Controller means the Customer entity that determines the purposes and means of processing Personal Data. Processor means CISORA LLC, which processes Personal Data on behalf of the Controller under this Addendum. Personal Data means any information relating to an identified or identifiable natural person that is submitted to the Cisora platform. Processing means any operation performed on Personal Data, including collection, storage, analysis, and deletion.
Sub-processor means any third party engaged by Cisora to assist in processing Personal Data on behalf of the Controller. Data Subject means the natural person to whom Personal Data relates. Applicable Data Protection Law includes the GDPR, UK GDPR, CCPA, and any other privacy law applicable to the Controller's jurisdiction.
Cisora processes Personal Data solely to provide the services described in the Master Services Agreement (MSA) or applicable order form, including AI agent telemetry collection, security monitoring, compliance reporting, and related support services.
Processing is carried out on the Controller's documented instructions. Cisora shall not process Personal Data for any other purpose, including its own commercial purposes, model training, or advertising. If Cisora is required by applicable law to process Personal Data beyond these instructions, it will notify the Controller before such processing unless prohibited by law.
The duration of processing corresponds to the term of the MSA or order form, plus any retention period required by applicable law or agreed upon by the parties.
The categories of Data Subjects whose Personal Data Cisora may process include: employees and contractors of the Controller who use the Cisora platform; end-users of the Controller's AI agent applications to the extent their data is transmitted as part of agent telemetry.
The categories of Personal Data that may be processed include: names, email addresses, and organizational affiliation of registered users; IP addresses and user-agent strings in server logs; AI agent invocation metadata (tool calls, model identifiers, timestamps, latency); any additional data the Controller's agents explicitly route through Cisora instrumentation.
Cisora shall process Personal Data only on the documented instructions of the Controller. Cisora shall ensure that persons authorized to process Personal Data are bound by confidentiality obligations. Cisora shall implement the technical and organizational security measures described in Section 9 of this Addendum.
Cisora shall assist the Controller in fulfilling its obligations regarding Data Subject rights requests, data protection impact assessments, and prior consultation with supervisory authorities. Cisora shall delete or return all Personal Data upon termination of the services as directed by the Controller, subject to applicable legal retention requirements.
Cisora shall make available to the Controller all information reasonably necessary to demonstrate compliance with this Addendum, and shall allow for and contribute to audits and inspections conducted by the Controller or an authorized third party with reasonable advance notice.
The Controller is responsible for ensuring that it has a lawful basis to provide Personal Data to Cisora for the purposes described herein. The Controller shall ensure that required privacy notices have been provided to Data Subjects before transmitting their Personal Data to Cisora.
The Controller shall promptly inform Cisora of any instructions that, in the Controller's opinion, would violate Applicable Data Protection Law. The Controller is responsible for configuring the Cisora SDK and API integrations in a manner consistent with its own data minimization obligations.
Cisora's primary infrastructure is located in AWS ap-south-1 (Mumbai, India). Where Personal Data originating from the European Economic Area (EEA) or the United Kingdom is transferred outside those regions, such transfers are covered by the European Commission Standard Contractual Clauses (SCCs) as set out in Commission Decision 2021/914/EU.
Customers who require SCCs for EEA-to-third-country transfers may request a signed copy by contacting legal@cisora.io. Cisora will promptly notify the Controller if it determines that it can no longer comply with an applicable transfer mechanism.
The Controller authorizes Cisora to engage the sub-processors listed at cisora.io/trust/sub-processors. Cisora will notify the Controller at least 30 days in advance of adding or replacing a sub-processor, allowing the Controller to object on reasonable grounds.
Cisora imposes data protection obligations on each sub-processor that are no less protective than the obligations in this Addendum. Cisora remains liable for the acts and omissions of its sub-processors with respect to data protection.
Cisora will assist the Controller in responding to Data Subject rights requests within the timescales required by Applicable Data Protection Law. Upon receipt of a Data Subject request that Cisora believes is directed at the Controller, Cisora will forward it to the Controller without undue delay.
Cisora provides API endpoints enabling Controllers to retrieve, correct, restrict, or delete Personal Data associated with their account. Controllers may also submit data subject requests by emailing legal@cisora.io.
Cisora implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. Measures include: AES-256 encryption at rest (AWS RDS), TLS 1.2+ in transit, bcrypt hashing of API credentials, private VPC subnet isolation for the database, and role-based access control on all production systems.
In the event of a Personal Data breach that is likely to result in a risk to the rights and freedoms of Data Subjects, Cisora will notify the Controller within 72 hours of becoming aware of the breach. The notification will include: the nature of the breach, categories and approximate number of Data Subjects and records concerned, likely consequences, and measures taken or proposed to address the breach.
Cisora conducts periodic internal security reviews and is currently undergoing a SOC 2 Type I audit. Enterprise customers may request the audit report under NDA.
This Addendum is effective as of the date the Controller accepts the MSA or order form incorporating it, and remains in force for the duration of Cisora's processing of Personal Data on behalf of the Controller.
Upon termination, Cisora will, at the Controller's election, delete or return all Personal Data within 30 days, and certify deletion in writing. Certain data may be retained where required by applicable law, in which case Cisora will notify the Controller of the applicable legal basis.
This Addendum is governed by the laws of the State of Delaware, United States, except where Applicable Data Protection Law requires otherwise. For Controllers subject to the GDPR, the supervisory authority of the member state in which the Controller is established shall have jurisdiction over disputes arising under this Addendum.
Ready to sign? We execute customer-specific DPAs within 3 business days.