Data Processing Agreement
Verwerkersovereenkomst · GDPR Article 28
Template for transparency. This is the standard Data Processing Agreement (DPA) we use with clients, published so you can review it in advance. The DPA is finalised and signed per engagement; the version that applies to you is the one executed alongside your service agreement.
This DPA forms an addendum to the service agreement between Pretrain and its client. It sets out how Pretrain processes personal data on the client's behalf, as required by Article 28(3) of the GDPR.
Parties and structure
The Client — the organisation that engages Pretrain and determines the purposes and means of the processing.
Axonn B.V. (trading as Pretrain)
Winklerlaan 367-18, 3571 KE Utrecht, NL
KvK 89366298 · BTW NL864960256B01
wesley@axonn.ai
In respect of personal data, this DPA prevails over any conflicting terms in the main service agreement. It takes effect on signature, or on acceptance of the main service agreement, whichever is earlier, and remains in force for as long as Pretrain processes personal data on the Client's behalf.
1. Subject matter and details of processing
| Subject matter | Processing of personal data by Pretrain (Processor) on behalf of the Client (Controller) in order to build and operate the agreed AI systems. |
|---|---|
| Duration | For the term of the main service agreement and until all personal data is deleted or returned under section 7 below. |
| Nature & purpose | Building and operating AI systems for the Client, which may include lead scoring, meeting intelligence, CRM assistants, transcription, and messaging bots. |
| Types of personal data | For example: names, contact details, communications and transcripts, CRM records, and lead data — as relevant to the specific build. |
| Categories of data subjects | The Client's customers, leads, prospects, and staff. |
2. Obligations of the Processor (Article 28(3))
Pretrain shall comply with each of the following.
(a) Processing on documented instructions
Pretrain processes the personal data only on the Controller's documented instructions, including with regard to transfers of personal data to a third country, unless required to do otherwise by EU or Member State law (in which case Pretrain informs the Controller of that legal requirement before processing, unless the law prohibits it). The service agreement and this DPA constitute the Controller's initial documented instructions.
(b) Confidentiality
Pretrain ensures that persons authorised to process the personal data are bound by an obligation of confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) Security of processing (Article 32)
Pretrain implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- encryption of personal data in transit and at rest;
- access control and least-privilege access to systems and data;
- logging of access and relevant activity;
- regular backups and the ability to restore availability;
- isolation of each client's data (separate environments per client);
- ongoing review of the effectiveness of these measures.
(d) Sub-processors
The Controller gives Pretrain general written authorisation to engage the sub-processors listed in the Annex below. Pretrain will give notice of any intended change (adding or replacing a sub-processor), giving the Controller the opportunity to object. Pretrain imposes the same data-protection obligations on each sub-processor by written contract, and remains fully liable to the Controller for the sub-processor's performance.
(e) Assistance with data-subject requests
Taking into account the nature of the processing, Pretrain assists the Controller by appropriate technical and organisational measures, insofar as possible, in responding to requests from data subjects exercising their rights under the GDPR.
(f) Assistance with security, breaches and DPIAs (Articles 32–36)
Pretrain assists the Controller in ensuring compliance with its obligations under Articles 32 to 36. In particular, Pretrain notifies the Controller of a personal data breach affecting the Client's data without undue delay after becoming aware of it, with the information the Controller needs to meet its own 72-hour notification duty, and assists with data protection impact assessments (DPIAs) and prior consultation where required.
(g) Deletion or return on termination
At the Controller's choice, on termination of the services Pretrain deletes or returns all personal data and deletes existing copies, unless EU or Member State law requires the data to be retained.
(h) Audits and demonstrating compliance
Pretrain makes available to the Controller all information necessary to demonstrate compliance with Article 28, and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor it mandates.
3. International transfers
Where a sub-processor is located outside the European Economic Area, transfers rely on the EU‑U.S. Data Privacy Framework (for certified recipients) and/or EU Standard Contractual Clauses. The list of safeguards is available on request.
4. Sub-processor annex
The Controller authorises the following sub-processors. Only those relevant to the Client's specific build are actually engaged for that Client.
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Anthropic (Claude) | LLM text / transcript processing | United States | EU‑U.S. DPF / SCCs |
| OpenAI | LLM (where used) | United States | SCCs / DPF |
| Google (Gemini) | Transcription / LLM | United States | EU‑U.S. DPF |
| Supabase | Database | EU region | Within EEA (SCCs if US region used) |
| Hetzner | VPS hosting | Germany (EU) | None needed (EEA) |
| Vercel | Website hosting | US parent | DPA / SCCs |
| Calendly | Scheduling | United States | EU‑U.S. DPF + SCCs |
| Runpod | Transcription compute (Whisper) | United States | SCCs |
Build-specific tools — Pipedrive, CloudTalk, Brevo, Kapso, Channable, Trello, Metabase, Wix — are added per engagement, and only those relevant to a given Client's build apply to that Client. Their locations and transfer mechanisms are documented in the relevant signed DPA.
5. Liability
Liability under this DPA is subject to the limitations of liability set out in the main service agreement between the parties.
6. Governing law
This DPA is governed by Dutch law. Disputes are submitted to the competent court of the Rechtbank Midden-Nederland in Utrecht.
7. Signatures
Axonn B.V. (trading as Pretrain)
To execute this DPA, contact wesley@axonn.ai.
See also: Privacy Policy · Cookie Statement · Terms of Use.