Data Processing Addendum
Effective date: 2026-05-23
Cognethics LLC
This Data Processing Addendum ("DPA") forms part of the Master Service Agreement, Order Form, or Terms of Service (the "Agreement") between Cognethics LLC ("Cognethics", "Processor") and the customer identified in the Agreement ("Customer", "Controller") for the provision of the A4 platform (the "Service"). This DPA applies to the extent Cognethics processes Personal Data on Customer's behalf in connection with the Service.
In the event of any conflict between this DPA and the Agreement, this DPA prevails with respect to the processing of Personal Data.
1. Definitions
- Applicable Data Protection Law — the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK General Data Protection Regulation, the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA"), and any other data-protection law applicable to the processing of Personal Data under the Agreement.
- Controller, Processor, Data Subject, Personal Data, Processing, Sub-Processor, Personal Data Breach — have the meanings given in the GDPR.
- Customer Data — data, documents, prompts, configurations, and other content Customer or its authorized users submit to the Service, including any Personal Data contained therein.
- Standard Contractual Clauses or SCCs — the standard contractual clauses for the transfer of Personal Data to third countries adopted by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
2. Roles and Subject Matter
For the processing of Personal Data contained in Customer Data, Customer is the Controller and Cognethics is the Processor. The subject matter, duration, nature, purpose, categories of Personal Data, and categories of Data Subjects are described in Annex I.
Cognethics processes Personal Data only on documented instructions from Customer. The Agreement, this DPA, and Customer's configuration of the Service (tenants, API calls, sub-tenant settings) together constitute Customer's documented instructions. Cognethics will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.
3. Customer Obligations
Customer warrants that:
- It has all rights, consents, and legal bases necessary for Cognethics to process Personal Data as contemplated by the Agreement
- Its instructions to Cognethics comply with Applicable Data Protection Law
- It will not submit to the Service any special categories of Personal Data (Article 9 GDPR) or data subject to sector-specific regulation (PHI under HIPAA, payment-card data under PCI DSS, government-classified data) without a separate executed addendum (for HIPAA: a Business Associate Agreement available through the contact form in the Contact section)
- It is responsible for the lawfulness of the Personal Data it provides and the processing instructions it gives
4. Cognethics Obligations
Cognethics will:
- Process Personal Data only on Customer's documented instructions, including with regard to international transfers (subject to Section 8)
- Ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations
- Implement the technical and organizational measures set out in Annex II
- Assist Customer with data-subject requests, data-protection impact assessments, and consultations with supervisory authorities, taking into account the nature of the processing
- Notify Customer of Personal Data Breaches as set out in Section 7
- At Customer's choice, delete or return all Personal Data after the end of the provision of the Service, as set out in Section 9
5. Sub-Processors
General authorization. Customer authorizes Cognethics to engage Sub-Processors to process Personal Data, subject to the conditions in this Section. A current list of authorized Sub-Processors is published at /trust/sub-processors/ and itemized in Annex III.
Notice of changes. Cognethics will notify Customer of any intended addition or replacement of a Sub-Processor at least 30 days in advance, via the RSS change feed at https://developers.cognethics.com/trust/sub-processors/feed.xml. Customer may subscribe at any time.
Right to object. Customer may object on reasonable data-protection grounds to a proposed Sub-Processor by written notice through the contact form in the Contact section within 15 days of notification. If the parties cannot reach a mutually acceptable resolution within 30 days of the objection, Customer may terminate the affected portion of the Service for cause without penalty.
Sub-Processor obligations. Cognethics will impose data-protection obligations on each Sub-Processor that are no less protective than those in this DPA, by written contract. Cognethics remains liable to Customer for any failure by a Sub-Processor to perform those obligations.
6. Security Measures
Cognethics has implemented and will maintain the technical and organizational measures described in Annex II and at /trust/audit/ and /trust/sub-processors/, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256 via AWS KMS; sensitive data encrypted with a dedicated per-tenant AWS KMS customer-managed key using envelope encryption)
- Per-tenant data isolation at the database, queryset, and MCP-handler layers
- Immutable, SHA-256 hash-chained audit logging across every API write, with public chain-verification endpoint
- Network isolation (VPC, security groups, VPC Flow Logs)
- Identity and access management (IAM least-privilege, mandatory MFA for Cognethics personnel with production access)
- Threat detection (GuardDuty, Security Hub) and vulnerability management
- Backup, disaster-recovery, and cross-region replication procedures
- Background checks and security training for personnel
7. Personal Data Breach Notification
Cognethics will notify Customer of a confirmed Personal Data Breach affecting Customer Data without undue delay, and in any event within 48 hours of confirmation. The notification will include, to the extent known at the time:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned
- The name and contact details of the person where more information can be obtained
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its possible adverse effects
Cognethics will cooperate with Customer and provide reasonable information and assistance to enable Customer to comply with its own breach-notification obligations under Applicable Data Protection Law.
8. International Transfers
Personal Data is processed in the AWS region(s) and availability zone(s) specified in the applicable Order Form, which Customer selects to meet its data-residency requirements. Where the processing location and the location of the Data Subjects are in the same jurisdiction, no cross-border transfer arises. For transfers of Personal Data from the European Economic Area, United Kingdom, or Switzerland to a Cognethics processing location in a third country (including the United States), the parties incorporate by reference:
- EEA transfers: the EU Standard Contractual Clauses, Module Two (Controller-to-Processor) as published by the European Commission (Implementing Decision (EU) 2021/914), with Annex I (List of Parties, Description of Transfer, Competent Supervisory Authority), Annex II (Technical and Organizational Measures), and Annex III (Sub-Processors) of this DPA serving as the SCC annexes. Where Customer engages Cognethics in a role that triggers controller-to-controller transfers, Module One applies. Where Cognethics engages a Sub-Processor in a third country, Module Three (Processor-to-Processor) applies between Cognethics and that Sub-Processor; where the Sub-Processor returns Personal Data to Customer, Module Four (Processor-to-Controller) applies between Cognethics and Customer.
- UK transfers: the UK International Data Transfer Addendum (IDTA) to the EU SCCs, version B.1.0 issued by the Information Commissioner.
- Swiss transfers: the EU SCCs as adapted by the Swiss Federal Data Protection and Information Commissioner.
Full executed copies of the SCCs and the IDTA are available on request through the contact form in the Contact section.
9. Data Subject Requests
Cognethics will, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures (insofar as this is possible) to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law. Specifically:
- Data access, rectification, deletion, restriction, and portability requests can be fulfilled through the Customer's own operator console, the data-portability APIs documented at /data-portability/, and the audit-log explorer at /trust/audit/
- For requests Customer cannot complete itself, Cognethics will assist on written request through the contact form in the Contact section and will acknowledge within 48 hours (business days) and complete within 30 days
10. Audit Rights
Customer may audit Cognethics's compliance with this DPA once per twelve-month period (or more frequently if required by a supervisory authority or following a Personal Data Breach), subject to:
- 30 days' prior written notice
- Reasonable scope, frequency, and duration agreed in advance by the parties
- Confidentiality obligations equivalent to those in the Agreement
- Conduct during business hours, in a manner that does not unreasonably interfere with Cognethics's operations or compromise the security of other customers' data
When a SOC 2 Type 2 report (or equivalent independent third-party audit report) is available, Customer may rely on that report in lieu of an on-site audit. Cognethics will make the report available under NDA on request.
11. Deletion and Return
On termination of the Agreement, and at Customer's choice expressed in writing through the contact form in the Contact section within 30 days of termination:
- Cognethics will export Customer Data in a machine-readable format and provide it to Customer through the data-portability APIs, or
- Cognethics will delete Customer Data from production systems within 30 days of termination
Backup copies will be retained for up to 90 days after deletion from production, then purged. Cognethics may retain Personal Data to the extent and for as long as required by applicable law, in which case it remains subject to the security obligations of this DPA.
12. Liability
Each party's liability under or in connection with this DPA is subject to the limitation-of-liability provisions of the Agreement. For the avoidance of doubt, the liability caps in the Agreement apply to liability under this DPA on an aggregate basis (not separately).
13. Order of Precedence
In the event of a conflict between this DPA and the Agreement, this DPA prevails. In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses prevail.
14. Contact
For data-protection matters, legal questions, DPA/BAA requests, or security inquiries under this DPA, contact us through the form below and select the matching topic.
Contact us about this DPA
Pick a topic and we'll route your message to the right team.
Annex I — Description of Processing
Parties. Controller: Customer (as identified in the Agreement). Processor: Cognethics LLC. Contact: through the form in the Contact section.
Subject matter. Provision of the A4 platform: a multi-tenant SaaS for agentic, document-intensive, and auditable workflows.
Duration. The term of the Agreement plus the retention periods described in Section 11.
Nature and purpose. Storage, indexing, retrieval, embedding, summarization, classification, extraction, and orchestration of Personal Data submitted by Controller through the Service, solely to provide the Service.
Categories of Personal Data. Categories submitted by Controller, which may include identifiers (name, email), professional or employment information, content of documents and prompts, and any other Personal Data the Controller chooses to upload. Special categories (Article 9 GDPR) and sector-regulated data are permitted only under a separate executed addendum.
Categories of Data Subjects. Categories defined by Controller, which may include employees, contractors, customers, and other individuals whose data Controller submits.
Frequency of transfer. Continuous, on a request basis, during the term of the Agreement.
Competent supervisory authority. For EEA Controllers: the supervisory authority of the EU Member State in which the Controller has its main establishment, or the supervisory authority of the EU Member State in which the EU representative is established under Article 27 GDPR, or the lead supervisory authority designated under Article 56 GDPR.
Annex II — Technical and Organizational Measures
Cognethics implements the following measures:
| Domain | Measure |
|---|---|
| Encryption | TLS 1.3 in transit; AES-256 at rest via AWS KMS, with sensitive application data encrypted under a dedicated per-tenant AWS KMS customer-managed key (envelope encryption with automatic key rotation) |
| Tenant isolation | Mandatory tenant foreign key on every business model; queryset-level enforcement; MCP-handler-level enforcement; per-org sub-scoping via X-Organization-Context |
| Access control | IAM least-privilege; mandatory MFA for personnel with production access; role-based access in the operator console; just-in-time access elevation with audit |
| Audit logging | Immutable, per-tenant, SHA-256 hash-chained ledger across every API write; PostgreSQL BEFORE UPDATE OR DELETE trigger blocks mutation; public chain-verification endpoint |
| Network security | VPC isolation; security-group least-privilege; VPC Flow Logs; private subnets for data tier |
| Threat detection | AWS GuardDuty; AWS Security Hub; CloudTrail log analysis |
| Vulnerability management | Dependency scanning; container image scanning; quarterly third-party penetration tests |
| Backup and DR | Cross-region streaming PostgreSQL standby; encrypted EBS snapshots; tested restoration procedures |
| Personnel | Background checks; confidentiality obligations; security training on hire and annually |
| Physical security | AWS-managed data centers; SOC 1/2/3 and ISO 27001-certified facilities |
| Incident response | 24/7 on-call; documented runbooks; 48-hour breach-notification SLA to Customer |
| Sub-Processor management | Written contracts with no-less-protective obligations; 30-day advance-notice RSS feed |
A more detailed description of measures, including the live audit-explorer interface, is published at /trust/audit/.
Annex III — Authorized Sub-Processors
The authoritative, machine-readable list of Sub-Processors is published at /trust/sub-processors/ and at the JSON endpoint https://developers.cognethics.com/api/v1/core/sub-processors/, with an RSS change feed at https://developers.cognethics.com/trust/sub-processors/feed.xml.
As of the Effective date of this DPA:
| Sub-Processor | Role | Location | Processing |
|---|---|---|---|
| Amazon Web Services, Inc. | Infrastructure | AWS — region(s) and availability zone(s) specified in the applicable Order Form (any AWS region); high-availability standby in a second availability zone | Compute, storage, database, networking, KMS, CloudTrail, GuardDuty, Security Hub |
| Anthropic, PBC | LLM Provider | US (direct API and via AWS Bedrock) | LLM inference for AI features |
| Google (Gemini API) | LLM Provider | US regions | LLM inference for narrow extraction workflows |
| Cloudflare, Inc. | CDN / Edge | Global edge | Edge CDN and DDoS protection; request metadata only |
Changes to this list are published with at least 30 days' advance notice via the RSS change feed.