Data Processing Agreement (DPA) — BStone AI
Last updated: 13 July 2026
Service: https://bstoneai.com
This Data Processing Agreement (“DPA”) forms an integral part of the Terms of Service and applies when the User (as Controller) enters personal data into BStone AI for which they or their client is the controller.
Polish version: Umowa powierzenia (PL)
§1. Parties and roles
- Processor: BearStone sp. z o.o., ul. Czarnuszki 6, 05-071 Grabina, Poland, VAT ID (NIP) 822-241-91-52, KRS 0001196088.
- Controller: The User of the Service who enters personal data.
- The Processor processes data solely on behalf of and on documented instructions from the Controller; instructions include the Terms, this DPA, and actions the Controller performs in the Service.
§2. Subject matter, duration, and nature of processing
- The subject matter, purpose, nature of processing, categories of data and data subjects are set out in Annex A.
- This DPA applies for as long as the Controller uses the Service.
§3. Processor obligations
The Processor shall:
- process data only on documented instructions from the Controller, including regarding transfers outside the EEA;
- ensure that persons authorised to process data are bound by confidentiality;
- implement appropriate technical and organisational measures (GDPR Art. 32) as described in Annex B;
- comply with conditions for engaging sub-processors (§5);
- assist the Controller, where reasonably possible, with requests from data subjects (access, rectification, erasure, portability, etc.);
- assist the Controller with obligations under GDPR Arts. 32–36 (security, breach notification, impact assessments);
- upon termination of services, delete or return data in accordance with §9;
- make available information necessary to demonstrate compliance and allow audits (§7).
§4. Controller obligations
- The Controller represents that it has a lawful basis for processing entrusted data and that its instructions are lawful.
- The Controller is responsible for the lawfulness of data entered into the Service, including third-party personal data.
§5. Sub-processors
- The Controller grants the Processor general authorisation to use sub-processors.
- The current list is available at https://bstoneai.com/podprzetwarzajacy.
- The Processor will notify the Controller at least 15 days before adding or changing a sub-processor. The Controller may raise a reasoned objection on data-protection grounds within that period; if no agreement is reached, the Controller may terminate the agreement in respect of the disputed service.
- The Processor enters into agreements with each sub-processor ensuring protection no less than under this DPA and remains liable for their actions.
§6. Transfers outside the EEA
Transfers outside the European Economic Area are made under GDPR-compliant mechanisms, in particular Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework.
§7. Audit
- The Controller may verify the Processor’s compliance with this DPA no more than once per year (and after a breach), upon reasonable prior notice.
- The Processor may satisfy this obligation by providing existing certifications, reports, or security documentation.
§8. Personal data breaches
The Processor will notify the Controller without undue delay after becoming aware of a breach of entrusted personal data, providing information the Controller needs to fulfil its obligations (including notification to the supervisory authority within 72 hours where required).
§9. Termination and deletion
Upon termination of services, the Processor will, at the Controller’s choice, delete or return personal data and delete existing copies, unless law requires further retention. Account deletion is described at Data deletion.
§10. Liability and final provisions
- Liability of the parties is governed by the GDPR and the Terms of Service.
- Polish law and the GDPR apply to matters not covered herein.
- In case of conflict between this DPA and the Terms regarding entrusted personal data, this DPA prevails.
Annex A — Processing details
- Subject matter: processing data entered by the Controller to provide BStone AI services (content generation, analytics, integrations).
- Nature and purpose: storage, organisation, analysis, and content generation on the Controller’s instructions.
- Categories of data subjects: the Controller’s customers, recipients, and contacts whose data the Controller enters.
- Categories of data: identification and contact data and other data contained in content entered by the Controller (Controllers should not enter special categories of data without separate arrangements).
- Duration: for as long as the Controller uses the Service.
Annex B — Technical and organisational measures (TOMs)
The table below reflects measures implemented in the BStone AI product (as of publication).
| Area | Measures |
|---|---|
| Encryption in transit | All traffic to the Service uses HTTPS (TLS). API communication (database, AI, payments) uses encrypted channels. |
| Encryption at rest | Database hosted on Supabase (PostgreSQL on AWS in the EU — Frankfurt region); disk and backup encryption provided by the infrastructure provider. |
| Access control | User authentication via Supabase Auth (hashed passwords; session tokens). Application access limited to the logged-in User. |
| Data isolation | Row Level Security (RLS) in PostgreSQL — users see only their own brands, brandbooks, conversations, and account-related data. Admin operations require an admin role. |
| Secrets and keys | API keys and environment variables stored server-side (Vercel). OAuth tokens of connected services (incl. Meta, LinkedIn, Google, Upload-Post, Shopify, WordPress) stored in the database with RLS isolation and, where implemented, in Supabase Vault (field-level encryption). Secrets are not exposed in client code. |
| Payments | Stripe handles payments under PCI DSS; the Service does not store full card numbers. |
| Backups | Automated database backups (Supabase); recovery after failure. |
| Logging | Server and application logs (Vercel, Supabase) for diagnostics and security; minimisation of personal data in logs. |
| Staff access | Production access limited to authorised personnel on a need-to-know basis; confidentiality obligations. |
| Data deletion | Account and content deletion procedure described at Data deletion. |
Annex C — Sub-processors
Current list: Sub-processors
Related documents: Privacy policy · Terms of Service
Polish version: Umowa powierzenia (PL)