Data Processing Addendum

Effective date: 2026-05-23

Cognethics LLC

This Data Processing Addendum ("DPA") forms part of the Master Service Agreement, Order Form, or Terms of Service (the "Agreement") between Cognethics LLC ("Cognethics", "Processor") and the customer identified in the Agreement ("Customer", "Controller") for the provision of the A4 platform (the "Service"). This DPA applies to the extent Cognethics processes Personal Data on Customer's behalf in connection with the Service.

In the event of any conflict between this DPA and the Agreement, this DPA prevails with respect to the processing of Personal Data.

1. Definitions

2. Roles and Subject Matter

For the processing of Personal Data contained in Customer Data, Customer is the Controller and Cognethics is the Processor. The subject matter, duration, nature, purpose, categories of Personal Data, and categories of Data Subjects are described in Annex I.

Cognethics processes Personal Data only on documented instructions from Customer. The Agreement, this DPA, and Customer's configuration of the Service (tenants, API calls, sub-tenant settings) together constitute Customer's documented instructions. Cognethics will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.

3. Customer Obligations

Customer warrants that:

4. Cognethics Obligations

Cognethics will:

5. Sub-Processors

General authorization. Customer authorizes Cognethics to engage Sub-Processors to process Personal Data, subject to the conditions in this Section. A current list of authorized Sub-Processors is published at /trust/sub-processors/ and itemized in Annex III.

Notice of changes. Cognethics will notify Customer of any intended addition or replacement of a Sub-Processor at least 30 days in advance, via the RSS change feed at https://developers.cognethics.com/trust/sub-processors/feed.xml. Customer may subscribe at any time.

Right to object. Customer may object on reasonable data-protection grounds to a proposed Sub-Processor by written notice through the contact form in the Contact section within 15 days of notification. If the parties cannot reach a mutually acceptable resolution within 30 days of the objection, Customer may terminate the affected portion of the Service for cause without penalty.

Sub-Processor obligations. Cognethics will impose data-protection obligations on each Sub-Processor that are no less protective than those in this DPA, by written contract. Cognethics remains liable to Customer for any failure by a Sub-Processor to perform those obligations.

6. Security Measures

Cognethics has implemented and will maintain the technical and organizational measures described in Annex II and at /trust/audit/ and /trust/sub-processors/, including:

7. Personal Data Breach Notification

Cognethics will notify Customer of a confirmed Personal Data Breach affecting Customer Data without undue delay, and in any event within 48 hours of confirmation. The notification will include, to the extent known at the time:

Cognethics will cooperate with Customer and provide reasonable information and assistance to enable Customer to comply with its own breach-notification obligations under Applicable Data Protection Law.

8. International Transfers

Personal Data is processed in the AWS region(s) and availability zone(s) specified in the applicable Order Form, which Customer selects to meet its data-residency requirements. Where the processing location and the location of the Data Subjects are in the same jurisdiction, no cross-border transfer arises. For transfers of Personal Data from the European Economic Area, United Kingdom, or Switzerland to a Cognethics processing location in a third country (including the United States), the parties incorporate by reference:

Full executed copies of the SCCs and the IDTA are available on request through the contact form in the Contact section.

9. Data Subject Requests

Cognethics will, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures (insofar as this is possible) to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law. Specifically:

10. Audit Rights

Customer may audit Cognethics's compliance with this DPA once per twelve-month period (or more frequently if required by a supervisory authority or following a Personal Data Breach), subject to:

When a SOC 2 Type 2 report (or equivalent independent third-party audit report) is available, Customer may rely on that report in lieu of an on-site audit. Cognethics will make the report available under NDA on request.

11. Deletion and Return

On termination of the Agreement, and at Customer's choice expressed in writing through the contact form in the Contact section within 30 days of termination:

Backup copies will be retained for up to 90 days after deletion from production, then purged. Cognethics may retain Personal Data to the extent and for as long as required by applicable law, in which case it remains subject to the security obligations of this DPA.

12. Liability

Each party's liability under or in connection with this DPA is subject to the limitation-of-liability provisions of the Agreement. For the avoidance of doubt, the liability caps in the Agreement apply to liability under this DPA on an aggregate basis (not separately).

13. Order of Precedence

In the event of a conflict between this DPA and the Agreement, this DPA prevails. In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses prevail.

14. Contact

For data-protection matters, legal questions, DPA/BAA requests, or security inquiries under this DPA, contact us through the form below and select the matching topic.

Contact us about this DPA

Pick a topic and we'll route your message to the right team.


Annex I — Description of Processing

Parties. Controller: Customer (as identified in the Agreement). Processor: Cognethics LLC. Contact: through the form in the Contact section.

Subject matter. Provision of the A4 platform: a multi-tenant SaaS for agentic, document-intensive, and auditable workflows.

Duration. The term of the Agreement plus the retention periods described in Section 11.

Nature and purpose. Storage, indexing, retrieval, embedding, summarization, classification, extraction, and orchestration of Personal Data submitted by Controller through the Service, solely to provide the Service.

Categories of Personal Data. Categories submitted by Controller, which may include identifiers (name, email), professional or employment information, content of documents and prompts, and any other Personal Data the Controller chooses to upload. Special categories (Article 9 GDPR) and sector-regulated data are permitted only under a separate executed addendum.

Categories of Data Subjects. Categories defined by Controller, which may include employees, contractors, customers, and other individuals whose data Controller submits.

Frequency of transfer. Continuous, on a request basis, during the term of the Agreement.

Competent supervisory authority. For EEA Controllers: the supervisory authority of the EU Member State in which the Controller has its main establishment, or the supervisory authority of the EU Member State in which the EU representative is established under Article 27 GDPR, or the lead supervisory authority designated under Article 56 GDPR.

Annex II — Technical and Organizational Measures

Cognethics implements the following measures:

DomainMeasure
EncryptionTLS 1.3 in transit; AES-256 at rest via AWS KMS, with sensitive application data encrypted under a dedicated per-tenant AWS KMS customer-managed key (envelope encryption with automatic key rotation)
Tenant isolationMandatory tenant foreign key on every business model; queryset-level enforcement; MCP-handler-level enforcement; per-org sub-scoping via X-Organization-Context
Access controlIAM least-privilege; mandatory MFA for personnel with production access; role-based access in the operator console; just-in-time access elevation with audit
Audit loggingImmutable, per-tenant, SHA-256 hash-chained ledger across every API write; PostgreSQL BEFORE UPDATE OR DELETE trigger blocks mutation; public chain-verification endpoint
Network securityVPC isolation; security-group least-privilege; VPC Flow Logs; private subnets for data tier
Threat detectionAWS GuardDuty; AWS Security Hub; CloudTrail log analysis
Vulnerability managementDependency scanning; container image scanning; quarterly third-party penetration tests
Backup and DRCross-region streaming PostgreSQL standby; encrypted EBS snapshots; tested restoration procedures
PersonnelBackground checks; confidentiality obligations; security training on hire and annually
Physical securityAWS-managed data centers; SOC 1/2/3 and ISO 27001-certified facilities
Incident response24/7 on-call; documented runbooks; 48-hour breach-notification SLA to Customer
Sub-Processor managementWritten contracts with no-less-protective obligations; 30-day advance-notice RSS feed

A more detailed description of measures, including the live audit-explorer interface, is published at /trust/audit/.

Annex III — Authorized Sub-Processors

The authoritative, machine-readable list of Sub-Processors is published at /trust/sub-processors/ and at the JSON endpoint https://developers.cognethics.com/api/v1/core/sub-processors/, with an RSS change feed at https://developers.cognethics.com/trust/sub-processors/feed.xml.

As of the Effective date of this DPA:

Sub-ProcessorRoleLocationProcessing
Amazon Web Services, Inc.InfrastructureAWS — region(s) and availability zone(s) specified in the applicable Order Form (any AWS region); high-availability standby in a second availability zoneCompute, storage, database, networking, KMS, CloudTrail, GuardDuty, Security Hub
Anthropic, PBCLLM ProviderUS (direct API and via AWS Bedrock)LLM inference for AI features
Google (Gemini API)LLM ProviderUS regionsLLM inference for narrow extraction workflows
Cloudflare, Inc.CDN / EdgeGlobal edgeEdge CDN and DDoS protection; request metadata only

Changes to this list are published with at least 30 days' advance notice via the RSS change feed.