual Clauses (SCCs) adopted by Commission Decision 2021/914 are incorporated by reference. Module 2 (Controller-to-Processor) applies to transfers from Controller to Bayescase; Module 3 (Processor-to-Processor) applies between Bayescase and Sub-processors. The parties populate the SCCs as set out in Annex I and Annex II to this DPA. In case of conflict, the SCCs prevail for the relevant transfer.
  • For UK GDPR: The UK International Data Transfer Addendum (IDTA) to the EU SCCs (version issued by the UK ICO and in force on the Effective Date) is incorporated and applies to relevant transfers; the EU SCCs as amended by the UK Addendum form the relevant transfer mechanism.
  • For Switzerland: The Swiss FDPIC's provisions apply. The EU SCCs are adapted so references to GDPR are read as references to Swiss law, and supervisory authority references include the FDPIC.

6.3 Supplementary measures. Bayescase will implement appropriate supplementary measures (e.g., encryption in transit and at rest, access controls, data minimization), assess laws/practices of the destination country where reasonably possible, and document a transfer impact assessment (TIA) upon request. Bayescase will notify Controller if it can no longer comply with the SCCs and, if feasible, will suspend the relevant transfer or propose a reasonable alternative.

6.4 EU-only option. Bayescase will notify Controller when EU-region AI processing is available and will provide a configuration or account option to restrict AI processing to the EU/EEA thereafter upon Controller's request.

7. Audits and Information Rights

  • Upon reasonable written request (not more than once in any 12-month period unless required by a competent authority or following a confirmed personal data breach), Bayescase will make available information necessary to demonstrate compliance with Article 28 GDPR, which may include: security whitepapers, policy summaries, responses to security questionnaires, and descriptions of TOMs.
  • Onsite audits are not permitted except where required by applicable law or a competent supervisory authority. Any audit will be conducted during normal business hours, in a manner that minimizes disruption, subject to confidentiality obligations, and at Controller's expense.

8. Data Retention, Return, and Deletion

During the Subscription Term and for 30 days after termination/expiry (provided all undisputed fees are paid), Controller may export Customer Personal Data via the Service or upon request. After that period, Bayescase will delete Customer Personal Data from active systems and processing schedules, subject to legal retention obligations and standard encrypted rolling backups with a maximum retention of 35 days. Data contained in backups will be overwritten in the ordinary course of backup rotation and is not restored except for disaster recovery.

9. Liability; Order of Precedence

  • The parties' respective liability under or in connection with this DPA is governed by the limitation of liability in the Agreement. Nothing in this DPA limits either party's liability where such limitation is not permitted by law, or under the SCCs for the relevant restricted transfers.
  • In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to processing of Customer Personal Data. In the event of a conflict with the SCCs for a restricted transfer, the SCCs prevail for that transfer.

10. Miscellaneous

  • Personnel; access. Bayescase ensures that access to Customer Personal Data is limited to personnel who require it for the purposes of the Service, and that such access is revoked when no longer needed.
  • Records. Bayescase will maintain records of processing activities as required by Article 30(2) GDPR and make them available to supervisory authorities upon request.
  • Government access requests. Where legally permissible, Bayescase will notify Controller of government or other third-party requests for Customer Personal Data and will challenge unlawful requests. Bayescase will disclose only the minimum required to comply with the law.
  • Term. This DPA remains in force for so long as Bayescase processes Customer Personal Data on behalf of Controller under the Agreement.

Annex II – Technical and Organizational Measures

Bayescase implements and maintains the following measures, proportionate to the risks of processing Customer Personal Data in the Service. Measures are reviewed periodically and updated as necessary.

Organization and governance: Security responsibilities are assigned to Bayescase's founder/management. Personnel with access to Customer Personal Data are bound by confidentiality. Basic security awareness practices are applied.

Access controls and authentication: Named, least privilege access to production systems and Customer Personal Data. Timely provisioning and deprovisioning (typically within 24–48 hours) when roles change or staff leave. Multi-factor authentication (MFA) for privileged access to production and cloud consoles.

Physical and infrastructure security: Use of leading cloud providers' data centers (e.g., AWS eu-central-1) with certified physical security. Bayescase does not operate its own data centers.

Encryption and key management: Encryption in transit (TLS 1.2+) for data flows under Bayescase's control. Encryption at rest for databases, storage, and backups using cloud provider managed encryption. Keys are managed using cloud-native key management in the primary region; access to keys is restricted and logged.

Network and application security: Cloud network security controls (e.g., security groups, managed firewalls) configured to restrict inbound access to necessary ports/services. Software dependencies and platforms are kept reasonably up to date; critical security patches are applied in a commercially reasonable timeframe. Basic logging of administrative actions and access to Customer Personal Data; monitoring of critical infrastructure/service health.

Data management and segregation: Logical separation of Customer Data by account/tenant identifiers. Data minimization and purpose limitation applied to reduce personal data exposure.

Backup and recovery: Regular encrypted backups of Customer Data with a typical retention of up to 35 days. Procedures to restore data from backups; restoration capability is reviewed from time to time.

Incident management: Incident response procedures covering detection, assessment, containment, and recovery. Notification to Controller without undue delay upon becoming aware of a personal data breach affecting Customer Personal Data, with updates as information becomes available.

Vendor and sub-processor management: Data processing agreements with Sub-processors, including appropriate safeguards for international transfers (e.g., SCCs). Risk-based onboarding and a maintained Sub-processor register with change notifications.

Business continuity: Use of cloud-native redundancy for critical components; commercially reasonable efforts to restore service in the event of a disruption.