Last updated: March 2026
This Data Processing Agreement (the "DPA") is incorporated into and forms part of the General Terms and Conditions or Master Subscription Agreement, as applicable (the "Agreement") entered into by and between Customer and Aiqaramba. All capitalised terms used but not defined in this DPA shall have the meanings set forth in the Agreement. In the event of a conflict between the Agreement and the DPA, the terms of the DPA shall prevail.
| GDPR | Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data. |
|---|---|
| Personal Data | Any information relating to an identified or identifiable natural person, which is processed by Aiqaramba as part of the Services under the Agreement. |
| Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data. |
| Sub-processor | Any third party engaged by Aiqaramba to process Personal Data on behalf of the Customer. |
| Integration | A Controller-enabled connection between the Platform and a third-party service (such as Microsoft 365, a webhook endpoint, or a GitHub repository) through which Personal Data may be transmitted or accessed. |
The terms "controller", "processor", "data subject", "process" and "supervisory authority," and their derivatives and analogous terms shall have the same meaning as set out in the GDPR.
For the purposes of this DPA, Customer acts as the Data Controller and Aiqaramba acts as the Data Processor with respect to the Personal Data processed under the Agreement. The processing of Personal Data happens only on instruction from the Customer and not for any other purpose. It shall only last for the duration of the use by Customer of the Products and Services as set out in the Agreement, after which the Personal Data will be deleted in accordance with Section 11.
| Subject matter | Automated browser-based testing and quality assurance of the Controller's web applications |
|---|---|
| Duration | For the term of the Agreement, plus any retention period specified in Section 11 |
| Nature and purpose | AI agents navigate the Controller's application in isolated browser sessions, capturing screenshots, page content, interaction logs, and optionally video recordings, in order to produce test reports and identify defects |
The Controller may enable Integrations that extend the scope of processing. Each Integration is activated at the Controller's sole discretion and constitutes a documented instruction to the Processor to process the additional categories of Personal Data described below.
| Integration | Data processed | Direction |
|---|---|---|
| Microsoft 365 (email) | Email messages from Controller-specified mailboxes: sender name and address, recipient addresses, subject, body content, timestamps, and extracted links. Access is scoped by the Controller's OAuth credentials and mailbox configuration. | Third-party to Platform |
| Webhooks | Agent and discovery completion events: agent identifiers, project names, test results (pass/fail), summary text, duration, video URLs. Sent to Controller-specified HTTP endpoints, signed with HMAC. | Platform to Controller |
| GitHub App | Agent failure details: error summaries, test step descriptions, project identifiers. Used to create issues in Controller-specified repositories. | Platform to Controller |
The Processor processes Integration data solely for the purpose of performing the service the Integration is designed for. The Controller is responsible for ensuring that it has a lawful basis for making the relevant Personal Data available through each Integration it enables.
The Controller may disable any Integration at any time through the Platform settings, which will immediately stop the associated processing.
Integrations are not Sub-processors. When the Controller enables an Integration, the third-party service acts as a separate controller or processor under the Controller's own agreement with that service. Aiqaramba facilitates the data transfer on the Controller's instruction but does not determine the purposes of processing by the third-party service.
4.1 Processing instructions. The parties agree that the Agreement and this DPA shall constitute the Customer's instructions for the processing of Personal Data. Each Party shall comply with its respective obligations under the GDPR. Aiqaramba shall inform Customer if it becomes aware that Customer's instructions infringe the GDPR, but without obligation to actively monitor Customer's compliance therewith.
4.2 Confidentiality. Personal Data received by Aiqaramba under the scope of this DPA will only be used for the purposes of the Agreement and Aiqaramba will not reproduce, disseminate, or disclose this Personal Data to any person, except to its employees and authorised representatives (e.g. temporary employees, consultants, and contractors) who need to know for the purposes of the Agreement and are bound by confidentiality obligations at least as restrictive as those in this section. Aiqaramba will treat the received Personal Data with the same degree of care as it treats its own information of similar sensitivity, but never with less than reasonable care. The obligations in this section survive for three (3) years following expiration or termination of the Agreement. Any Personal Data retained in backup media will continue to be subject to this section until it is deleted.
4.3 Permitted Disclosure. Aiqaramba may disclose received Personal Data (i) as approved in writing and signed by Customer; (ii) as necessary to comply with any law or valid order of a court or other governmental body; or (iii) as necessary to establish the rights of Aiqaramba, but in the case of (ii) and (iii), only if Aiqaramba promptly notifies Customer of the details of the required disclosure and gives Customer all assistance reasonably required to enable Customer to take available steps to prevent the disclosure or to ensure that disclosure occurs subject to an appropriate obligation of confidence.
4.4 Liability. Aiqaramba's liability under this DPA shall be subject to the limitations and exclusions of liability set forth in the Agreement. Nothing in this DPA shall increase or expand Aiqaramba's liability beyond what is provided in the Agreement.
Aiqaramba shall, taking into account the nature of the processing, provide reasonable assistance to Customer in responding to requests from data subjects exercising their rights under the GDPR (access, rectification, erasure, restriction, portability, objection).
If Aiqaramba receives a data subject request directly, it shall promptly redirect the request to the Customer and shall not respond to the request without the Customer's prior written authorisation, unless legally required to do so.
6.1 Customer grants Aiqaramba general authorisation to engage third parties to process the Personal Data ("Sub-processors"). The current Sub-processors are:
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Infrastructure hosting (Compute Engine, Cloud SQL) | EU (Belgium) |
| Google Vertex AI | LLM inference for agent intelligence | EU |
| Stripe | Payment processing | EU/US |
6.2 Aiqaramba shall provide Customer with at least fourteen (14) days' prior written notice of its intent to add or replace a Sub-processor. If Customer does not object in writing to the proposed change within fourteen (14) days of receipt of such notice, Customer shall be deemed to have consented to the change. If Customer objects to the proposed change within the 14-day period and Aiqaramba does not agree with the objection, Customer shall be entitled to terminate the Agreement by providing written notice to Aiqaramba.
6.3 Aiqaramba shall ensure each Sub-processor is appointed pursuant to a written contract conferring materially the same obligations with respect to Personal Data as this DPA and shall be responsible for ensuring each such Sub-processor complies with all such obligations.
7.1 All core processing infrastructure is located in the EU (Google Cloud, Belgium region). Customer acknowledges that certain Sub-processors (e.g. Stripe) may process Personal Data outside the EEA.
7.2 Where transfers of Personal Data outside the EEA are necessary, Aiqaramba shall ensure that such transfers are made in compliance with the GDPR, relying on the EU Standard Contractual Clauses (Module 2: Controller to Processor) or adequacy decisions, as applicable.
7.3 For the purposes of the EU SCCs, the governing law (Clause 17) shall be Belgium, and the competent supervisory authority shall be the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit).
7.4 Integrations enabled by the Controller may result in transfers to third countries. The Controller is responsible for ensuring an appropriate transfer mechanism is in place with the Integration provider.
Aiqaramba implements and maintains the following measures pursuant to Art. 32 GDPR:
Aiqaramba may update or modify its Technical and Organisational Measures from time to time, provided such updates do not result in a material reduction of the protection provided for Personal Data.
Aiqaramba shall notify the Controller without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a Personal Data Breach. The notification shall include:
If it is not possible to provide all information at the same time, Aiqaramba shall provide it in phases without further undue delay. Aiqaramba shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of each breach.
A notification under this section shall not be construed as an acknowledgement of fault or liability by Aiqaramba.
As required by the GDPR, Aiqaramba shall keep a written record of its processing activities with respect to Personal Data. Upon reasonable prior notice, Aiqaramba shall make available to Customer all information necessary to demonstrate compliance with this DPA.
Aiqaramba will allow and contribute to audits (including on-site inspections) by Customer or an independent auditor mandated by Customer, to verify Aiqaramba's compliance with its obligations under this DPA. Such audits shall be at Customer's expense, subject to appropriate confidentiality, conducted no more than once annually (unless a Data Breach or suspected material non-compliance has occurred), and carried out in a manner that minimises disruption to Aiqaramba's business.
In lieu of or prior to an on-site audit, Aiqaramba may first provide current compliance certificates, attestation reports, summary audit reports, or other relevant documentation to address the information requests. Customer agrees to review these materials in good faith before requesting any further audit.
Upon termination of the Agreement, or upon the Controller's earlier written request, Aiqaramba shall:
Aiqaramba may retain Personal Data beyond termination only to the extent required by applicable law or regulation, and only for as long as such law or regulation requires. Aiqaramba shall inform the Controller of any such retention requirement and shall continue to protect the retained data in accordance with this DPA.
Retention during the Agreement: Agent session data (screenshots, conversation logs, test results) is retained for ninety (90) days after creation, after which it is automatically deleted. Video recordings, if enabled, follow the same retention period. The Controller may request earlier deletion of specific agent data at any time.
The Controller shall:
In the event Aiqaramba becomes subject to a request from a public authority to disclose any Personal Data, Aiqaramba shall review the legality of such a request prior to acceding to it. To the extent permitted by law, Aiqaramba shall promptly notify Customer in writing of any such request. Aiqaramba shall comply with such requests only in the event and to the extent that it is lawfully compelled to do so. Aiqaramba shall in respect of any such request only disclose the minimum amount of Personal Data required.
This DPA shall remain in force for the duration of the Agreement and shall automatically terminate upon termination or expiry of the Agreement, without prejudice to any obligations that by their nature survive termination (including the confidentiality obligations in Section 4.2 and any pending data deletion obligations under Section 11).
15.1 Governing Law. Unless otherwise required, the parties agree that the Agreement is governed by and construed under the laws of Belgium, without regard to any conflict of law rules or principles, and excluding the application of the United Nations Convention on Contracts for the International Sale of Goods. The Parties irrevocably submit to the exclusive jurisdiction of the courts of competent jurisdiction in Ghent, Belgium. Parties will first try to settle any dispute between them amicably in good-faith negotiations prior to seeking enforcement from a court.
15.2 Updates. Aiqaramba may modify this DPA as a result of (a) changes in applicable data protection laws; (b) a merger, acquisition, corporate reorganisation, or other similar occurrences; or (c) the release of new features, functions, products or services or material changes to any of the existing Services. Aiqaramba may make such modifications by posting a revised version of this DPA at aiqaramba.com/dpa or by otherwise notifying the Customer. The modified version of the DPA will become effective upon posting. By continuing to use the Services after the effective date of any modifications to this DPA, the Customer agrees to be bound by the modified DPA.
For DPA-related inquiries: alexander.rogiers@alex-ai.eu
To request a signed copy of this DPA, email us with your company details and subscription reference.