AI Chatbot Compliance, Without the Vaporware Badges

Boei is GDPR-first by design, EU-hosted on Hetzner (Nuremberg, Germany), and ships a signed Data Processing Agreement on every paid plan, including the $19/mo Starter tier. This page is the single source of truth for how we handle your data, who we share it with, and where we honestly cannot help yet.

GDPR-compliant by design, EU/EEA data residency
Free DPA on every plan (Starter included)
Full public subprocessor list, 30-day change notice

Trusted by compliance-conscious teams in the EU

17,000+

Businesses use Boei

EU/EEA

Primary hosting (Hetzner, Nuremberg)

Free

DPA on every paid plan

30 days

Advance notice on subprocessor changes

Compliance is a buying signal, not a marketing badge

Most chatbot vendors bury their DPA behind an enterprise sales call, hide their subprocessor list, and slap a HIPAA logo on the homepage without signing a Business Associate Agreement. That may look reassuring, but it fails the first procurement review at any regulated buyer.

Boei takes the opposite approach: everything on this page is verifiable in one click, our DPA is free on every paid plan, and where we cannot honestly claim a certification (HIPAA is the big one), we say so in plain English.

The rest of this page walks through the five things procurement and privacy teams actually ask about: GDPR, our Data Processing Agreement, subprocessors, EU data residency, and our honest HIPAA stance.

What Boei Compliance Actually Covers

One card per topic. Every claim links back to its source-of-truth page.

GDPR by Design

EU/EEA hosting, data-subject rights (access, erasure, portability, export) exposed in the dashboard, configurable retention windows, and cookie-less analytics on our own marketing site (Plausible).

Free DPA on Every Plan

The Boei Data Processing Agreement is a public document. Sign it via /data-processing-agreement/ or your procurement can request a mutually countersigned copy. No enterprise-only gating.

Public Subprocessor List

Every third party that processes personal data on your behalf is listed on /legal/subprocessors/ with registered office, purpose, and processing region. Additions get 30 days advance notice.

EU Data Residency

Primary application servers, database, and backups run on Hetzner Online GmbH in Nuremberg, Germany. Static assets sit in AWS S3 EU-West (Ireland). No US region processing by default for Controller data.

HIPAA: Honest Scope

We do NOT hold a HIPAA certification and do NOT sign BAAs at standard tiers. For non-PHI scheduling and FAQ the widget works fine; for chatbot-mediated PHI, contact us before onboarding.

Auditability

Every conversation is logged and exportable. Your admin can review AI answers, correct patterns, tune escalation, and satisfy internal audit trails without a support ticket.

How Boei Handles EU Personal Data

Boei is a GDPR data processor for the personal data your visitors submit through the chatbot widget (name, email, phone, message content). You (the site owner) are the controller. We invest continuously in maintaining GDPR compliance and helping you comply with the framework you owe your users.

What GDPR compliance means at Boei

  • Lawful basis: we process Controller Personal Data solely to deliver the Service you subscribed to. No behavioral profiling, no ad targeting, no reselling to data brokers.
  • EU/EEA hosting: primary application, database, and backups run on Hetzner Online GmbH in Nuremberg, Germany. Backups live on a separate Hetzner Storage Box in the same region and are retained up to 90 days.
  • Data-subject rights: your admin dashboard lets you export a visitor's data (Article 15), erase a conversation on request (Article 17), or bulk-export the whole account. Configurable retention windows keep old chats from lingering.
  • Sub-processor governance: every third party that touches personal data is listed publicly on our subprocessors page, with 30-day advance notice on additions.
  • International transfers: where a US subprocessor is used (typically because you enabled a US-based AI model like OpenAI or Anthropic), we rely on Standard Contractual Clauses (SCCs) plus your explicit configuration choice.
  • Encryption: 256-bit AES TLS in transit; AES full-disk encryption at rest on every server holding user data. Static assets in AWS S3 use server-side encryption and HTTPS-only access.

Full detail is on the Security page.

Free DPA on Every Plan, Including Starter

Boei's Data Processing Agreement is a public, standalone document. You do not need to be on a specific tier, hit a seat threshold, or talk to sales to get one. The DPA is live at /data-processing-agreement/ and by using the Service under a paid subscription you are already covered by it.

If your procurement needs a countersigned copy

  • Download the DPA PDF from the DPA page.
  • Sign your part.
  • Email [email protected] and we send back a countersigned copy, usually within one business day.
  • Custom red-line requests are welcome on the Scale plan ($229/mo annual) which includes a custom DPA signed by our legal team as part of the tier.

The DPA references our subprocessors page as Annex 1, so any new subprocessor is automatically covered by the same agreement (with the 30-day advance-notice mechanism preserving your right to object).

Every Third Party That Touches Your Data

The authoritative list lives at /legal/subprocessors/ and is versioned via our legal changelog. Here is a snapshot as of 2026-04-17 grouped by purpose so you can see the scope at a glance:

Core infrastructure (EU/EEA)

  • Hetzner Online GmbH (Nuremberg, Germany) - primary servers, database, backups.
  • Weaviate B.V. (Amsterdam / Frankfurt) - vector database for chatbot knowledge base.
  • Amazon Web Services EMEA SARL (EU-West, Ireland) - static asset storage (S3).
  • Plausible Insights OU (Tallinn, Estonia; processed in Germany) - cookie-less analytics for boei.help only, not Controller data.

AI model providers (configurable per customer)

  • Mistral AI, SAS (Paris, France) - EU-hosted LLM option.
  • OpenAI, Inc. (USA) - opt-in, requires customer configuration.
  • Anthropic, Inc. (USA) - opt-in, requires customer configuration.
  • Google LLC (Gemini) (USA) - opt-in, requires customer configuration.

The AI model your chatbot actually uses depends on your account settings. EU-only setups can pin Mistral and never touch a US-region provider for LLM inference.

Operational (US, SCCs in place)

  • Cloudflare, Inc. - CDN, DDoS protection, WAF for public boei.help + widget traffic (EU-first routing where available).
  • Mailgun Technologies - transactional email (chat transcripts, notifications).
  • Firecrawl (Mendable, Inc.) - website crawling when you point Boei at your public content for knowledge-base training.
  • Stripe, Inc. - payment processing and subscription billing.

If a subprocessor changes we post it to /legal/subprocessors/ at least 30 days in advance and notify DPA-holding customers per the agreement.

Where Your Data Physically Lives

Boei production services run on Hetzner Online GmbH infrastructure in Nuremberg, Germany. All Controller personal data processed by the Service is stored inside the EU/EEA. Backups sit on a separate Hetzner Storage Box, also in Nuremberg, and are retained up to 90 days.

Hetzner's data centers are ISO/IEC 27001 certified and operate with 24/7 on-site staff, video surveillance, biometric and multi-factor access control, redundant power and cooling, and fire suppression.

Static assets served alongside the widget (images uploaded through the admin) sit in the EU-West (Ireland) region of AWS S3 via Amazon Web Services EMEA SARL, with server-side encryption enabled.

Public-facing traffic to boei.help, app.boei.help, and the widget is served through Cloudflare's global edge (EU-first routing where available). Cloudflare processes minimal metadata (IP for routing, TLS termination) - it does not persist Controller personal data.

For teams that need to point to a specific procurement checklist item: this configuration satisfies the standard EU/EEA data-residency requirement most European public-sector and healthcare procurement bodies apply.

Our Honest Position on HIPAA

Boei is not currently HIPAA-certified and does not sign Business Associate Agreements at standard tiers. Some competitor sites display a HIPAA badge without ever signing a BAA, which is misleading. We prefer to be direct.

What this means in practice

  • Non-PHI use cases work fine: appointment booking, hours, cost, prep instructions, insurance FAQ, general triage FAQ. None of these require the chatbot to touch protected health information.
  • Symptom triage flows always include a non-medical-advice disclaimer so visitors are not misled into treating the chatbot output as clinical guidance.
  • PHI-touching workflows: if your chatbot needs to intake symptoms tied to identifiable patients or coordinate care, and you need a signed BAA, contact us before onboarding to discuss the Scale plan and our current compliance roadmap.

See /for/healthcare/ for the vertical write-up aimed at clinics evaluating Boei.

Compliance at a glance

Boei vs Typical US-Hosted Chatbot Vendors

The compliance-posture questions procurement actually asks.

Compliance FAQ

Is Boei GDPR compliant?

Yes. Boei is GDPR-first by design: EU/EEA hosting (Hetzner, Nuremberg), free Data Processing Agreement on every paid plan, data-subject rights exposed directly in the admin dashboard (export, erasure, portability), configurable retention windows, and a public subprocessor list with 30-day change notice. Full detail is on the Security page.

Where can I download Boei's Data Processing Agreement?

At /data-processing-agreement/. The DPA is a public document, free on every paid plan (Starter $19/mo included). If your procurement needs a mutually countersigned copy, email [email protected] after signing your part and we send it back, usually within one business day.

Who are Boei's subprocessors?

The authoritative list is at /legal/subprocessors/ and forms Annex 1 of the DPA. Core infra is EU-based (Hetzner in Nuremberg, Weaviate in Amsterdam, AWS S3 in Ireland). AI model providers are opt-in per customer (Mistral EU, OpenAI US, Anthropic US, Google Gemini US). Operational subprocessors (Cloudflare, Mailgun, Firecrawl, Stripe) are US-based under Standard Contractual Clauses.

Can I run Boei with only EU-based AI models?

Yes. In your account settings you can pin the chatbot to Mistral AI (Paris, France) as the LLM provider. In that configuration no chatbot inference traffic reaches a US-region AI model. Vector search runs on Weaviate (Amsterdam/Frankfurt), so end-to-end you stay inside the EU/EEA for the AI pipeline.

Is Boei HIPAA compliant?

No. Boei is not currently HIPAA-certified and does not sign Business Associate Agreements at standard tiers. For non-PHI use cases (appointment booking, hours, cost, prep instructions, insurance FAQ) the chatbot works fine. If you need a signed BAA for chatbot-mediated PHI, contact us before onboarding to discuss the Scale plan and our current compliance roadmap.

Where does my data physically live?

Application, database, and backups: Hetzner Online GmbH data centers in Nuremberg, Germany (EU/EEA). Static asset images: AWS S3 EU-West (Ireland). Public-traffic edge: Cloudflare global network with EU-first routing. Backups retained up to 90 days on a separate Hetzner Storage Box in the same region.

How do you handle right-to-erasure requests?

Your admin dashboard lets you delete individual conversations or bulk-export before deletion (Article 15 + Article 17 workflow). For a full account termination, we retain data only as long as legally required (billing records) and purge Controller Personal Data within the deletion window described in the DPA.

Do you sign custom DPAs with red-line changes?

Yes, on the Scale plan ($229/mo annual). Scale includes a custom DPA signed by our legal team as part of the tier, alongside 99.5% uptime SLA, priority support, dedicated onboarding, and quarterly review calls. Standard-plan customers use the mutually countersigned version of our public DPA.

What certifications does Boei's hosting provider have?

Hetzner's data centers are ISO/IEC 27001 certified. Physical controls include 24/7 on-site staff, video surveillance, biometric and multi-factor access control, access logs, redundant power and cooling, and fire suppression. Boei itself does not currently hold an ISO 27001 badge at the company level - we rely on the underlying hosting certification plus our own encryption, access, and change-management practices.

Explore More

Ready to talk to a chatbot vendor that shows its compliance work?

Start the 7-day free trial (no credit card) or send our compliance stance to your privacy team first.