1. Parties
This DPA is entered into between:
Controller: The Customer who has accepted the Terms of Service and uses the Service in the capacity of data controller.
Processor: Alpha Digital B.V., trading as Custos AI — Stationsplein 26, 6512 AB Nijmegen, NL · KvK 72313129
This DPA forms part of and is incorporated into the Terms of Service. It is entered into in accordance with Article 28 GDPR.
2. Definitions
- "Data Subject" — an identified or identifiable natural person whose Personal Data is processed under this DPA.
- "Personal Data" — any information relating to a Data Subject that is processed by the Processor on behalf of the Controller in connection with the Service.
- "Processing" — any operation or set of operations performed on Personal Data, as defined in Article 4(2) GDPR.
- "Security Incident" — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
- "Sub-processor" — any third party engaged by the Processor to process Personal Data on behalf of the Controller.
3. Scope and Roles
This DPA applies to all Processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Service. The Controller determines the purposes and means of the Processing. The Processor processes Personal Data solely on behalf of the Controller and in accordance with the Controller's documented instructions.
Note on LLM Providers (BYOK): This DPA does not apply to the processing of Personal Data by third-party LLM Providers. Under the BYOK model, the Controller maintains a direct contractual relationship with each LLM Provider through the Controller's own API Keys. The Processor acts solely as a technical conduit transmitting the Controller's requests to the LLM Provider's API; the Processor does not determine the purposes or means of processing performed by LLM Providers.
4. Details of the Processing
Subject matter
The provision of a multi-LLM chat platform, including user account management, chat functionality, file upload and storage, team collaboration features, and associated support services.
Categories of Data Subjects
The Controller's employees, contractors, representatives, and any other individuals whose Personal Data is submitted to the Service by or on behalf of the Controller.
Types of Personal Data
| Category | Examples |
|---|---|
| Account data | Name, email address, hashed password, language preference, MFA configuration |
| Usage data | Login timestamps, session identifiers, IP addresses, device and browser metadata |
| Chat data | Conversation history, prompts, AI-generated responses, selected LLM model per conversation |
| Uploaded files | PDF, DOCX, XLSX, images, CSV and TXT files uploaded by Data Subjects |
| Billing metadata | Subscription plan, billing cycle, Stripe customer identifier |
| Team and workspace data | Organisation name, workspace membership, user roles, shared prompt templates |
| Budget and cost data | Configured API budget limits, estimated token usage and cost per user and provider |
Special categories of data
The Processor does not intentionally process special categories of Personal Data as defined in Article 9 GDPR. The Controller must not submit special categories of Personal Data to the Service unless the Controller has ensured a valid legal basis and appropriate safeguards under Article 9 GDPR.
5. Obligations of the Controller
- The Controller warrants that it has a valid legal basis under the GDPR for the Processing of Personal Data through the Service.
- The Controller is responsible for providing appropriate privacy notices to Data Subjects and for responding to Data Subject requests, with the assistance of the Processor.
- The Controller is responsible for ensuring the lawfulness of any data transmitted to third-party LLM Providers through the Service, including the conclusion of appropriate data processing agreements with those providers.
- The Controller shall provide documented instructions to the Processor regarding the Processing. The Agreement and this DPA constitute the Controller's initial documented instructions.
6. Obligations of the Processor
- The Processor shall process Personal Data only on documented instructions from the Controller.
- The Processor shall ensure that persons authorised to process Personal Data have committed themselves to confidentiality.
- The Processor shall implement and maintain appropriate technical and organisational security measures.
- The Processor shall not engage another processor (Sub-processor) without meeting the conditions set out in Section 8.
- The Processor shall assist the Controller in fulfilling obligations to respond to Data Subject rights requests.
- The Processor shall assist the Controller in ensuring compliance with Articles 32 to 36 GDPR.
- At the choice of the Controller, the Processor shall delete or return all Personal Data after the end of the provision of services.
7. Technical and Organisational Measures
The Processor implements and maintains the following security measures:
| Domain | Measure |
|---|---|
| Encryption at rest | AES-256 for all stored data via Supabase; AES-256-GCM for API Keys |
| Encryption in transit | TLS 1.2 or higher on all connections |
| Authentication | Email + password with mandatory TOTP multi-factor authentication |
| Access control | Least-privilege, role-based access; multi-tenant isolation enforced via Supabase Row Level Security (RLS) at the database layer |
| Network security | HTTPS only; HSTS; Supabase-managed network isolation at the database layer |
| Security headers | HSTS, X-Content-Type-Options, X-Frame-Options, CSP, Referrer-Policy, Permissions-Policy |
| Backup | Daily automated encrypted backups via Supabase; point-in-time recovery available; monthly restore tests |
| Recovery | Target RTO: 4 hours; Target RPO: 24 hours (non-contractual operational targets) |
| Monitoring | Application monitoring via Vercel observability |
| Vulnerability management | OWASP Top 10 assessment; automated dependency scanning (Dependabot); CodeQL static analysis |
| Budget enforcement | LiteLLM-based hard budget limits blocking API calls before transmission to LLM Providers |
| Incident response | Notification to Controller within 48 hours of a Security Incident |
| Data hosting | Exclusively within the EU: Frankfurt, Germany (Supabase) and Amsterdam, Netherlands (TransIP) |
8. Sub-Processors
The Controller grants the Processor general authorisation to engage the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | Frankfurt, Germany (EU) |
| TransIP B.V. | VPS hosting for LiteLLM proxy (budget enforcement, LLM request routing) | Amsterdam, Netherlands (EU) |
| Vercel, Inc. | Frontend and edge compute (website and application) | EU edge network |
| Lettermint | Transactional email delivery | EU |
| Stripe Payments Europe, Ltd. | Payment processing and Stripe Tax | Dublin, Ireland (EU) |
The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes. Notification shall be provided at least 30 days before the change takes effect via the sub-processor list at custosai.eu/sub-processors.
9. Data Subject Rights
The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under Chapter III GDPR (including access, rectification, erasure, restriction, portability, and objection). Where technically feasible, the Processor shall provide the Controller with the means to fulfil such requests, including through self-service functionality in the platform.
10. Security Incidents
- The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Security Incident affecting Personal Data processed on behalf of the Controller.
- The notification shall include: a description of the nature of the Security Incident; the name and contact details of the point of contact; a description of the likely consequences; and a description of the measures taken or proposed.
- If it is not possible to provide all information at once, the Processor shall provide the information in phases without further undue delay.
- The notification of a Security Incident shall not be construed as an acknowledgement of fault or liability by the Processor.
11. Audits
- The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR.
- The Controller may conduct an audit subject to: at least 30 days' prior written notice; a maximum of once per calendar year (unless a Security Incident has occurred); audits conducted during business hours; and costs borne by the Controller.
- The Processor may satisfy audit requests by providing relevant third-party audit reports or certifications (e.g. ISO 27001, SOC 2 Type II) where available.
12. Return and Deletion of Data
- During the term of the Agreement, the Controller may export Personal Data at any time using the self-service export functionality (JSON and CSV formats).
- Upon termination, the Processor shall retain the Controller's Personal Data for 30 calendar days to allow data export.
- After the 30-day retention period, the Processor shall delete all Personal Data and confirm the deletion in writing upon the Controller's request.
- Uploaded files are subject to automatic deletion 30 calendar days from upload by default. Administrators may pin individual files to prevent automatic deletion; pinned files remain until explicitly removed. Enterprise customers may arrange custom retention policies via their contract.
- Backup copies containing Personal Data shall be deleted in accordance with the backup retention schedule (30 days).
13. International Data Transfers
The Processor stores and processes all Customer application data (account data, chat data, uploaded files) exclusively within the EEA: database and file storage in Frankfurt, Germany (via Supabase); LLM request proxy and budget enforcement in Amsterdam, Netherlands (via TransIP).
Certain Sub-processors (Stripe, Vercel, Lettermint) may process limited categories of data outside the EEA. In each case, the Processor ensures that appropriate transfer mechanisms are in place, including Standard Contractual Clauses adopted by the European Commission.
14. Miscellaneous
- Conflict: In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the Processing of Personal Data.
- Amendments: This DPA may be amended by the Processor to reflect changes in applicable data protection law, with at least 30 days' notice of material changes.
- Governing law: This DPA is governed by the laws of the Netherlands. Any dispute shall be submitted to the competent court in Amsterdam.
- Language: This DPA is drafted in English. In the event of a conflict between any translated version and the English version, the English version shall prevail.
15. Contact
For questions about this DPA, contact:
Alpha Digital B.V., trading as Custos AI
Stationsplein 26, 6512 AB Nijmegen, The Netherlands
Email: