In force 2026-06-02 · v1.0 · GDPR art 28
Data Processing Agreement
This DPA forms part of the agreement between Acceleration Sales (“Processor”) and the customer (“Controller”) for the ROSS platform, and governs the processing of personal data on the Controller’s behalf under GDPR (Regulation (EU) 2016/679), art 28. Where it conflicts with other terms on the subject of data protection, this DPA prevails. A countersigned copy for procurement is available on request from dpo@accelerationsales.com.
1 · Roles
For Customer Data uploaded into the ROSS workspace, the Controller determines the purposes and means of processing; the Processor processes it only on the Controller’s documented instructions (including those given through use of the service), unless required otherwise by EU or Member State law, in which case it informs the Controller first unless that law prohibits it.
2 · Processor obligations
- Process personal data only per the Controller’s instructions and this DPA.
- Ensure persons authorised to process the data are bound by confidentiality.
- Implement appropriate technical and organisational measures (art 32) — see §4.
- Assist the Controller with data-subject requests and with arts 32–36 (security, breach, DPIA) duties.
- Make available the information needed to demonstrate compliance and allow reasonable audits (§7).
3 · Sub-processors
The Controller gives general authorisation for the Processor to engage sub-processors to deliver the service. The current list is published in the Privacy Policy. The Processor imposes data-protection terms on each sub-processor no less protective than this DPA and remains liable for their performance. The Processor gives notice of intended additions or replacements before they take effect, allowing a reasonable window to object on reasonable data-protection grounds.
4 · Security measures
- Per-tenant isolation via Postgres Row-Level Security; no shared data across tenants.
- Encryption in transit (TLS) and at rest.
- Least-privilege access controls and authentication for staff and systems.
- Immutable SHA-256-chained audit log of agent actions for traceability.
- Backups, monitoring, and a documented incident-response process.
Current security posture and roadmap (ISO 27001, SOC 2) are described on the Trust page.
5 · International transfers
Primary processing and storage take place in the EU (Supabase, Frankfurt). Where a sub-processor is located outside the EEA, transfers are made under the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) together with any supplementary measures required, ensuring an essentially equivalent level of protection.
6 · Data-subject requests & breach notice
The Processor promptly forwards any data-subject request it receives relating to the Controller’s data and assists the Controller in responding. The Processor notifies the Controller without undue delay after becoming aware of a personal-data breach affecting Customer Data, with the information reasonably available to support the Controller’s own notification obligations (arts 33–34).
7 · Audits
The Processor makes available information necessary to demonstrate compliance with art 28 and contributes to audits, including inspections, conducted by the Controller or an auditor it mandates, on reasonable notice and subject to confidentiality, no more than once per year except where required by a supervisory authority or following an incident.
8 · Return & deletion
On termination, at the Controller’s choice, the Processor returns or deletes Customer Data within 30 days and deletes existing copies, unless EU or Member State law requires storage. Immutable audit logs may be retained for up to 7 years for compliance and forensic integrity, then deleted.
9 · AI processing note
AI inference used to deliver the service is performed by the sub-processors listed in the Privacy Policy. Customer Data is not used to train third-party foundation models. AI interactions are disclosed (EU AI Act art 50) and synthetic audio is watermarked (art 52). This complements, and does not replace, the Controller’s own AI Act obligations as a deployer.
Annex A · Details of processing
| Subject matter | Provision of the ROSS SaaS revenue platform. |
| Duration | For the term of the subscription, plus the deletion window. |
| Nature & purpose | Hosting, processing and AI-assisted handling of Customer Data to deliver the service. |
| Categories of data subjects | Customer staff/users; the customer’s prospects and contacts. |
| Types of personal data | Identifiers, business contact details, CRM records, communications, call transcripts, usage metadata. |
| Special categories | Not intended; customer must not upload special-category data without a lawful basis. |