Dobby

Data Processing Agreement (DPA)

Last updated: March 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between DataOps Valley Ltd., operating as Dobby AI ("Processor", "we"), and the customer organization ("Controller", "you") for the provision of the Dobby AI platform services.

This DPA applies to the extent that we process Personal Data on your behalf in connection with the Dobby AI platform, in accordance with applicable data protection laws including GDPR, CCPA, and other regional regulations.

2. Definitions

  • Personal Data: any information relating to an identified or identifiable natural person.
  • Processing: any operation performed on Personal Data (collection, storage, use, disclosure, deletion).
  • Sub-processor: any third party engaged by Dobby AI to process Personal Data on behalf of the Controller.
  • Data Subject: the individual to whom Personal Data relates.

3. Scope of Processing

We process Personal Data solely for the purpose of providing the Dobby AI platform, including:

  • User authentication and session management
  • AI agent task execution and audit logging
  • Cost tracking and billing
  • Platform monitoring and security

Data Residency: You select your data region (Israel, EU, or US) during onboarding. All tenant and agent data is stored exclusively in the selected region. This selection is permanent and cannot be changed after workspace creation.

4. Data Security

  • Encryption at rest: Google Cloud Platform infrastructure encryption (FIPS 140-2 Level 3 HSMs)
  • Encryption in transit: TLS 1.2+ for all connections
  • Application-level encryption: AES-256-GCM for sensitive credentials with per-tenant key derivation
  • Access control: 3-level RBAC (Platform → Organization → Tenant), API key authentication with SHA-256 hashing
  • Audit trail: Immutable event log with 365-day retention
  • Key management: GCP Secret Manager with automated rotation schedule

5. Sub-processors

We use the following sub-processors:

Sub-processorPurposeLocation
Google Cloud PlatformInfrastructure, database (BigQuery), computeRegional (IL/EU/US)
UpstashRedis cachingEU (europe-west1)
StripePayment processingUS/EU
ResendTransactional emailEU (eu-west-1)
LLM Providers (via Gateway)AI model inference (routed through customer config)Varies by provider

6. Data Subject Rights

We support the following data subject rights through our platform:

  • Right to access: Data export available via API and admin dashboard
  • Right to erasure: GDPR deletion request with 30-day grace period, crypto-shredding ready
  • Right to rectification: Users can update their profile and organization data
  • Right to data portability: Data export in standard formats
  • Right to restrict processing: Kill-switch and account suspension controls

7. Data Retention

  • Audit logs: 365 days
  • Task data: Configurable per tenant (default: 90 days active, archived thereafter)
  • Gateway metering: 365 days
  • Security events: 365 days
  • Backups: 90 days (GCS lifecycle policy)

8. Breach Notification

In the event of a Personal Data breach, we will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach, providing:

  • Description of the nature of the breach
  • Categories and approximate number of data subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

9. CCPA Compliance

For California residents, Dobby AI acts as a "Service Provider" under the California Consumer Privacy Act (CCPA). We do not sell Personal Information and process data solely for the business purposes specified in our service agreement.

10. Contact

For DPA inquiries, data protection questions, or to request a signed copy of this agreement: