BackLast updated: 04/05/2026
Request Signed PDF

DPA - Data Processing Agreement

This Agreement governs the processing of personal data by Godia.ai as a data processor (GDPR) on behalf of its clients (data controllers).

Definitions

Personal Data: any information relating to an identified or identifiable natural person.

Security Incident: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

Instructions: documented directives from the Client to Godia.ai regarding the processing of personal data.

Sub-processor: any third-party engaged by Godia.ai to carry out part of the data processing.

Identification of the Parties

Data Controller (Client): the client entity identified in the order form.

Data Processor (Godia.ai): 777 Industries Luxembourg S.à r.l., 24 Route d'Arlon, L-8008 Strassen, Luxembourg (RCS B302454). Contact: support@godia.ai, legal@godia.ai.

Scope & Duration

  • Scope

    Provision of the Godia.ai SaaS platform: secure web client portal, conversational AI agents accessible via embedded widget and outbound emails, optional Godia Pilot module connecting to Gmail and Microsoft 365 mailboxes (reading inbound emails to suggest reply drafts, sending conditional on explicit human validation), automation system (trigger rules, transactional emails, prospect records).

  • Duration

    Effective upon signature of the main agreement; terminates upon its expiry or termination. End-of-contract: complete data export available upon request within 30 days; definitive deletion within 60 days after termination (except legal retention obligation). Attestation of deletion available upon request.

Data Categories & Purposes

  • Categories

    Conversations (messages, timestamps, pseudonymized session identifiers), prospect data (name, email, phone, company, free-text fields, attachments), technical data (IP addresses for security purposes, logs, metrics), authentication and SIEM logging events, developer API keys (SHA-256 hashes only), and - for clients activating the Godia Pilot module - email metadata and content (body, subject) read on demand via Gmail/Microsoft Graph APIs (not persisted), encrypted OAuth tokens.

  • Data Subjects

    End users (visitors, prospects, customers) and the Client's internal users.

  • Purposes

    Service delivery, improvement and support, legal obligations, security and abuse prevention.

  • DPIA Reference

    Five processings are formally documented in DPIA-GODIA-2026-001 v1.1 (April 2026): (1) AI conversations, (2) prospect data, (3) authentication and SIEM logging, (4) developer API keys, (5) email reading and sending via Godia Pilot (Gmail / Microsoft 365). Available upon request to legal@godia.ai.

Instructions & Support Access

Godia.ai processes personal data solely on the basis of the Client's documented instructions, in compliance with GDPR Art. 28 and Art. 29. Any access to Client data by Godia.ai support personnel is logged in the audit trail (table access_logs, retention 90 days). Records of support operations are available to the Client upon written request.

Security Measures

  • Authentication & Access Controls

    JWT RS256 with automatic 7-day rotation, bcrypt 12 rounds for passwords, MFA TOTP mandatory for Godia administrator accounts and recommended for all client accounts, RBAC with three native roles (Owner, Admin, Member) plus eight configurable granular permissions.

  • Multi-tenant Isolation

    Three cumulative levels: clientId column on all tables (mandatory WHERE filter on every SQL query), authentication middleware injecting and verifying clientId on each API call, ownership verification on every endpoint (HTTP 403 on cross-tenant attempt). Real-time SIEM alerts on isolation violation attempts.

  • Encryption

    Sensitive data (CRM credentials, OAuth tokens, prospect attachments) encrypted with AES-256-GCM at the application level. PostgreSQL encrypted at rest at infrastructure level (Neon). TLS 1.2 / 1.3 enforced on all connections, HSTS preload. MASTER_KEY annual rotation (Q4) with immediate rotation on security event.

  • Backups

    Daily AES-256 encrypted backups managed by Neon, EU multi-zone replication, point-in-time restoration capability. RTO contractual: 4 hours. RPO: 24 hours.

  • Audit Trail

    Append-only logging tables (auth_events, access_logs, client_activity_logs, alert_history) with retentions of 30 to 90 days. Native SIEM export available in JSON/CSV format from the client portal (compatible with Elastic, Splunk, QRadar, Microsoft Sentinel). Anti-exfiltration rate limit (10 exports per hour). Records of support operations available upon request.

Hosting & Sub-processors

Godia.ai uses the following sub-processors, all formally documented in our ICT Register (compliant with DORA Art. 28). Any significant addition or replacement of a sub-processor will be notified 30 days in advance, with the Client's right to raise a reasoned objection.

Sub-processorRoleLocationDPA
Railway CorporationApplication hosting (PaaS, compute, network, deployment)europe-west4 (Amsterdam, Netherlands / EU)Available
Neon, LLC (Databricks)Managed PostgreSQL databaseeurope-west4 (EU)Available
Mistral AI SASLanguage model inference (conversational AI). Data not used for model training.France (EU)Available
Mailjet (Sinch)Transactional email delivery and notificationsFrance (EU)Available
Google LLCOAuth 2.0 SSO authentication; Gmail API (gmail.modify scope) for the Godia Pilot module - upon explicit Client activationUnited States (GDPR SCCs)Available
Microsoft CorporationOAuth 2.0 SSO authentication; Microsoft Graph API (Mail.Read, Mail.Send scopes) for the Godia Pilot module - upon explicit Client activationEU / United States (GDPR SCCs)Available

International Data Transfers

The core infrastructure (compute and database) is hosted within the European Union. Transfers outside the EU are limited to:

  • Google LLC - only if the Client activates the Godia Pilot integration with Gmail (gmail.modify scope). Covered by GDPR Standard Contractual Clauses (SCCs) and the Google Cloud Data Processing Addendum.
  • Microsoft Corporation - only if the Client activates the Godia Pilot integration with Microsoft 365 (Microsoft Graph API, Mail.Read / Mail.Send scopes). Covered by GDPR SCCs and the Microsoft Online Services DPA.

For any processing outside the EU, Godia.ai implements appropriate safeguards (SCCs) and informs the Client where necessary.

Data Subject Rights & Assistance

Mechanisms enabling the Client to respond to data subject requests (access, rectification, erasure, restriction, portability, objection). Conversation deletion via the platform interface, full data export in JSON/CSV from the client portal. Additional assistance available upon request to legal@godia.ai.

Incidents & Notifications

In case of a personal data breach, Godia.ai notifies the Client without undue delay after becoming aware of the incident, with available information enabling assessment (nature of the breach, categories and approximate number of data subjects affected, likely consequences, measures taken). Notification SLA: 4 hours for critical incidents. Notification of competent supervisory authorities (CNIL France, CNPD Luxembourg) within 72 hours pursuant to GDPR Art. 33, where applicable. Email notifications sent via the administration portal (Mailjet). Each incident is documented with timeline, impact and corrective measures (PIR module integrated into the client portal, compliant with DORA Art. 11).

Audits & Compliance

Godia.ai favours the provision of documentary evidence: security policy (godia.ai/legal/security), DPIA-GODIA-2026-001 v1.1, ICT Register (DORA Art. 28), internal OWASP Top 10:2025 + LLM Top 10 audit (score 100/100, April 2026), and responses to security questionnaires. On-site audits are not offered by default; they may be conducted where required by applicable law/regulation, or by mutual agreement (prior notice, defined scope, confidentiality), at the requester's expense.

Retention & Deletion

CategoryRetention Period
Conversations and attachmentsFor the contract duration; data export available within 30 days after termination, definitive deletion within 60 days
Authentication and access logs (auth_events, access_logs)90 days
Client activity logs (client_activity_logs)30 days
Alert history (alert_history)90 days
Encrypted backupsAccording to the subscribed Neon plan (rolling cycles)
Aggregated analytical metadata12 months (anonymised beyond)

Return / Deletion at End of Contract

Upon contract termination: complete data export provided upon written request within 30 days (JSON/CSV format, standard PostgreSQL portability). Definitive deletion of all Client data within 60 days after termination, except where a legal retention obligation requires otherwise. Attestation of deletion issued within 15 days following effective deletion, upon written request from the data controller. No proprietary lock-in.

Governing Law & Jurisdiction

Luxembourg law (as per the master agreement). Jurisdiction of the courts at the Client's registered office unless otherwise stipulated.

Contact & Signed PDF

Privacy / Legal: legal@godia.ai. Support: support@godia.ai. To obtain a signed PDF version of this DPA, please send your request by email.

Stay up to date with the latest news
Godia.ai logoGodia.ai

Conversational AI assistants for customer service, sales and operations.

24, route d'Arlon 8008 Strassen, Luxembourg, UE

Solutions by industry

© 2026 Godia.aiHosted in the EUGDPR Compliant
Made with ❤️ in Luxembourg