Data Processing Agreement (DPA)
Last updated: 2026-04-01
1. Parties
Data Controller ("Customer"): Name, organization number and contact details as per the customer agreement.
Data Processor ("Gothia AI"): Gothia AI Solutions, info@gothiaai.se
2. Background
The Customer uses Gothia AI Portal ("the Service"), a SaaS platform with plugins for AI chat (HelperBot), bookings (TimeSlot), CRM (ClientDesk), tickets (SupportDesk) and AI assistance (Compass). This agreement governs Gothia AI's processing of personal data on behalf of the Customer in accordance with the EU General Data Protection Regulation (GDPR), Article 28.
3. Subject matter of processing
Gothia AI processes personal data exclusively to provide the Service: CRM data, support tickets, document search (RAG), AI requests, bookings, and email notifications.
Processing continues as long as the customer agreement is in force. Upon termination, Customer data is deleted within 30 days.
Data subjects: Customer's employees, customers, contacts, website visitors and booking customers.
Personal data: Name, email, phone, organization number, address, message content, document content, booking details, IP address, session data.
4. Security
TLS 1.2+ for all data in transit, AES-256-GCM for sensitive data, BCrypt-hashed passwords, two-factor authentication (TOTP), role-based access with per-tenant isolation, audit logging of all operations, automatic data retention (AI logs 90 days, notification logs 90 days), automatic account deletion 30 days after request.
5. Sub-processors
See our complete sub-processor list. The Customer approves these by entering into this agreement. Gothia AI will notify the Customer at least 30 days in advance of any changes.
Customer data sent to Anthropic/Azure for AI processing is not used for model training.
6. Data subject rights
Gothia AI assists the Customer in handling data subject rights through a data export function, account deletion with a 30-day grace period, and API access for managing CRM data.
7. Data breach notification
In the event of a breach, Gothia AI will inform the Customer within 48 hours with all available information about the nature, scope, likely consequences, and measures taken.
8. Deletion and return
Upon termination, Gothia AI deletes all Customer personal data within 30 days. Document content in the RAG service is deleted. The Customer may request data export before deletion. Exception: data that Gothia AI is legally required to retain.
This agreement is drawn up in accordance with GDPR Article 28.3. By creating an account with Gothia AI, you accept this Data Processing Agreement.