Global Software AI
Global Software AI

Data Processing Agreement

Last updated: to be set on publication

Effective: automatically upon your acceptance of the Terms of Service.

This DPA forms part of the Terms of Service between Global Software AI (the "Processor") and you (the "Controller") and governs our processing of personal data on your behalf in our role as processor under GDPR Art. 28.

1. Subject matter and duration

We process Personal Data on your behalf to provide the GSAI Agent service for as long as your subscription is active.

2. Nature and purpose of processing

  • Execute actions the agent takes under your authorisation (reading, drafting, sending email; reading/creating calendar events).
  • Store the agent's working memory (vault) and transactional state.
  • Exchange messages between you and your agent via Telegram.
  • Call third-party APIs (Google, OpenAI, Telegram) as required.

We do not use your Personal Data for any other purpose, including training AI models.

3. Categories of Data Subjects and Personal Data

  • You — your Telegram messages with the agent, Google OAuth tokens, vault contents.
  • Your contacts — email addresses, names, message contents, calendar data contained in your mailbox.

4. Controller's instructions

You instruct us through your configuration (persona, autonomy preset, do-not rules, working hours, language), the OAuth scopes you grant, and the messages you send the agent. We only process on documented instructions.

5. Confidentiality

Personnel authorised to process Personal Data are bound by confidentiality obligations.

6. Security measures

  • TLS 1.2+ in transit; AES-256 at rest.
  • pgsodium application-layer encryption for Google refresh tokens, OpenAI keys, Telegram bot tokens.
  • RLS in Supabase for tenant isolation; audit log of all admin access.
  • One Docker container per customer; no shared application state.
  • 30-day rolling backups; 72-hour breach notification SLA.

7. Sub-processors

Current list maintained at /legal/sub-processors. 14-day advance notice of changes; objection right with termination-without-penalty fallback. Sub-processors are bound by equivalent obligations; we remain liable for their non-compliance.

8. International transfers

EU–US Data Privacy Framework for OpenAI / Resend; Stripe intra-group SCCs.

9. Data Subject rights

We assist you in responding to Data Subject requests. You can edit/delete most data directly in the dashboard. We forward requests received directly to us within 5 business days.

10. Deletion or return on termination

Default: delete within 30 days, except invoices and tax records retained 5 years (Latvian law). On request, we provide JSON export of structured data and a tar of the vault.

11. Audits

Audit right exercisable once per calendar year, 30 days notice, reasonable cost to you (unless audit finds material non-compliance). Our published security documentation may satisfy your audit needs.

12. Personal data breach

72-hour notification with nature, consequences, measures, and point of contact. We cooperate with your own obligations.

13. Liability

Liability provisions in the Terms of Service apply. This DPA prevails for data-protection-specific matters.

14. Governing law

Republic of Latvia.

15. Acceptance

Accepting the Terms accepts this DPA. For counter-signed paper or e-signed DPA, contact privacy@globalsoftware.ai.