Data Processing Addendum (DPA)

Updated February 2026

We are SLIMCLOUD B.V., doing business as “GUST-AI”, and also as “GUST Armada by SlimCloud” (“Company,” “we,” “us,” “our”, “GUST”, “SlimCloud”), a company registered in the Netherlands at Sarphatipark 45-3, Amsterdam, Noord Holland 1073CR (Chamber of Commerce number 81245084). Our VAT number is NL862013240B01.

This Data Processing Addendum (“DPA”) governs access to and use of the GUST Platform and Services (the “Platform” and “Services”) provided by SLIMCLOUD B.V.

We operate the websites https://slimcloud.tech/ and https://gustai.app/ (the “Site”), as well as any other related products and services that refer or link to these legal terms (the “Legal Terms”) (collectively, the “Services”).

You can contact us by phone at +31682681326, email at info@slimcloud.net, or by mail to Sarphatipark 45-3, Amsterdam, Noord Holland 1073CR, Netherlands.

This Data Processing Addendum (“DPA”) forms part of SlimCloud’s Master Subscription Terms of Service (“Agreement”) between:

  • SlimCloud B.V., Sarphatipark 45-3, 1073 CR Amsterdam, The Netherlands (“Processor”)
  • The User or Customer entity identified in the Agreement (“Controller”)

This DPA applies where Processor processes Personal Data on behalf of Controller in connection with the Platform.

1. Definitions


Unless otherwise defined herein, terms such as:

  • Personal Data
  • Processing
  • Controller
  • Processor
  • Data Subject
  • Supervisory Authority
  • Personal Data Breach

have the meanings given in Regulation (EU) 2016/679 (“GDPR”).

  • Customer Data (or “User Content”) means any data, text, prompts, files, code, configurations, credentials, integrations, or other materials submitted, uploaded, transmitted, or otherwise provided by Controller to the Platform.
  • Scopes (or “Context Containers”) means the defined, isolated knowledge and memory containers configured within the Platform that govern the data, instructions, memory, permissions, and operational parameters available to Agents.

2. Role of the Parties


Controller determines:

  • The purposes of Processing
  • The categories of Personal Data uploaded
  • The configuration of Scopes and Agents

Processor:

  • Processes Personal Data solely on documented instructions from Controller.
  • Shall not determine the purposes and means of Processing.

3. Subject Matter and Duration


3.1 Subject Matter

Processing of Personal Data in connection with the provision of the Platform and the Services, including:

  • Storage within Scopes
  • Structured memory retention
  • Agent orchestration
  • Logging and audit trails
  • Integration with connected systems
  • Technical support

3.2 Duration

Processing continues for the duration of the Agreement and any agreed retention period thereafter.

4. Nature and Purpose of Processing


Processing may include:

  • Collection
  • Storage
  • Organization
  • Structuring
  • Retrieval
  • Consultation
  • Transmission
  • Logging
  • Deletion

Purpose:

  • To provide AI-driven orchestration, automation, and workflow services as configured by Controller.
  • Processor does not use Personal Data to train foundation models unless explicitly agreed in writing.

5. Types of Personal Data


Personal Data processed may include, depending on Customer use:

  • Names
  • Email addresses
  • User identifiers
  • Role information
  • Communication content
  • Code comments referencing individuals
  • Ticketing metadata
  • Operational logs
  • Any data uploaded into Scopes

Processor does not require special categories of data and Controller shall not upload such data unless legally permitted and configured appropriately.

6. Categories of Data Subjects


May include:

  • Customer employees
  • Contractors
  • End users
  • Clients
  • Business partners
  • Developers
  • System users

7. Processor Obligations


Processor shall:

  1. Process Personal Data only on documented instructions.
  2. Ensure personnel are bound by confidentiality.
  3. Implement appropriate technical and organizational measures (Article 32 GDPR).
  4. Not sell Personal Data.
  5. Not use Personal Data for independent purposes.
  6. Notify Controller of legally binding data disclosure requests unless prohibited by law.

8. Security Measures


Processor implements appropriate safeguards, including:

  • Encryption in transit (TLS)
  • Encryption at rest (where applicable)
  • Logical isolation of Scopes
  • Role-based access control
  • Access logging
  • Multi-tenant segregation
  • Infrastructure hosted in secure cloud environments
  • Audit trail functionality
  • Versioning and rollback mechanisms
  • Prompt injection mitigation safeguards (where applicable)

Security measures are reviewed periodically. Controller acknowledges that no system is completely secure.

9. Subprocessors


Processor may engage Subprocessors to provide infrastructure and related services.

These may include:

  • Cloud infrastructure providers (e.g., Microsoft Azure)
  • LLM service providers
  • Hosting providers
  • Monitoring providers

Processor shall:

  • Enter into written agreements with Subprocessors
  • Impose GDPR-compliant obligations
  • Remain liable for Subprocessor performance

A current list of Subprocessors shall be made available upon request. Controller may object to a new Subprocessor on reasonable data protection grounds.

10. International Data Transfers


Where Personal Data is transferred outside the EEA:

  • Standard Contractual Clauses (SCCs) shall apply, where required.
  • Additional safeguards shall be implemented as appropriate.

Processor shall provide transfer mechanism documentation upon request.

11. Assistance to Controller


Processor shall assist Controller, where reasonably required, with:

  • Data Subject access requests
  • Rectification
  • Erasure
  • Restriction
  • Data portability
  • Objections
  • DPIAs
  • Prior consultation with Supervisory Authorities

If Processor receives a request directly from a Data Subject, it shall notify Controller unless legally prohibited.

12. Personal Data Breach


Processor shall:

  • Notify Controller without undue delay after becoming aware of a Personal Data Breach.
  • Provide available information necessary for Controller’s GDPR obligations.
  • Take reasonable steps to mitigate and remediate the breach.

Notification shall include:

  • Nature of breach
  • Categories of data affected
  • Likely consequences
  • Measures taken or proposed

13. Data Retention & Deletion


Upon termination of the Agreement:

  • Controller may request return or deletion of Personal Data.
  • Processor shall delete Personal Data unless retention is legally required.

Backups may persist temporarily under standard retention cycles but remain protected. Controller is responsible for exporting data prior to termination if desired.

14. Audit Rights


Controller may:

  • Request written information regarding compliance.
  • Conduct audits or appoint an independent auditor at Controller’s own expense.

Audits shall:

  • Occur during business hours
  • Not disrupt operations
  • Be limited to once per year unless required by law

15. Liability


Liability under this DPA is subject to the limitation of liability provisions in the Agreement.

16. Records of Processing


Processor shall maintain records of Processing activities under Article 30 GDPR.

17. AI-Specific Processing Clarification


Processor provides a platform enabling Controller to:

  • Configure autonomous Agents
  • Retain structured memory within Scopes
  • Execute automated workflows

Controller is responsible for determining the lawful basis for processing and supervising automated decision-making.

18. Governing Law


This DPA shall be governed by the same law as the Agreement.

19. Order of Precedence


In case of conflict:

  1. This DPA
  2. The Master Subscription Terms of Service
  3. Any Order Form

Annex I – Processing Details


  • Controller: Customer entity
  • Processor: SlimCloud B.V.
  • Nature of Processing: AI orchestration, memory storage, automation
  • Categories of Data Subjects: As described above
  • Types of Personal Data: As described above
  • Retention: Duration of Agreement + configured retention

Annex II – Technical & Organizational Measures


  • Encryption in transit (TLS 1.2+)
  • Role-based access control
  • Logical Scope isolation
  • Multi-tenant segregation
  • Secure cloud hosting
  • Monitoring & logging
  • Incident response process
  • Regular vulnerability scanning
  • Secure development lifecycle
  • Prompt injection mitigation practices
  • Access review procedures

Copyright © SlimCloud BV 2025. All Rights Reserved.