Open Bee
Get started

Last updated Β· April 29, 2026

Data Processing Agreement

This DPA forms part of the Terms of Service between you ("Controller") and Open Bee AI ("Processor"). It applies automatically when you use Open Bee AI to process personal data subject to GDPR, UK GDPR, UU PDP (Indonesia), or equivalent law.

Need a counter-signed copy on enterprise letterhead? Email legal@openbee.ai.

1. Definitions

Capitalized terms not defined here have the meaning given in GDPR. "Personal Data" means any information relating to an identified or identifiable natural person processed via Open Bee AI under your instruction.

2. Roles

You are the Controller of all Personal Data you submit to Open Bee. We process that data only on your documented instructions, which the Terms of Service and the configuration you make in the product constitute.

3. Subject matter, duration, nature, and purpose

  • Subject matter: processing of Personal Data contained in chat messages, mission tasks, bridge events, and workspace metadata.
  • Duration: the term of your subscription, plus the 30-day soft-deletion grace period.
  • Nature and purpose: providing the multi-provider AI platform, including routing prompts to LLM sub-processors, storing history, and computing usage and billing.
  • Categories of data subjects: your end users, your employees, and any individuals whose data appears in your prompts.
  • Categories of Personal Data: identifiers (name, email), content of communications, usage telemetry. You decide whether to include any special-category data; we recommend against.

4. Sub-processors

We use the sub-processors listed in the Privacy Policy Β§4. You consent to their engagement. We will provide 30 days notice before adding a new sub-processor that handles message content; you may terminate (with prorated refund) if you object.

5. Security measures

We implement technical and organizational measures appropriate to the risk, described in the Security page: encryption in transit and at rest, workspace isolation, role-based access, hashed API keys, signature-verified webhooks, server log retention limits.

6. Data subject requests

We assist you in fulfilling Data Subject Requests via the export and deletion tooling in Settings β†’ Privacy and Settings β†’ Danger Zone. For bespoke requests, email privacy@openbee.ai and we will respond within 30 days.

7. Personal Data breaches

We will notify you without undue delay (and within 72 hours of confirmation) of any Personal Data breach affecting your data, including: what happened, categories and approximate volume affected, likely consequences, and measures taken.

8. International transfers

Where transfers of Personal Data leave the EEA, UK, or Indonesia, we rely on the relevant Standard Contractual Clauses or equivalent adequacy mechanism. Storage primary location is Singapore (ap-southeast-1).

9. Audits

Once per 12 months, you may request and we will provide our then-current SOC 2 / ISO 27001 reports under NDA. On-site audit rights are reserved for enterprise customers via separate written agreement.

10. Return and deletion

On termination, you may export data via Settings β†’ Privacy β†’ Export. We delete (or anonymize) all Personal Data within 30 days of termination, except where retention is required by law.

11. Contact

DPA-specific questions: legal@openbee.ai. General privacy: privacy@openbee.ai.