Ghost BIGhost BI

Data Processing Agreement

Effective: February 2026 · Last Updated: February 21, 2026

1. Parties and Scope

This Data Processing Agreement ("DPA") is entered into between the customer ("Controller" or "you") and Ghost BI, Inc. ("Processor" or "we") and supplements the Terms of Service. This DPA governs the processing of personal data by Ghost BI on behalf of the Controller in connection with the Ghost BI platform.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in applicable data protection laws including GDPR, CCPA, and equivalent regulations.
  • "Processing" means any operation performed on personal data, including collection, storage, use, transmission, and deletion.
  • "Sub-processor" means any third party engaged by Ghost BI to process personal data on behalf of the Controller. See our Sub-processors list.

3. Data Processing Details

3.1 Categories of Data Subjects

  • Customer account holders and authorized users
  • End users whose data is submitted via API calls

3.2 Types of Personal Data Processed

  • Account data: Name, email address, IP addresses, user-agent strings
  • API metadata: Request timestamps, process identifiers, latency metrics
  • Billing data: Payment method details (processed by Stripe, not stored by Ghost BI)

Important: Ghost BI does NOT store customer API input or output data. All LLM processing is transient — data is sent to the AI provider and the response is returned directly to the customer. No input/output content is persisted.

3.3 Purpose of Processing

Personal data is processed solely for the purpose of providing the Ghost BI product intelligence platform, including user authentication, API request processing, billing, security monitoring, and customer support.

4. Processor Obligations

Ghost BI shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure that persons authorized to process personal data are bound by obligations of confidentiality
  • Implement appropriate technical and organizational measures to ensure the security of personal data (see Section 5)
  • Not engage another processor without prior written authorization from the Controller
  • Assist the Controller in responding to data subject access requests (DSARs)
  • Delete or return all personal data upon termination of the service agreement, subject to legal retention requirements
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA

5. Security Measures

Ghost BI implements the following technical and organizational measures:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Multi-tenant data isolation at the database level with tenant-scoped queries
  • Role-based access controls and principle of least privilege
  • API key hashing (SHA-256) — plaintext keys are never stored
  • Rate limiting and concurrency controls to prevent abuse
  • Audit logging of all significant user and system actions
  • Regular security assessments and vulnerability scanning
  • Environment isolation (sandbox/production) to prevent data cross-contamination

6. Sub-processors

The Controller authorizes Ghost BI to engage the sub-processors listed on our Sub-processors page. Ghost BI will notify the Controller of any intended changes to sub-processors, providing reasonable opportunity to object.

7. AI/LLM Data Processing

Ghost BI uses Anthropic Claude as its primary AI provider for generating structured intelligence from customer-submitted data. The following safeguards apply:

  • Customer data sent to Anthropic is processed transiently and is not used to train AI models
  • Anthropic acts as a sub-processor under the terms of this DPA
  • Ghost BI does not store LLM input/output content — only metadata (timestamps, latency, success/failure) is logged
  • Customers may configure prompt settings and output schemas to control what data is sent to the AI provider

8. International Data Transfers

Ghost BI processes data in the United States. For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, Ghost BI relies on Standard Contractual Clauses (SCCs) as approved by the European Commission. Ghost BI also complies with the EU-US Data Privacy Framework where applicable.

9. Data Retention and Deletion

  • API call logs: Retained for 90 days, then permanently deleted
  • Account data: Retained for the duration of the service agreement, plus 30 days after account deletion request (GDPR right to erasure grace period)
  • Audit logs: Retained for 1 year for compliance purposes
  • Billing records: Retained as required by tax and accounting regulations

10. Data Breach Notification

In the event of a personal data breach, Ghost BI shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification shall include:

  • The nature of the personal data breach
  • The categories and approximate number of data subjects affected
  • The likely consequences of the breach
  • The measures taken or proposed to mitigate the breach

11. Data Subject Rights

Ghost BI will assist the Controller in fulfilling data subject rights requests including:

  • Right of access (GDPR Art. 15)
  • Right to rectification (GDPR Art. 16)
  • Right to erasure / right to be forgotten (GDPR Art. 17)
  • Right to data portability (GDPR Art. 20)
  • Right to restriction of processing (GDPR Art. 18)

Data subjects may exercise these rights through their Ghost BI account settings or by contacting privacy@ghostbi.com.

12. Contact

For questions about this DPA or data processing activities, contact our Data Protection Officer at privacy@ghostbi.com.