1. Definitions
Capitalised terms used here have the meaning given in the EU General Data Protection Regulation (Regulation 2016/679) and, where applicable, the UK GDPR. "Personal Data" means any information relating to an identified or identifiable natural person processed under this DPA. "Sub-processor" means a third party engaged by Ghostbase to process Personal Data on the Customer's behalf.
2. Roles & scope
The Customer is the Controller of Personal Data submitted to the Service. Ghostbase acts as Processor and processes Personal Data solely on the documented instructions of the Customer — namely, the configuration and use of the Service (creating agents, connecting integrations, executing runs, storing memory, billing, and support). Each party will comply with its obligations under applicable data protection law.
3. Subject matter, duration & nature
Subject matter: the provision of the Ghostbase Service.
Duration: the term of the Customer's subscription, plus the deletion windows described below.
Nature & purpose: executing AI agent runs, integrating with third-party tools the Customer authorises, storing workspace content (prompts, knowledge, memory, run logs), processing payments, and providing support.
Categories of Personal Data: identifiers (name, email, organisation), authentication data, billing details, content the Customer or its agents read or write via integrations, and product usage telemetry.
Categories of Data Subjects: the Customer's administrators, end users of its workspace, and any individuals whose data is contained in the third-party tools the Customer connects (e.g. CRM contacts, email correspondents).
4. Sub-processors
The Customer authorises Ghostbase to engage the sub-processors listed below to provide the Service. Each is bound by data protection terms no less protective than this DPA.
- Supabase — managed Postgres + authentication.
- Vercel — application hosting + edge delivery.
- Inngest — background job orchestration for agent runs.
- Stripe — subscription billing + invoicing.
- Resend — transactional email delivery.
- Sentry — error monitoring + performance telemetry.
- Anthropic, OpenAI, Google — LLM inference, with zero data-retention / no-training terms in place.
- Composio — third-party tool integration broker for OAuth + tool execution.
Ghostbase will give the Customer at least 30 days' notice (by email or in-product) before adding or replacing a sub-processor. The Customer may object on reasonable data-protection grounds; if Ghostbase cannot accommodate the objection, the Customer may terminate the affected parts of the Service.
5. Security measures
Ghostbase implements appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These are detailed at ghostbase.io/security and include encryption in transit and at rest, role-based access control with MFA, audit logging, least-privilege internal access, tenant-isolated agent runs, and automatic retention sweeps.
6. Data subject rights
Where a Data Subject contacts Ghostbase directly with a rights request relating to Personal Data processed for the Customer, Ghostbase will redirect the request to the Customer without undue delay. To the extent permitted by applicable law, Ghostbase will assist the Customer in responding to such requests by providing the relevant data access, deletion, or restriction tooling within the Service.
7. Personal Data breach
Ghostbase will notify the Customer without undue delay (and in any event within 72 hours of confirming the incident) of any Personal Data breach affecting the Customer's data, including the nature of the breach, categories and approximate number of Data Subjects and records concerned, likely consequences, and measures taken to address it.
8. International transfers
Where Personal Data is transferred outside the European Economic Area, the United Kingdom, or Switzerland, the parties rely on the European Commission's Standard Contractual Clauses (Module Two, Controller-to-Processor) and, for transfers from the United Kingdom, the International Data Transfer Addendum to those clauses issued by the ICO. These clauses are incorporated into this DPA by reference.
9. Audits
Ghostbase will make available all information necessary to demonstrate compliance with this DPA. Once per year, on at least 30 days' written notice and during normal business hours, the Customer (or an independent auditor on its behalf, bound by confidentiality) may conduct an audit of Ghostbase's data protection practices, at the Customer's expense.
10. Deletion or return of data
Upon termination of the Service, Ghostbase will, at the Customer's choice, delete or return all Personal Data processed under this DPA. Production deletion completes within 30 days; backup deletion within 90 days. Anonymised aggregate analytics may be retained beyond this window.
11. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations of liability set out in the main agreement (Terms of Service), except where law prohibits such limitation.
12. Contact
For DPA-related matters — including audit requests, sub-processor objections, or data-subject escalations — contact support@ghostbase.ai.