Legal

Data Processing Agreement (DPA)

Effective: [Effective date]

The terms under which PetroBrain processes customer data on your behalf as a processor.

Placeholder — not legal advice

This is template scaffolding to define structure only. The real, binding text must be drafted and reviewed by qualified legal counsel before launch. Do not rely on this content.

[PLACEHOLDER] Structural template only. A DPA is a binding contract with specific regulatory requirements — it must be drafted and reviewed by qualified legal counsel for your jurisdiction(s) before use.

1. Definitions

[PLACEHOLDER — controller, processor, sub-processor, personal data, processing, etc.]

2. Roles & scope

The customer is the controller; PetroBrain is the processor and processes customer data only to provide the service and on documented instructions. [PLACEHOLDER — confirm.]

3. Customer data ownership

The customer owns its data. PetroBrain claims no ownership of customer data and processes it solely within the customer’s tenant and on the customer’s behalf.

4. Processing instructions & confidentiality

[PLACEHOLDER — scope of instructions; personnel confidentiality obligations.]

5. Security measures

Technical and organisational measures are described on our security page and to be annexed here. [PLACEHOLDER — attach the measures schedule.]

6. Sub-processors

Current sub-processors are listed on the security page. We will give notice of material changes and an opportunity to object. [PLACEHOLDER — confirm mechanism.]

7. International transfers

[PLACEHOLDER — transfer mechanisms and safeguards.]

8. Data-subject requests & breach notification

[PLACEHOLDER — assistance with requests; breach-notification timelines and process.]

9. Audit

[PLACEHOLDER — audit rights and how they’re exercised.]

10. Return & deletion

[PLACEHOLDER — return/deletion of customer data on termination.]

11. Anonymized & aggregated data

DRAFT CLAUSE — must be drafted and reviewed by counsel

This clause is the legal foundation for building anonymized benchmarks. Get it right: a sloppy version erodes customer trust and may be unenforceable. The text below is a placeholder sketch of intent only — not binding language.

[DRAFT — intent only] Subject to the customer’s consent and the safeguards below, the customer grants PetroBrain a limited licence to create and use anonymized and aggregated data derived from customer data to build benchmarks and improve the service, provided that:

Data is irreversibly de-identified and aggregated so it cannot reasonably be re-identified or attributed to the customer, any individual, or any specific asset or well.
No raw customer data, and no customer-identifying or asset-identifying information, is disclosed.
Aggregation thresholds (e.g. minimum number of contributors per benchmark) prevent re-identification by inference.
The customer may opt out of contributing to aggregates without losing access to the service.
[PLACEHOLDER — governing-law specifics, survival, and audit of de-identification, per counsel.]

12. Term

[PLACEHOLDER — duration, and which clauses survive termination.]

Questions about this document? Contact [legal@petrobrain.example].