Data Processing Agreement

This Data Processing Agreement (DPA) defines how Brainova AI processes personal data on behalf of our customers. It establishes binding obligations for data security, breach notification, sub-processor management, and compliance with Canadian and international privacy laws. Available to all Professional and Enterprise plan customers.

Agreement Overview

This DPA supplements the Brainova AI Terms of Service and applies whenever Brainova AI processes Personal Data on behalf of a Customer in connection with the use of Brainova Talk, Brainova AI Inventory, or AI Integration Services.

The DPA takes effect on the date both parties execute it and remains in effect for the duration of the Customer's service agreement. In the event of a conflict between this DPA and the Terms of Service, this DPA governs with respect to the processing of Personal Data.

This agreement reflects the data protection commitments of Brainova AI Inc., a company incorporated in British Columbia, Canada. Legal notices may be sent to legal@brainova.ai.

Definitions

The following terms have specific meanings within this Data Processing Agreement.

Data Controller

The entity that determines the purposes and means of processing Personal Data. Under this DPA, the Customer is the Data Controller.

Data Processor

The entity that processes Personal Data on behalf of the Data Controller. Under this DPA, Brainova AI Inc. is the Data Processor.

Personal Data

Any information relating to an identified or identifiable individual, including but not limited to names, phone numbers, email addresses, voice recordings, and transaction records.

Processing

Any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.

Sub-processor

A third party engaged by Brainova AI to process Personal Data on behalf of the Customer. All sub-processors are contractually bound to equivalent data protection obligations.

Data Subject

An identified or identifiable individual whose Personal Data is processed under this agreement. Examples include callers, customers, employees, and end users.

Supervisory Authority

An independent public authority responsible for monitoring the application of data protection laws. In Canada, this is the Office of the Privacy Commissioner of Canada (OPC).

Scope of Processing

The categories of Personal Data processed depend on which Brainova AI products the Customer uses. Processing is limited to what is necessary to deliver the contracted services.

Brainova Talk

AI voice agents for business phone systems. Data processed includes:

  • Caller phone numbers and caller ID information
  • Call recordings and voice transcripts
  • Appointment scheduling data (names, dates, contact details)
  • Lead qualification data collected during calls
  • CRM synchronization data (contact records, call outcomes)

Brainova AI Inventory

AI-powered product research and listing automation. Data processed includes:

  • Product data from supplier catalogs and brand sources
  • E-commerce store data via Shopify API (product listings, inventory levels)
  • Competitor pricing and product data from public sources
  • Product images and media assets
  • Shopify API authentication credentials (encrypted, access-controlled)

AI Integration Services

Custom AI automation and workflow integration. Data processed includes:

  • Custom data categories as defined in the service agreement and statement of work
  • API credentials and integration configuration data (encrypted)
  • Business process data flowing through automated workflows

The specific data categories, processing purposes, and retention requirements for Integration Services are documented in each customer's statement of work.

Roles & Responsibilities

This DPA establishes clear roles for data protection accountability.

Customer (Data Controller)

  • Determines the purposes and means of processing Personal Data
  • Ensures a lawful basis exists for data processing (consent, contract, or legitimate interest)
  • Provides processing instructions to Brainova AI
  • Responds to Data Subject requests with Brainova AI's assistance
  • Notifies relevant supervisory authorities of breaches where required by law

Brainova AI (Data Processor)

  • Processes Personal Data only on documented Customer instructions
  • Implements and maintains technical and organizational security measures
  • Engages sub-processors only with prior notification and equivalent contractual protections
  • Assists the Customer in fulfilling Data Subject rights requests
  • Notifies the Customer within 72 hours of a confirmed Personal Data breach

Brainova AI does not process Personal Data for any purpose other than delivering the contracted services. Customer data is never used to train AI models, sold to third parties, or shared between customer accounts.

Security Measures

Brainova AI Inc. implements technical and organizational measures designed to protect Personal Data, proportional to the sensitivity of the data processed and consistent with generally accepted industry practice. These measures include:

  • Encryption of Personal Data in transit and at rest using industry-standard methods
  • Role-based access controls with principle of least privilege
  • Access logging and monitoring of production systems
  • Vulnerability management and regular third-party security assessments
  • Documented incident response and escalation procedures
  • Network segmentation and logical isolation between customer tenants
  • Encryption key management in accordance with industry practice

Security measures evolve over time. For current technical details and operational practices, see our Trust & Security page. Brainova AI Inc. may update specific controls from time to time, provided the overall level of protection is not materially diminished.

Sub-processors

Brainova AI engages the following categories of sub-processors to deliver its services. All sub-processors are bound by data processing agreements with security and confidentiality obligations equivalent to those in this DPA.

Cloud Infrastructure

Hosting, storage, and compute services for platform operation. Data centers located in the United States with SOC 2 Type II certification.

AI Model Providers

Large language model and speech processing services for voice agent and product research features. Data is processed in transit only and not retained by model providers for training.

Telephony Providers

Voice network services for inbound and outbound call handling in Brainova Talk. Call media is encrypted in transit using industry-standard methods.

Payment Processing

Subscription billing and payment handling. Payment processors are PCI DSS Level 1 certified. Brainova does not store credit card numbers.

Sub-processor Change Notification

Brainova AI Inc. will use reasonable efforts to notify Customers at least 30 days in advance before engaging a new sub-processor or making material changes to existing sub-processor arrangements. Notification is deemed given by email to the account's designated security contact or, if none has been designated, by email to the billing/account contact or by posting to our Trust & Security page.

Customers may submit a reasonable, written objection within 15 days of notification, specifying the grounds for the objection. If the parties cannot reasonably resolve the objection within 30 days, Customer's sole and exclusive remedy is to terminate the affected service without penalty. Continued use of the service after the 15-day period constitutes acceptance.

Cross-Border Data Transfers

Brainova AI Inc. is headquartered in British Columbia, Canada. Customer data is stored in data centers located in the United States.

For transfers between Canada and the United States, both countries maintain adequate commercial privacy frameworks. Canada's PIPEDA is recognized as providing adequate protection under multiple international frameworks, and the US-Canada data flow relationship is well-established for commercial purposes.

Where Customer data originates from jurisdictions requiring additional transfer safeguards (such as the European Economic Area or the United Kingdom), Brainova AI implements Standard Contractual Clauses (SCCs) as approved by the relevant authority. Enterprise customers may request execution of SCCs as an addendum to this DPA.

Brainova AI does not transfer Personal Data to any country or organization without ensuring appropriate safeguards are in place and documented.

Data Subject Rights

Brainova AI assists Customers in fulfilling their obligations to respond to Data Subject rights requests. The Customer remains responsible for responding to Data Subjects directly.

Right of Access

Brainova AI Inc. assists Customers in responding to Data Subject requests for access to Personal Data held within the platform.

Right of Correction

Customers can update or correct Personal Data directly through the platform. Brainova AI Inc. may assist with bulk corrections upon reasonable request.

Right of Deletion

Brainova AI Inc. deletes specific Personal Data upon written Customer instruction. Deletion propagates across production systems within 30 days, and across encrypted backups in accordance with our backup rotation.

Right of Portability

Brainova AI Inc. provides data export in standard machine-readable formats (CSV, JSON) to support Data Subject portability requests.

Right to Withdraw Consent

Where processing is based on consent, Brainova AI Inc. provides mechanisms for Customers to record and act on consent withdrawal by Data Subjects.

Brainova AI Inc. will use commercially reasonable efforts to respond to Customer assistance requests regarding Data Subject rights within a reasonable time, typically within 5 business days of receipt. For urgent requests, contact info@brainova.ai with "Urgent DSR" in the subject line. Brainova AI Inc. is not responsible for responding to Data Subjects directly; that responsibility remains with the Customer as Data Controller.

Data Retention & Deletion

Brainova AI retains Personal Data only for as long as necessary to deliver the contracted services, unless a longer retention period is required by law or requested by the Customer.

Default Retention Periods

  • Call recordings: 90 days
  • Call transcripts: 90 days
  • Product research data: Duration of active subscription
  • Audit logs: retained in accordance with our internal retention policies and applicable legal requirements
  • Account data: Duration of active subscription

Custom Retention Policies

Professional and Enterprise customers can configure custom retention periods from 30 days to 1 year for call recordings and transcripts. Custom policies are set through the platform dashboard or by contacting support.

Deletion Upon Termination

Upon termination of the service agreement, the Customer has a 30-day export window to download its data in standard formats (CSV, JSON, or MP3 for call recordings). Brainova AI Inc. provides data export tools in the platform dashboard and may assist with bulk exports upon reasonable request.

After the 30-day export window, Customer Personal Data is deleted from production systems. Deletion from encrypted backups is completed within an additional 30 days in accordance with our backup rotation. Brainova AI Inc. will provide written confirmation of deletion upon reasonable Customer request.

Breach Notification

Brainova AI maintains a documented incident response plan and notifies affected Customers promptly in the event of a confirmed Personal Data breach.

72-Hour Notification

Brainova AI Inc. will notify the Customer's designated security contact without undue delay, and in any event within 72 hours after Brainova AI Inc.'s confirmation that a reportable Personal Data breach affecting Customer's Personal Data has occurred. A "reportable breach" means an event reasonably likely to result in material harm to affected Data Subjects; near-misses, unverified reports, suspected incidents under investigation, and incidents with no material impact are not reportable. Notification is sent via email to the designated security contact (or, if none has been designated, to the billing/account contact) and, where available, through the platform's notification system.

Notification Content

Each breach notification includes:

  • Description of the nature and scope of the breach
  • Categories and approximate number of Personal Data records affected
  • Contact details of Brainova AI's privacy team for follow-up
  • Measures taken and proposed to contain and mitigate the breach
  • Recommended steps for the Customer to minimize potential harm

Cooperation

Brainova AI cooperates fully with the Customer's investigation and regulatory notification obligations. This includes providing additional information as it becomes available, assisting with forensic analysis, and supporting the Customer's communications with supervisory authorities and affected Data Subjects.

Audit Rights

Customers have the right to verify Brainova AI's compliance with the obligations set out in this DPA.

Third-party reports first: Brainova AI Inc. may satisfy audit requests by providing recent SOC 2 Type II or equivalent third-party audit reports, summary penetration-testing letters, or security questionnaire responses, in lieu of on-site access. Reports are made available to Enterprise customers upon reasonable request, subject to scope limitations and an executed non-disclosure agreement.

On-site or remote audits: Where third-party reports are not sufficient, Customers may conduct or commission an independent audit of Brainova AI Inc.'s data processing practices with at least 30 days' written notice. Audits are conducted during normal business hours, must not unreasonably disrupt operations, and are subject to a mutually agreed scope. Brainova AI Inc. may require that audits be performed by an independent, mutually agreed third-party auditor under NDA.

Audit costs: Customer bears its own costs and any reasonable costs Brainova AI Inc. incurs responding to the audit beyond providing standard third-party reports, unless the audit reveals a material breach of this DPA caused by Brainova AI Inc., in which case Brainova AI Inc. bears its own response costs.

Audit frequency: Customers may exercise audit rights up to once per calendar year, unless a confirmed data breach or specific regulatory requirement reasonably necessitates an additional audit.

Confidentiality: All audit findings, reports, and information accessed during an audit are treated as Brainova AI Inc.'s confidential information. Auditors must execute a non-disclosure agreement in a form reasonably acceptable to Brainova AI Inc. before accessing systems or documentation.

PIPEDA Compliance

As a Canadian company, Brainova AI Inc. complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. Our data processing practices align with PIPEDA's ten fair information principles.

Accountability

Brainova AI has designated a Privacy Officer responsible for compliance with privacy obligations. The Privacy Officer oversees data protection practices and can be reached at privacy@brainova.ai.

Consent

Brainova AI processes Personal Data based on the Customer's documented instructions. Customers are responsible for obtaining appropriate consent from Data Subjects where consent is the legal basis for processing.

Purpose Limitation

Personal Data is collected and processed only for the purposes specified in this DPA and the service agreement. Data is never used for secondary purposes without Customer instruction.

Safeguards

Technical and organizational security measures are proportional to the sensitivity of the data processed. Measures are reviewed and updated periodically and in response to identified risks.

Openness

Brainova AI makes its data protection policies and practices readily available. This DPA, our Trust & Security page, and our Privacy Policy document our commitments transparently.

Individual Access

Brainova AI supports Customers in responding to individual access requests within the timelines required by PIPEDA (typically within 30 days of receipt).

Brainova AI also monitors developments in Canadian privacy law, including the proposed Consumer Privacy Protection Act (CPPA) and the Artificial Intelligence and Data Act (AIDA), and will update this DPA as necessary to maintain compliance.

How to Request a DPA

Our Data Processing Agreement is available to all customers on Professional and Enterprise plans. To request a DPA, contact our team with your company name, plan type, and the Brainova products you use.

We send our standard DPA for review within 2 business days. Enterprise customers can request modifications to the standard terms. Executed DPAs are countersigned and returned within 5 business days.

Frequently Asked Questions

About the Service

A Data Processing Agreement (DPA) is a legally binding contract between a data controller (your business) and a data processor (Brainova AI) that defines the terms under which personal data is processed. It specifies security obligations, data handling procedures, breach notification timelines, and sub-processor requirements. DPAs are standard in B2B relationships where one party processes data on behalf of another.

Any business on a Professional or Enterprise plan that processes personal data through Brainova Talk, Brainova AI Inventory, or AI Integration Services should have a DPA in place. This is particularly important for businesses subject to PIPEDA, provincial privacy laws, or international data protection regulations. If your business handles customer phone numbers, call recordings, or e-commerce customer data through our platform, a DPA formalizes our data protection commitments.

Contact our team at info@brainova.ai or through the Contact page with the subject line "DPA Request." Include your company name, plan type, and which Brainova products you use. We will send you our standard DPA for review and signature within 2 business days. Enterprise customers can request modifications to the standard terms.

No. Brainova AI does not use customer data to train, fine-tune, or improve our AI models unless you provide explicit written opt-in consent. Customer data processed through our AI features (voice transcription, product research) is used solely to deliver the requested service and is not retained by AI model providers for any other purpose.

Getting Started

Customer data is stored in secure, SOC 2 Type II audited data centers in the United States. Data is encrypted in transit and at rest using industry-standard methods. Enterprise customers can discuss specific data residency requirements with our team.

Upon account termination, you have a 30-day window to export all your data in standard formats (CSV, JSON). After the 30-day export period, Personal Data including call recordings, transcripts, product data, and account information is deleted from production systems. Deletion from encrypted backups is completed within an additional 30 days in accordance with our backup rotation.

Brainova AI Inc. notifies the affected customer's designated security contact without undue delay, and in any event within 72 hours after we confirm that a reportable Personal Data breach has occurred. The notification includes the nature of the breach, categories of data affected, an estimated number of records involved, and the measures taken to mitigate the impact. We cooperate with customer investigations and regulatory notifications as reasonably required.

Yes. Brainova AI Inc. is a Canadian company and complies fully with the Personal Information Protection and Electronic Documents Act (PIPEDA). Our data handling practices align with PIPEDA's ten fair information principles, including accountability, consent, purpose limitation, and safeguards. We also monitor developments in Canadian privacy law, including the proposed Consumer Privacy Protection Act (CPPA).
