Data Processing Agreement (DPA)
Reference document
This is niil's default, EU-first Data Processing Agreement (Art. 28 GDPR / Auftragsverarbeitungsvertrag), provided for your review. For the hosted niil service (niil.ai / app.niil.ai), the Provider is Gradient Zero Deutschland GmbH (gzero.ai), which supplies the binding version. For a self-hosted deployment, the organisation operating the instance is the Provider and supplies the binding version — with its operating legal entity, contact details, and any deployment-specific values — reviewed by qualified counsel. This page is not legal advice.
Art. 28 GDPR · Version 1.0
This DPA governs the processing of personal data by the Provider — for the hosted niil service, Gradient Zero Deutschland GmbH (gzero.ai); for a self-hosted deployment, the entity operating your niil instance — on behalf of the Customer (you) when using niil (the "Services"). It supplements the main agreement and prevails over it for matters of personal-data processing.
1. Subject matter & roles
The Provider processes personal data on behalf of the Customer solely to provide the Services, and only on the Customer's documented instructions (including through the Service's functionality). Where the Customer is itself a processor, the Provider acts as a sub-processor.
2. Nature, purpose & duration
- Purpose — provision of a multi-model secure chat and document-chat service.
- Nature of processing — storage, retrieval, transmission to AI sub-processors for inference, and deletion.
- Duration — the term of the main agreement; processing ends on termination per §8.
3. Categories of data subjects & data (Annex 1)
- Data subjects — the Customer's authorised users and persons referenced in the content they submit.
- Data types — names and email addresses; the content of chats and uploaded documents; usage and billing metadata.
- Special categories — only if submitted by the Customer's users; the Customer is responsible for the lawful basis.
4. Customer instructions
The Provider processes personal data only on documented instructions and informs the Customer if an instruction appears to infringe data-protection law. The Provider does not use customer data to train AI models and contracts Zero Data Retention with AI sub-processors where supported (see Zero Data Retention).
5. Sub-processors
The Customer grants general authorisation to engage the sub-processors listed in the Sub-processors annex. The Provider imposes equivalent data-protection obligations on each, notifies the Customer of intended changes at least 15 days in advance, and allows reasoned objection.
6. International transfers
Processing occurs within the EU/EEA. Any transfer to a third country relies on an adequacy decision, the EU Standard Contractual Clauses, or another Chapter V safeguard. Inference endpoints are region-pinned to the EU — see EU sovereignty & residency.
7. Technical & organisational measures
The Provider maintains the measures in the Technical & Organisational Measures, including AES-256-GCM encryption at rest, TLS in transit, tenant isolation, least-privilege access, and audit logging. Measures may be replaced by equivalent or stronger ones.
8. Assistance, breach notification, audit
- The Provider assists the Customer with data-subject requests — the Service provides self-service access-export and erasure — and with Art. 32–36 obligations.
- The Provider notifies the Customer without undue delay after becoming aware of a personal-data breach.
- The Provider makes available the information needed to demonstrate compliance and permits audits (at most once per year with reasonable notice, or via certifications and reports where available).
9. Deletion & return
On termination the Provider deletes or returns customer data at the Customer's choice within 30 days, subject to statutory retention. Deletion includes crypto-erasure of encrypted content — see Encryption.
10. Liability & term
Liability follows the main agreement. This DPA takes effect with the main agreement and ends when processing concludes.
Annexes: Annex 1 (processing details — §3 above), Annex 2 (Sub-processors), Annex 3 (Technical & organisational measures — TOM).