Definitions
Personal Data: any information relating to an identified or identifiable natural person.
Security Incident: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
Instructions: documented directives from the Client to Godia.ai regarding the processing of personal data.
Sub-processor: any third-party engaged by Godia.ai to carry out part of the data processing.
Identification of the Parties
Data Controller (Client): the client entity identified in the order form.
Data Processor (Godia.ai): 777 Industries Luxembourg – 24, Route d'Arlon L-8008 Strassen – Contact: support@godia.ai · legal@godia.ai.
Scope & Duration
- Scope
Provision of the Godia.ai SaaS platform (AI agents, conversation collection and routing, administration, analytics).
- Duration
Effective upon signature of the main agreement; terminates upon its expiry or termination. Data deletion within 30 days (attestation available upon request).
Data Categories & Purposes
- Categories
Conversations (messages, timestamps, identifiers), contact data (name, email, phone, company, free-text fields), technical data (IP addresses for security purposes, logs, metrics), configurations (agent settings, knowledge bases).
- Data Subjects
End users (visitors, prospects, customers) and the Client's internal users.
- Purposes
Service delivery, improvement & support, legal obligations, security and abuse prevention.
Instructions & Support Access
Godia.ai processes data solely based on the Client's instructions. Support access is only possible through a temporary secure key generated by the Client, time-limited, logged and revocable.
Security Measures
- Access & Permissions
Token-based authentication, access controls, tenant isolation by clientId.
- Encryption
Sensitive data encrypted at rest (AES-256-GCM) and in transit (TLS 1.2+). OAuth tokens for email integrations encrypted in the database.
- Backups
Daily encrypted backups managed by Neon, with regular restore testing.
- Audit Trail
Logging of all support operations; records available upon request.
Hosting & Sub-processors
Godia.ai uses the following sub-processors. Any significant addition or replacement will be notified in advance (30 days) with the Client's right to raise a reasoned objection.
| Sub-processor | Role | Location | DPA |
|---|---|---|---|
| Railway | Infrastructure hosting (compute, network, deployment) | Europe (EU) | Available |
| Neon | Managed PostgreSQL database | Europe (EU) | Available |
| Mistral AI | Language model inference (conversational AI) | France (EU) | Available |
| Mailjet (Sinch) | Transactional email delivery and notifications | France (EU) | Available |
| Google | OAuth 2.0 authentication / Gmail API (optional, upon Client activation) | United States (SCCs) | Available |
| Microsoft | OAuth 2.0 authentication / Outlook API (optional, upon Client activation) | EU / United States (SCCs) | Available |
International Data Transfers
The core infrastructure (compute and database) is hosted within the European Union. Transfers outside the EU are limited to:
- Google — only if the Client activates the Gmail integration. Covered by GDPR Standard Contractual Clauses (SCCs) and the Google Cloud DPA.
- Microsoft — only if the Client activates the Outlook/Microsoft 365 integration. Covered by GDPR SCCs and the Microsoft DPA.
For any processing outside the EU, Godia.ai implements appropriate safeguards (SCCs) and informs the Client where necessary.
Data Subject Rights & Assistance
Mechanisms enabling the Client to respond to data subject requests (access, rectification, erasure, objection). Conversation deletion via the platform interface and additional assistance upon request.
Incidents & Notifications
Notification to the Client without undue delay after becoming aware of a breach; acknowledgement within 24 business hours with available information for assessment and, where applicable, notification to supervisory authorities and/or data subjects.
Audits & Compliance
Godia.ai favours the provision of documentary evidence (policies, control descriptions, internal test reports) and responses to security questionnaires. On-site audits are not offered by default; they are only possible where required by law/regulation or by mutual agreement (prior notice, defined scope, confidentiality) and at the requester's expense.
Retention & Deletion
| Category | Indicative Retention Period |
|---|---|
| Conversations & attachments | Until deleted by the Client or end of contract (max 30 days after termination) |
| Technical logs | 30 to 90 days |
| Encrypted backups | Rolling cycles <= 30 days |
| Analytical metadata | 12 months (aggregated/anonymised beyond) |
Return/Deletion at End of Contract
Upon contract termination, data is deleted within 30 days (unless a legal obligation requires otherwise). Return of data is available upon prior request. Attestation of deletion available upon request.
Governing Law & Jurisdiction
Luxembourg law (as per the master agreement). Jurisdiction of the courts at the Client's registered office unless otherwise stipulated.
Contact & Signed PDF
Privacy/Legal: legal@godia.ai · Support: support@godia.ai.
To obtain a signed PDF version, please send your request by email.