Data Processing Agreement

Last updated: April 11, 2026

1. Scope

This Data Processing Agreement (“DPA”) supplements the OpsBrain Terms of Service and applies when OpsBrain processes personal data on behalf of the customer (“Controller”) in the course of providing the service.

2. Roles

  • Controller — you, the customer, who determines the purposes and means of processing personal data by uploading documents to OpsBrain.
  • Processor — OpsBrain (Argen Pojani), which processes personal data solely on your instructions to provide the service.

3. Data processed

OpsBrain processes only the data you upload or enter:
  • Document content (PDFs containing contractual text, which may include names, dates, amounts, and other terms).
  • User account data (name, email) for team members you invite.
OpsBrain does not actively seek or collect personal data beyond what is uploaded.

4. Processing instructions

OpsBrain processes personal data only as necessary to:
  • Store and encrypt uploaded documents.
  • Extract text and identify obligations using AI models.
  • Display extracted information within the application.
  • Generate risk alerts and audit logs.
We do not process personal data for any other purpose (marketing, profiling, resale) unless you explicitly instruct otherwise in writing.

5. Security measures

  • AES-256 encryption at rest with per-tenant keys (PBKDF2-HMAC-SHA256, 480k iterations, random salt).
  • TLS in transit for all API and web traffic.
  • Tenant isolation — every database query is scoped to the authenticated company. No cross-tenant data access is possible.
  • Non-root container execution, rate limiting, HMAC-signed worker jobs.
  • Immutable audit trail of all data access events.

6. Sub-processors

We use the following sub-processors:
  • Stripe, Inc. — payment processing (US).
  • Groq, Inc. — LLM inference for document extraction (US). Only document text is sent; never credentials or account data. Customers may opt to use their own LLM provider instead (BYOK).
  • Your SMTP provider — transactional email, configured by the operator.
We will notify you before adding or replacing a sub-processor. You may object within 14 days; if we cannot resolve the objection, you may terminate the agreement.

7. Data subject rights

If a data subject contacts OpsBrain directly, we will refer them to you (the Controller) unless legally required to respond. We will assist you in fulfilling data subject requests (access, rectification, deletion, portability) without undue delay.

8. Data breach notification

In the event of a personal data breach, we will notify you within 72 hours of becoming aware, providing:
  • Nature of the breach and categories of data affected.
  • Estimated number of data subjects affected.
  • Measures taken or proposed to address the breach.

9. Data deletion

Upon termination of your subscription, we will delete all personal data within 30 days unless retention is required by law. You may request data export before termination.

10. Governing law

This DPA is governed by the same law as the Terms of Service (Republic of Albania). For customers in the EU/EEA, GDPR provisions take precedence where applicable.