Data Processing Agreement
Last updated:
This Data Processing Agreement (the "DPA") forms part of the Terms of Service between Bruno ("Processor") and the customer ("Controller") for the use of the Bruno Service. It governs the Processor's processing of personal data on the Controller's behalf and incorporates, where applicable, the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (IDTA).
1. Roles & scope
The Controller determines the purposes and means of processing personal data of its end users ("Visitor Data") and instructs the Processor to process Visitor Data solely to provide the Service. The Processor processes Visitor Data only on the documented instructions of the Controller, including these Terms, the documented configuration in the dashboard, and lawful written requests sent to help@bruno.support.
2. Processing on instructions
The Processor will not process Visitor Data for any purpose other than to provide and improve the Service, to maintain its security, and to comply with applicable law. If the Processor believes an instruction violates data-protection law, it will notify the Controller without undue delay.
3. Confidentiality
The Processor ensures that personnel authorised to process Visitor Data are bound by appropriate obligations of confidentiality and have received training in their data-protection responsibilities. Access to Visitor Data is granted on a need-to-know basis and is logged.
4. Security
The Processor implements appropriate technical and organisational measures to protect Visitor Data, taking into account the state of the art, the cost of implementation, and the nature, scope, context, and purpose of processing as well as the risks. Annex II describes the measures in force.
5. Subprocessing
The Controller authorises the Processor to engage the subprocessors listed in /legal/subprocessors.html and Annex III. The Processor will (a) impose data-protection obligations on each subprocessor that are no less protective than those in this DPA, and (b) remain liable to the Controller for the acts and omissions of subprocessors. The Processor will provide at least 30 days' prior notice of any new subprocessor by updating the published list and notifying account owners by email; the Controller may object on reasonable data-protection grounds.
6. Data subject requests
Taking into account the nature of the processing, the Processor will provide reasonable assistance to the Controller in responding to requests from data subjects to exercise their rights. The Controller may submit such requests, and request export or deletion of specific Visitor Data, by emailing help@bruno.support. If a data subject contacts the Processor directly, the Processor will refer them to the Controller.
7. Breach notification
The Processor will notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of any personal data breach affecting Visitor Data. The notice will include the available facts, the likely consequences, and the measures taken or proposed.
8. Audits
The Processor will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. Where the Controller reasonably requests an audit, it may be satisfied by the Processor's then-current third-party reports or self-assessments. On-site audits, if any, will be conducted at the Controller's expense, on reasonable notice, during business hours, subject to confidentiality, and limited to once per 12 months unless required by a regulator.
9. Deletion or return
On termination of the agreement, the Processor will delete or return all Visitor Data, at the Controller's choice. Provider-managed backups are encrypted and retained briefly for disaster recovery; Visitor Data restored from a backup is purged again on the next normal cycle. Prior to termination the Controller may at any time request export or targeted deletion of Visitor Data by emailing help@bruno.support.
10. International transfers
Where Visitor Data is transferred outside the EEA / UK / Switzerland, the parties incorporate by reference (a) the SCCs (Module 2: Controller-to-Processor) and (b) the UK IDTA, supplemented by the technical measures in Annex II. Annex I.A identifies the parties and Annex I.B identifies the data and processing.
11. Liability
Each party's liability under this DPA is subject to the limitation of liability in the Terms.
Annex I - Description of processing
A. Parties
- Data exporter (Controller): the customer that signed up for the Service, identified by the account email and any organisation details provided in the dashboard.
- Data importer (Processor): Bruno, located in Massachusetts, United States.
- Contact for both: the data exporter via the email on file in the dashboard; the data importer at help@bruno.support.
B. Description of processing
- Categories of data subjects: end users of the Controller's website who interact with the Bruno widget.
- Categories of personal data: chat messages, page-context summaries (URL, title, headings, visible interactive elements, same-origin links), session identifiers, truncated IP addresses, coarse user-agent strings, request timestamps. The Service does not request or process special-category data and asks Controllers not to upload such data.
- Sensitive data: not requested. The widget refuses to read password fields and does not extract form values from the page.
- Frequency of processing: continuous, in response to visitor interactions.
- Nature of processing: hosting, retrieval, model inference, action proposal and consent capture, analytics, audit logging.
- Purpose: to provide the AI support assistant Service.
- Retention: Visitor Data is retained while the Controller's account and the corresponding website remain active, and is deleted on website or account deletion or earlier on the Controller's request. Provider-managed backups are encrypted and retained briefly for disaster recovery only.
C. Competent supervisory authority
The supervisory authority that is competent for the Controller, or as identified in the SCCs, will be the competent authority. For the UK IDTA, this is the UK Information Commissioner's Office.
Annex II - Technical and organisational measures
A. Encryption
- HTTPS (TLS 1.2+) for all public traffic. WSS for chat sockets.
- Database storage is encrypted at rest by the hosting provider. Object storage uses server-side encryption at rest.
- Secrets stored in a managed secret store; never logged.
B. Access control
- Production access is restricted to a small number of authorised Bruno personnel on a need-to-debug basis.
- Strong, unique passwords with modern memory-hard hashing for customer accounts; short-lived signed session tokens with rotating refresh tokens.
- Tenant scoping enforced at the application layer; every read and write keyed by website ID, including background jobs.
C. Integrity, availability, resilience
- Provider-managed backups for disaster recovery, encrypted at rest.
- Health checks and automated alerts for the API, worker, and storage.
- Rate limiting at the edge for authentication and write endpoints.
D. Logging & monitoring
- Application and internal audit logs are retained for the period necessary to operate and secure the Service, and access is restricted to authorised personnel.
- Security events are triaged by on-call personnel.
E. Personnel
- Staff sign confidentiality undertakings.
- Security awareness expectations are documented for all team members.
F. Data minimisation
- Page extraction excludes form values, password fields, and hidden inputs.
- The Controller may request deletion of specific Visitor Data, or of an entire website's data, at any time by emailing help@bruno.support.
G. Incident management
- Documented incident-response runbook.
- Breach notification within 72 hours of awareness.
H. Vendor management
- Subprocessors are vetted for security posture and contractually bound to equivalent obligations.
Annex III - Authorised subprocessors
The current list of authorised subprocessors, with purpose and region, is published at /legal/subprocessors.html. That list is incorporated into this DPA by reference and may be updated as set out in clause 5.