The controller-to-processor terms that apply when ShadowIQ processes personal data on behalf of a business customer. Aligned to GDPR Art. 28, the EU/UK SCCs, and the UK International Data Transfer Agreement.
Definitions
Capitalized terms used but not defined here have the meanings given in the Terms of Service or applicable data protection law.
- Customer Personal Data means personal data contained in Customer Data.
- Data Protection Laws means GDPR, UK GDPR, the California Consumer Privacy Act, and other applicable data protection legislation.
- SCCs means the Standard Contractual Clauses approved by the European Commission in Decision (EU) 2021/914.
- UK Addendum means the International Data Transfer Addendum issued by the UK ICO.
Roles of the parties
Where we process Customer Personal Data on your behalf, you are the controller (or processor acting on behalf of your controller) and we are the processor (or sub-processor). We will process Customer Personal Data only on documented instructions as reflected in your order form, the Terms, this DPA, and reasonable written instructions you later provide.
Subject-matter, duration, and categories
Subject-matter. Provision of the ShadowIQ Services.
Duration. For the term of your subscription, plus any retention period described in the Privacy Policy or order form.
Nature and purpose. AI governance, including discovery of AI systems, runtime enforcement of policies, evaluation of models, and cryptographic audit evidence.
Data subjects. Customer employees, contractors and, where applicable, Customer's own end users.
Categories of personal data. Identifiers, professional and employment information, audit metadata, and any personal data Customer chooses to route through the Services.
Security measures
We implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access. These measures include at minimum:
- Encryption of personal data at rest (AES-256) and in transit (TLS 1.3+);
- Role-based access control, least privilege, and MFA;
- Logging, monitoring, and a documented incident response process;
- Annual independent audits (SOC 2 Type II; ISO 27001 certification in progress);
- Signed container build provenance (SLSA Level 3);
- Regular third-party penetration testing and vulnerability management.
Subprocessors
You grant us general authorization to engage subprocessors to process Customer Personal Data. We will maintain a current list and notify you of intended changes, giving you a reasonable opportunity to object on reasonable grounds relating to data protection.
Current subprocessors include: Amazon Web Services (cloud hosting), Cloudflare (CDN, DDoS, email forwarding), Sigstore (public transparency log for evidence). The definitive list is available on request.
International transfers
Where a transfer of Customer Personal Data outside the EEA, UK, or Switzerland takes place, the parties rely on the SCCs (Module 2 or 3 as applicable) and, for UK transfers, the UK Addendum. The SCCs are hereby incorporated by reference. Any conflict between this DPA and the SCCs is resolved in favor of the SCCs.
Personal data breach
We will notify you without undue delay and in any event within 72 hours after becoming aware of a personal data breach affecting Customer Personal Data. Our notice will describe the nature of the breach, the categories and approximate number of data subjects concerned, likely consequences, and measures taken or proposed to mitigate possible adverse effects.
Assistance to controller
Taking into account the nature of processing, we will provide reasonable assistance to help you meet obligations regarding data subject requests, DPIAs, and prior consultations with supervisory authorities. Where a request is excessive or clearly unfounded, we may charge a reasonable fee.
Audits
On request (no more than once per year, or after a breach), we will make available information necessary to demonstrate compliance with this DPA and allow for reasonable audits, including through our most recent SOC 2 Type II and ISO 27001 reports. Direct on-site audits are permitted subject to reasonable advance notice and confidentiality obligations.
Return or deletion of data
At the end of the Services, we will, at your election, return or delete all Customer Personal Data within 90 days. We may retain Customer Personal Data as required by law or for backup retention periods, during which we will continue to protect it under this DPA.
Contact
To invoke this DPA, to object to a new subprocessor, or to request a signed copy, email [email protected].