
GDPR Data Processing Addendum + Standard Contractual Clauses.

This DPA is incorporated by reference into the ShieldMind Master Services Agreement when EU/EEA/UK personal data is processed. It includes the EU SCCs (Modules 2 and 3) and the UK International Data Transfer Addendum, satisfying GDPR Article 28 + Schrems II. Email bd@dtrasglobal.com to receive a countersigned PDF copy.

Last updated · June 5, 2026
Contents
1. Definitions
2. Scope and Roles
3. ShieldMind's Obligations as Processor
4. Personal Data Breach Notification
5. International Transfers and EU Standard Contractual Clauses
6. Annex I.A — Categories of Data Subjects
7. Annex I.B — Categories of Personal Data
8. Annex II — Technical and Organizational Measures
9. Sub-processors
10. Governing Law and Liability
11. Effective Date and Execution

1. Definitions

'GDPR' means Regulation (EU) 2016/679. 'UK GDPR' means the GDPR as retained in UK law by the European Union (Withdrawal) Act 2018. 'EU SCCs' means the Standard Contractual Clauses approved by Commission Decision (EU) 2021/914 of 4 June 2021.

'Controller', 'Processor', 'Sub-processor', 'Data Subject', 'Personal Data', 'Processing', and 'Supervisory Authority' have the meanings ascribed to them under the GDPR.

'Customer' is the Controller; 'ShieldMind' is the Processor. Where Customer is itself a Processor for an underlying Controller, Module 3 of the EU SCCs applies and Customer remains responsible for that flow-down.

2. Scope and Roles

Customer determines the purposes and means of Processing Personal Data on the ShieldMind platform. ShieldMind processes that Personal Data only on documented instructions from Customer, as set out in the Master Services Agreement and this DPA.

The types of Personal Data processed are described in Annex I.B (Categories of Data) and the categories of Data Subjects in Annex I.A. The duration and frequency of Processing is the term of the Master Services Agreement.

3. ShieldMind's Obligations as Processor

Process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by EU or Member State law.

Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Take all measures required pursuant to GDPR Article 32 (security of processing), including: AES-256-GCM encryption at rest with customer-controllable KMS; TLS 1.3 in transit; pseudonymization where appropriate; tested incident response; HMAC-chained audit logging with tamper detection; multi-tenant isolation enforced at application + row-security-policy layers.

Engage Sub-processors only under the terms of Clause 9 below.

Taking into account the nature of the Processing, assist Customer by appropriate technical and organizational measures to fulfill Customer's obligation to respond to requests for exercising Data Subject rights (GDPR Articles 12–22). Self-service tools are exposed at /dashboard/governance for Customer Admins.

Assist Customer in ensuring compliance with GDPR Articles 32–36 (security, breach notification, DPIA, prior consultation).

At Customer's choice, delete or return all the Personal Data to Customer after the end of the provision of services relating to Processing, and delete existing copies unless EU or Member State law requires storage of the Personal Data.

Make available to Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, no more than once per year except for cause, and subject to reasonable confidentiality and security requirements.

4. Personal Data Breach Notification

ShieldMind will notify Customer without undue delay and in any event within 48 hours of becoming aware of a Personal Data Breach.

The notification will describe, to the extent then known: (a) the nature of the breach, including categories and approximate number of Data Subjects and Personal Data records concerned; (b) the likely consequences; (c) measures taken or proposed to address the breach and mitigate adverse effects; (d) contact details for further information.

ShieldMind will cooperate with Customer's investigation and provide information sufficient for Customer to comply with its own GDPR Article 33 (72-hour notification) and Article 34 (Data Subject notification) obligations.

5. International Transfers and EU Standard Contractual Clauses

ShieldMind is incorporated in India. Personal Data of EU/EEA/UK Data Subjects is transferred outside the EEA to ShieldMind's processing infrastructure. The parties rely on the EU SCCs (Commission Decision 2021/914) as the transfer mechanism, supplemented by the technical and organizational measures described in Annex II.

Module Selection. Where Customer is a Controller, Module 2 (Controller-to-Processor) applies. Where Customer is itself a Processor, Module 3 (Processor-to-Processor) applies. Both Modules are incorporated by reference into this DPA.

UK Transfers. The UK International Data Transfer Addendum (IDTA) issued under section 119A of the UK Data Protection Act 2018 is incorporated by reference, attaching to and modifying the EU SCCs for transfers subject to the UK GDPR.

Swiss Transfers. For transfers of Personal Data subject to the Swiss Federal Act on Data Protection (FADP), the EU SCCs apply with the following modifications: references to 'GDPR' include the FADP; the competent Supervisory Authority is the Swiss Federal Data Protection and Information Commissioner; the term 'Member State' will not be interpreted to exclude Data Subjects in Switzerland.

Government Access Requests. ShieldMind will notify Customer of any legally binding request for disclosure of Personal Data by a law enforcement or governmental authority unless prohibited by law. If prohibited from notification, ShieldMind will use reasonable efforts to challenge or limit the request, document the challenge, and publish a transparency report annually.

6. Annex I.A — Categories of Data Subjects

Customer's employees, contractors, and other authorized personnel whose devices have the ShieldMind agent installed or whose accounts are managed via the ShieldMind dashboard.

Customer's administrators and Security Operations Center personnel who access the ShieldMind dashboard.

Authorized end-users to whom Customer provides services and whose activity is governed by Customer's security policies as enforced by ShieldMind.

7. Annex I.B — Categories of Personal Data

Identifiers: name, work email, organization, role, device identifier, IP address, user-agent, browser fingerprint hash.

Endpoint telemetry: process names, file paths, network connections (destination, port, protocol), command-line arguments (with secret-redaction applied), browser URLs visited.

AI usage telemetry: prompts sent to external AI services (with policy-controlled redaction), responses received (metadata only by default), model used, token counts.

Authentication metadata: SAML assertions, OIDC ID tokens (sub claim only persisted), session timestamps, MFA factor used.

Customer-uploaded artifacts: governance policy documents, knowledge-base files for RAG.

Excluded from default collection: clipboard content (only when an explicit policy enables it), keystroke logging (never), screen content (never), microphone (never), camera (never), location data (never beyond IP-derived country).

8. Annex II — Technical and Organizational Measures

Encryption. AES-256-GCM at rest with per-row data encryption keys wrapped by a Key Encryption Key in AWS KMS or Azure Key Vault (Customer-Controllable where Customer opts in). TLS 1.3 in transit with modern cipher suites only.

Access Control. Role-based access control with principle of least privilege. Production database access restricted to a named on-call rotation, audit-logged, requires hardware MFA. Customer dashboard access requires SSO + (where Customer enables it) hardware MFA.

Tenant Isolation. Multi-tenant isolation is enforced at three layers: application-level organization scoping, database row-level security policies, and per-tenant encryption envelopes. It is validated by a continuous tenant-isolation test suite (a-cannot-DELETE-b, a-cannot-READ-b, a-cannot-WRITE-b for every model).

Audit Logging. HMAC-chained audit log with tamper detection, retained for the GDPR Article 30 record-keeping period plus contractual term. Customer can export their own audit log at any time via /api/shieldmind/_audit/.
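To illustrate the tamper-detection property an HMAC-chained audit log provides, here is an added example (not ShieldMind's own code): each entry's MAC covers the previous entry's MAC, so editing, deleting or reordering any entry is detected on verification. The key and the sample entries are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed demo key; a production deployment would hold this in a KMS-backed secret.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
GENESIS_MAC = "0" * 64  # chain anchor for the first entry

def _entry_mac(key: bytes, prev_mac: str, entry: dict) -> str:
    # Bind each entry to its predecessor's MAC so that deleting or reordering
    # entries breaks the chain, not only editing a single entry's fields.
    payload = prev_mac.encode() + b"\n" + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def append_entry(log: list, key: bytes, entry: dict) -> list:
    prev_mac = log[-1]["mac"] if log else GENESIS_MAC
    record = dict(entry)
    record["mac"] = _entry_mac(key, prev_mac, entry)
    log.append(record)
    return log

def verify_chain(log: list, key: bytes) -> int:
    """Return -1 if the chain is intact, otherwise the index of the first bad entry."""
    prev_mac = GENESIS_MAC
    for i, record in enumerate(log):
        body = {k: v for k, v in record.items() if k != "mac"}
        expected = _entry_mac(key, prev_mac, body)
        if not hmac.compare_digest(expected, record.get("mac", "")):
            return i
        prev_mac = record["mac"]
    return -1

def build_sample_log() -> list:
    # Constructed sample entries in the shape a tenant-scoped audit log might carry.
    entries = [
        {"ts": "2026-06-05T10:00:00Z", "org": "tenant-a", "actor": "admin@example.com", "action": "policy.update"},
        {"ts": "2026-06-05T10:05:00Z", "org": "tenant-a", "actor": "soc@example.com", "action": "alert.ack"},
        {"ts": "2026-06-05T10:09:00Z", "org": "tenant-a", "actor": "admin@example.com", "action": "user.invite"},
    ]
    log = []
    for entry in entries:
        append_entry(log, AUDIT_KEY, entry)
    return log

if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log, AUDIT_KEY) == -1)
    log[1]["action"] = "policy.delete"          # simulate an edited entry
    print("first bad index:", verify_chain(log, AUDIT_KEY))
```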

Backup & Recovery. Continuous Supabase point-in-time recovery with 30-day window. Quarterly disaster-recovery drill (script at deploy/drill_restore.sh) with RTO < 4 hours, RPO < 5 minutes.

Vulnerability Management. Dependency scanning via Bandit + Safety + Dependabot. Annual third-party penetration test. Bug-bounty program at /legal/vulnerability-disclosure.

Personnel. Background checks on all employees with production access. GDPR + DPDPA + HIPAA awareness training annually. Confidentiality clauses in all employment agreements. Termination workflow revokes all access within 4 business hours.

Physical Security. ShieldMind has no physical infrastructure of its own; all production runs on Railway (which runs on AWS us-east-1 + eu-west-1) and Supabase (Premier Tier with multi-AZ replicas). Both providers are SOC 2 Type II certified.

Sub-processors. Listed at /legal/sub-processors; Customer may subscribe to /legal/subprocessor-notifications for 30-day prior notice of additions or replacements.

9. Sub-processors

Customer hereby provides general written authorization for ShieldMind to engage Sub-processors. The current list is published at /legal/sub-processors.

ShieldMind will provide Customer at least 30 days' prior notice of intended changes by email (if Customer is subscribed) and dashboard banner. Customer may object on reasonable grounds within 14 days; if objection cannot be resolved, Customer may terminate the affected service.

ShieldMind imposes data-protection obligations on its Sub-processors that are no less protective than those in this DPA.

10. Governing Law and Liability

This DPA is governed by the laws specified in the underlying Master Services Agreement. To the extent a conflict arises between this DPA and the MSA, this DPA prevails for Processing of Personal Data subject to the GDPR or UK GDPR.

Each party's aggregate liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations of liability set out in the underlying MSA. Nothing in this DPA limits either party's liability for fines imposed by a Supervisory Authority arising from that party's own breach of GDPR.

11. Effective Date and Execution

This DPA is effective on the later of: (a) the date Customer accepts the underlying Master Services Agreement, or (b) the date Customer begins Processing Personal Data on ShieldMind. To execute a countersigned PDF copy with Annex I and III populated for your engagement, email bd@dtrasglobal.com.

Questions about this document? Email bd@dtrasglobal.com — we reply within 2 business days.

© 2026 DTRAS-G Solutions Private Limited. All rights reserved. ShieldMind® is a brand operated by DTRAS-G Solutions Private Limited.