Data Processing Agreement

Rheba Intelligence Systems Limited

This Data Processing Agreement ("DPA") forms part of the agreement between the Customer ("Data Controller") and Rheba Intelligence Systems Limited ("Data Processor", "Rheba") for the provision of the Rheba platform and related services ("Services").

This DPA is entered into in accordance with Article 28 of Regulation (EU) 2016/679 (the "GDPR").

1. Definitions

Terms used in this DPA have the meanings given in the GDPR unless otherwise defined. "Personal Data" means any personal data processed by Rheba on behalf of the Customer in connection with the Services. "Sub-processor" means a third party engaged by Rheba to process Personal Data.

2. Scope and Roles

The Customer is the Data Controller. Rheba is the Data Processor. Rheba processes Personal Data solely on documented instructions from the Customer and only for the purpose of providing the Services.

3. Categories of Data Processed

Category	Data Types	Data Subjects
Account Data	Name, email address, role, site location	Customer's authorised users (maintenance personnel, administrators)
Usage Data	Questions asked (hashed), search queries, feedback, session metadata	Customer's authorised users
Customer Content	Technical manuals and documentation uploaded by the Customer	Not applicable (technical documents, not personal data)
Authentication Data	Login timestamps, IP addresses, MFA status	Customer's authorised users

4. Processing Instructions

Rheba shall process Personal Data only in accordance with the Customer's documented instructions, which include:

Providing the Rheba platform (AI-assisted maintenance intelligence)
Authenticating and authorising users
Storing and indexing Customer-uploaded technical documents
Generating AI-assisted answers from Customer documents
Maintaining audit logs for security and compliance

Rheba shall not process Personal Data for any other purpose, including marketing, profiling, or training general-purpose AI models, unless explicitly instructed in writing by the Customer.

5. Data Location and Transfers

All Customer data is processed and stored within the European Union, specifically in Google Cloud's europe-west1 (Belgium) region.

Rheba does not transfer Personal Data outside the EEA. In the event that any sub-processor requires data transfer outside the EEA, Rheba will ensure appropriate safeguards are in place (Standard Contractual Clauses or adequacy decision) and will notify the Customer in advance.

6. Sub-processors

The Customer authorises Rheba to engage the following sub-processors:

Sub-processor	Purpose	Location
Google Cloud Platform (Google LLC)	Cloud infrastructure: compute (Cloud Run), storage (Cloud Storage), database (Cloud SQL), AI/ML services (Vertex AI, Document AI), search (Vertex AI Search), logging (Cloud Logging)	EU (europe-west1, Belgium)
Firebase / Google Identity Platform	User authentication, multi-factor authentication, session management	EU / Global (authentication tokens only)

Rheba shall notify the Customer of any intended changes to sub-processors, giving the Customer the opportunity to object. Rheba ensures all sub-processors are bound by data protection obligations no less protective than those in this DPA.

7. Security Measures

Rheba implements appropriate technical and organisational measures, including:

Encryption at rest: All data encrypted using Google-managed or customer-managed encryption keys (Cloud KMS)
Encryption in transit: TLS 1.2+ for all communications
Access control: Role-based access control (RBAC) with five permission levels; multi-factor authentication (TOTP)
Tenant isolation: Separate data stores per customer; no cross-tenant data access possible at any layer
Audit logging: Immutable audit trail of all data access events
Vulnerability management: Container-based deployment with minimal attack surface; non-root execution
Data minimisation: Questions logged as hashes only; no unnecessary data retention

8. Data Subject Rights

Rheba shall assist the Customer in fulfilling data subject requests (access, rectification, erasure, restriction, portability, objection) within the timeframes required by the GDPR. Rheba shall notify the Customer promptly if it receives a data subject request directly.

9. Data Breach Notification

Rheba shall notify the Customer without undue delay, and no later than 48 hours, after becoming aware of a personal data breach. The notification shall include:

Nature of the breach, including categories and approximate number of data subjects affected
Name and contact details of Rheba's point of contact
Likely consequences of the breach
Measures taken or proposed to address the breach

10. Data Retention and Deletion

Upon termination of the Services or upon the Customer's written request, Rheba shall delete or return all Personal Data within 30 days, unless retention is required by law. Rheba shall provide written confirmation of deletion upon request.

Backup copies are purged on normal rotation cycles (no longer than 90 days after deletion).

11. Audit Rights

The Customer has the right to audit Rheba's compliance with this DPA. Rheba shall make available all information necessary to demonstrate compliance and allow for audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer. Audits shall be conducted with reasonable notice and during normal business hours.

12. Liability

Each party's liability under this DPA is subject to the limitations set out in the main service agreement between the parties.

13. Governing Law

This DPA is governed by Irish law. The Irish courts shall have exclusive jurisdiction over any disputes arising from this DPA.

14. Contact

For any queries regarding this DPA or data protection, contact:

Rheba Intelligence Systems Limited
Coosan, Athlone, Co. Westmeath, Ireland
Email: conor@rheba.ai
Phone: 086 179 4830

Last updated: April 2026