
Data Processing Agreement (DPA)

Data Processing Agreement for CivAI AI services

Last updated: February 2026
Version: 1.0

1. Parties

This Data Processing Agreement ("DPA") is entered into between the customer organization ("Controller") and CivAI B.V., located at Hoge Zand 39, 2512 EL The Hague, registered with the Chamber of Commerce under number 98956221 ("Processor").

2. Subject and Duration

The Processor processes personal data on behalf of the Controller in connection with the provision of AI services (GovGPT, EduGPT, OrgGPT, and/or Veilige AI Hosting). This DPA applies for the duration of the service agreement between the parties.

3. Nature and Purpose of Processing

Personal data is processed for the purpose of providing AI-assisted services, including but not limited to: text generation, document analysis, question answering, and information retrieval. Processing occurs exclusively based on the documented instructions of the Controller.

4. Categories of Data Subjects and Personal Data

Data subjects

Employees and staff of the Controller
End users of the services
Citizens, students, or clients whose data may be entered into the services

Categories of personal data

Account data (name, email, role, organization)
Usage data (prompts, queries, generated outputs)
Technical data (IP address, log data)
Any personal data entered into the AI services by end users

5. Obligations of the Processor

Process personal data only on documented instructions from the Controller.
Ensure that persons authorized to process personal data have committed to confidentiality.
Implement appropriate technical and organizational security measures (Article 32 GDPR).
Assist the Controller in fulfilling data subject rights requests.
Notify the Controller without undue delay of any data breach.
Delete or return all personal data upon termination of services, at the choice of the Controller.
Make available all information necessary to demonstrate compliance.
Customer data is never used for model training.

6. Sub-processors

The Processor shall not engage another processor (sub-processor) without prior specific or general written authorization of the Controller. A current list of sub-processors is available at civai.eu/subprocessors.

The Controller will be informed of any intended changes concerning the addition or replacement of sub-processors, with the opportunity to object.

7. International Transfers

All personal data is processed and stored within the European Economic Area (EEA). CivAI does not transfer personal data to countries outside the EEA unless appropriate safeguards are in place as required by Chapter V of the GDPR, and only with prior notification to the Controller.

8. Security Measures

Encryption in transit (TLS 1.2+) and at rest (AES-256).
Role-based access control and multi-factor authentication.
Regular security audits and penetration testing.
Automated backup and disaster recovery procedures.
Logging and monitoring of access to personal data.
Tenant isolation between different client organizations.

9. Audits

The Controller has the right to conduct audits, including inspections, to verify compliance with this DPA. The Processor shall cooperate with such audits. The costs of audits initiated by the Controller shall be borne by the Controller, unless the audit reveals non-compliance by the Processor.

10. Liability

The liability of the Processor under this DPA is subject to the limitations set forth in the underlying service agreement between the parties.

Request a signed DPA

To receive a signed Data Processing Agreement tailored to your organization, please contact us at info@civai.eu.