Data Processing Agreement

How we process your company's data as a data processor.

Last updated: June 24, 2026

This Data Processing Agreement ("DPA") is between Index Brain ("Processor", "we", "us") and the customer organization ("Controller") that has accepted the Index.brain Terms of Service. This DPA applies wherever Index.brain processes personal data on behalf of the Controller and forms part of the Terms of Service.

Where this DPA conflicts with the Terms of Service on matters relating to the processing of personal data, this DPA takes precedence.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person that the Controller submits to the service.

"Processing" means any operation performed on Personal Data, including reading, extracting, storing, and transmitting.

"Controller" means the customer organization that determines the purposes and means of processing Personal Data.

"Processor" means Index Brain, which processes Personal Data on behalf of the Controller.

"Sub-processor" means any third party engaged by the Processor to assist in processing Personal Data.

"Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data, including GDPR where applicable.

2. Scope and nature of processing

Index.brain processes data from integrations the Controller connects. This includes:

  • Email content from Gmail (sender, recipient, subject, body)
  • Messages from Slack (channel, author, content, timestamps)
  • Documents from Notion (page content, authors, metadata)
  • Code and activity from GitHub (commits, pull requests, issues)
  • Tasks and issues from Jira, Linear, and Asana
  • Meeting notes from Granola and Fathom
  • Public web pages from the Controller's website
  • AI conversation transcripts uploaded by the Controller

Important: Index.brain does not store raw source content. We read content from connected integrations, extract structured knowledge (facts, decisions, processes, ownership), and store only the extracted knowledge, not the original emails, messages, or documents. The purpose of processing is to build and maintain the Controller's company brain and deliver skills to authorized AI agents.

3. Controller obligations

The Controller agrees to:

  • Ensure they have a lawful basis under applicable data protection law for connecting each data source
  • Ensure individuals whose data is processed have been appropriately informed where required by law
  • Not connect data sources containing special categories of personal data (health, financial, legal, biometric records) without explicit written agreement with Index Brain
  • Maintain accurate records of the data sources connected and the purpose for doing so
  • Promptly inform Index Brain of any data subject requests received that relate to data processed by Index.brain

4. Processor obligations

Index Brain agrees to:

  • Process Personal Data only on documented instructions from the Controller, as set out in these Terms and DPA
  • Ensure all personnel with access to Personal Data are subject to appropriate confidentiality obligations
  • Implement and maintain appropriate technical and organizational security measures
  • Assist the Controller in responding to data subject rights requests
  • Delete or return all Personal Data upon termination of the service
  • Provide the Controller with information reasonably necessary to demonstrate compliance with this DPA
  • Not process Personal Data for any purpose other than providing the Index.brain service

5. Security measures

We implement the following technical and organizational measures to protect Personal Data:

  • Encryption in transit: all data transmitted using TLS 1.2 or higher
  • Encryption at rest: all stored data encrypted using AES-256
  • Access controls: least-privilege access; no employee has blanket access to customer data
  • Data isolation: complete logical separation between customer accounts; all database queries are scoped to the organization
  • OAuth token security: integration tokens stored encrypted, never in plain text
  • Audit logging: all data access and modification events are logged
  • Infrastructure security: hosted on AWS with standard cloud security controls

6. Sub-processors

Index.brain uses the following sub-processors. By accepting this DPA, the Controller provides general authorization for the use of these sub-processors. We will notify the Controller at least 30 days before adding or replacing any sub-processor.

| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Infrastructure, server hosting, and database storage | United States |
| Anthropic | Claude API for AI knowledge extraction. Content from connected integrations is sent to Anthropic's API for processing. Anthropic does not store or train on this content. | United States |
| Vercel | Frontend application hosting. No personal data stored. | United States |
| Sentry | Error monitoring. Metadata only, no personal data or source content included in error reports. | United States |

7. Data subject rights

If Index.brain receives a request directly from a data subject regarding their personal data, we will promptly forward it to the Controller. The Controller is responsible for responding to data subjects. Index.brain will assist the Controller in fulfilling such requests by providing the technical means to access, correct, export, or delete relevant data within a reasonable timeframe.

8. Data retention and deletion

Extracted knowledge (skills and facts) is retained for as long as the Controller's account is active or until the Controller deletes it. Raw source content is never stored, only derived knowledge.

Upon account deletion or a written deletion request, all Personal Data associated with the account is permanently deleted within 24 hours. We will provide written confirmation of deletion upon request. If applicable law requires retention beyond that period, we will inform the Controller of the specific obligation.

9. Data breach notification

In the event of a confirmed Personal Data breach, Index.brain will notify the Controller without undue delay and in any case within 72 hours of becoming aware. The notification will include:

  • The nature of the breach and the categories of data affected
  • The approximate number of individuals and records affected
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach and mitigate its effects

The Controller is responsible for notifying the relevant supervisory authority and affected individuals where required by applicable law.

10. International data transfers

Personal Data processed by Index.brain is stored and processed in the United States. By accepting this DPA, the Controller acknowledges and consents to this transfer. For transfers from the European Economic Area, the United Kingdom, or Switzerland, we rely on standard contractual clauses or other appropriate transfer mechanisms as required by applicable law. Controllers subject to GDPR may request a copy of the applicable transfer mechanism by contacting us.

11. Audits and compliance

Index.brain will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. The Controller may request an audit of our data processing practices with reasonable notice of at least 30 days. Audits must be conducted in a manner that does not disrupt our operations or compromise the security or privacy of other customers. The Controller shall bear the costs of any such audit.

12. Termination

This DPA remains in effect for as long as Index.brain processes Personal Data on behalf of the Controller. Upon termination of the service agreement, Index.brain will permanently delete all Personal Data within 24 hours, unless retention is required by applicable law. The Controller may request a data export before deletion at no charge.

Contact

For DPA-related requests, data subject rights requests, or compliance questions, contact us at privacy@indexbrain.online.

© 2026 Index Brain. All rights reserved.