SymbiSymbi

Data Processing Agreement

Last updated: March 9, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Symbi AS ("Processor") and the customer ("Controller") for the use of the Symbi platform. This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (GDPR) and applies to all processing of personal data by Symbi on behalf of the customer.

1. Scope of Processing

Symbi processes personal data on behalf of the Controller to provide the platform services described in the Terms of Service. The categories of data processed include end-user names, email addresses, support ticket content, AI interaction logs, and any personal data contained in content processed by the customer's AI digital employees. Processing is limited to what is necessary to provide the agreed services.

2. Roles and Responsibilities

The customer is the Data Controller and determines the purposes and means of processing personal data through the platform. Symbi is the Data Processor and processes personal data solely on behalf of and according to the documented instructions of the Controller. Symbi will not process personal data for any other purpose unless required by EU or Norwegian law, in which case Symbi will inform the Controller before processing unless prohibited by law.

3. Processing Instructions

Symbi shall only process personal data in accordance with the Controller's documented instructions, which include:

  • Providing and maintaining the Symbi platform and AI digital employee services
  • Processing support tickets, emails, and other content through AI digital employees as configured by the Controller
  • Storing and retrieving data necessary for the operation of the platform
  • Generating analytics and reports for the Controller about their AI employees' performance

4. Security Measures

Symbi implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of personal data at rest (AES-256) and in transit (TLS 1.2+)
  • Multi-tenant data isolation with tenant-scoped database queries
  • OAuth-based authentication with no password storage
  • Regular security audits and vulnerability assessments
  • Access controls with role-based permissions and the principle of least privilege

5. Sub-Processors

Symbi engages the following sub-processors to deliver the platform services. The Controller is deemed to have given general written authorization for the use of these sub-processors:

  • Neon (database hosting) — EU region, US company with EU-US DPF certification
  • Vercel (application hosting) — EU region, US company with EU-US DPF certification
  • Stripe (payment processing) — EU region, US company with EU-US DPF certification
  • OpenRouter (AI model routing) — US company with DPA
  • Mistral AI (AI model provider) — French company, EU-based

6. International Transfers

Where personal data is transferred outside the EEA, Symbi ensures that appropriate safeguards are in place in accordance with GDPR Chapter V. This includes reliance on the EU-US Data Privacy Framework, Standard Contractual Clauses (SCCs), or other approved transfer mechanisms. A list of current transfer safeguards is available upon request.

7. Data Breach Notification

Symbi will notify the Controller without undue delay after becoming aware of a personal data breach. The notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach. Symbi will cooperate with the Controller in fulfilling their obligations under Articles 33 and 34 of the GDPR.

8. Data Deletion and Return

Upon termination of the agreement or upon request, Symbi will delete or return all personal data processed on behalf of the Controller within 90 days, unless retention is required by EU or Norwegian law. The Controller can use the platform's data export functionality to retrieve their data before termination. Consent records are retained in anonymized form for legal compliance purposes.

9. Contact

For DPA inquiries, to request a signed copy, or to report a data protection concern, please contact contact@symbi.no.