This Data Processing Agreement ("DPA") forms part of the Terms of Service between DecisionLedger AI ("Processor", "we", "us") and the customer entity ("Controller", "you") that has agreed to the Terms of Service for the DecisionHost platform (the "Service").
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Service
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates
- "Sub-processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller
- "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data, including the GDPR, CCPA/CPRA, and any other relevant data protection legislation
2. Roles and Scope
The Controller determines the purposes and means of processing Personal Data through its use of the Service. The Processor processes Personal Data solely on behalf of and under the documented instructions of the Controller, except where required by applicable law.
The nature and purpose of processing is to provide the DecisionHost platform services, including:
- Decision model execution and analytics computation
- User authentication and access management
- Data storage and retrieval for scenarios, KPIs, and decisions
- Integration data synchronization with Controller-configured systems
- Audit logging and compliance reporting
Categories of Data Subjects may include the Controller's employees, contractors, customers, and other individuals whose data is processed through the Service as determined by the Controller.
3. Controller Obligations
The Controller shall:
- Ensure it has a lawful basis for processing Personal Data and transferring it to the Processor
- Provide all necessary notices to and obtain all necessary consents from Data Subjects
- Ensure that Personal Data provided to the Processor is accurate and lawfully collected
- Comply with all Applicable Data Protection Law regarding its use of the Service
4. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required by applicable law
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement and maintain appropriate technical and organizational security measures (see Section 5)
- Not engage a Sub-processor without prior written authorization from the Controller (see Section 6)
- Assist the Controller in responding to Data Subject requests (see Section 7)
- Assist the Controller in ensuring compliance with security, breach notification, impact assessment, and consultation obligations
- Delete or return all Personal Data upon termination (see Section 10)
- Make available all information necessary to demonstrate compliance and allow for audits (see Section 9)
5. Security Measures
The Processor implements the following technical and organizational measures to protect Personal Data:
- Encryption at rest: AES-256 encryption for all stored data (RDS, S3)
- Encryption in transit: TLS 1.3 for all data transfers
- Tenant isolation: Row-Level Security (RLS) enforced at the database level across all tables
- Access control: Role-based access control with 49 granular permissions; least-privilege principle
- Authentication: AWS Cognito with support for MFA and SSO/SAML
- Audit logging: Immutable audit trails protected by S3 Object Lock
- PII scanning: Automated detection and classification of personal data in model inputs
- Infrastructure: AWS ECS Fargate (serverless containers) with no persistent local storage
- Monitoring: CloudWatch alarms with automated incident detection (< 5 minutes)
- Backup: Daily automated backups with point-in-time recovery
6. Sub-processors
The Controller authorizes the use of the following Sub-processors as of the effective date of this DPA:
- Amazon Web Services (AWS): Cloud infrastructure, compute, storage, and database services — United States (us-west-2 region)
- AWS Cognito: User authentication and identity management — United States
- Stripe: Payment processing and subscription management — United States
- PostHog: Product analytics (anonymized usage data only) — United States / European Union
The Processor will notify the Controller at least 30 days before engaging any new Sub-processor. The Controller may object to a new Sub-processor within 14 days of notification. If the Controller objects and the parties cannot reach resolution, the Controller may terminate the affected Service by providing written notice.
7. Data Subject Rights
The Processor will assist the Controller in fulfilling its obligations to respond to Data Subject requests under Applicable Data Protection Law, including requests for access, rectification, erasure, restriction of processing, data portability, and objection to processing.
If the Processor receives a request from a Data Subject directly, it will promptly notify the Controller and will not respond to the request without the Controller's instructions, unless required by applicable law.
8. Data Breach Notification
In the event of a Personal Data breach, the Processor will:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach, consistent with GDPR Article 33
- Provide sufficient information to enable the Controller to meet its own notification obligations, including: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to mitigate the breach
- Cooperate with the Controller in investigating and remediating the breach
- Document all breaches, including facts, effects, and remedial actions taken
9. Audit Rights
The Processor will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. The Controller (or its authorized third-party auditor, subject to confidentiality obligations) may conduct audits, including inspections, with reasonable advance notice (at least 30 days) and during normal business hours. Audits shall not unreasonably interfere with the Processor's operations.
The Processor may satisfy audit requests by providing relevant SOC 2 Type II reports, ISO 27001 certificates, or equivalent third-party audit documentation where available.
10. Data Return and Deletion
Upon termination of the Service agreement, the Processor will:
- Make all Controller Personal Data available for export for 30 days following termination, consistent with the Terms of Service
- After the 30-day export window, permanently delete all Personal Data from active systems within 30 additional days
- Delete Personal Data from backup systems within 90 days of termination, or upon the natural expiry of backup retention cycles
- Provide written confirmation of deletion upon the Controller's request
11. International Transfers
The Service is hosted in the United States (AWS us-west-2 region). If Personal Data originates from the European Economic Area, United Kingdom, or Switzerland, the Processor relies on Standard Contractual Clauses (SCCs) as approved by the European Commission to provide adequate safeguards for international data transfers. The Controller's acceptance of this DPA constitutes execution of the SCCs, which are incorporated by reference.
12. Duration and Termination
This DPA is effective for the duration of the Controller's use of the Service under the Terms of Service. The obligations of the Processor regarding Personal Data protection survive termination of this DPA until all Personal Data has been deleted or returned in accordance with Section 10.
13. Governing Law
This DPA is governed by the same law that governs the Terms of Service (the laws of the State of Delaware), except where Applicable Data Protection Law requires otherwise.
14. Contact
For questions about this DPA or to exercise rights under it, contact our Data Protection team at privacy@decisionledgerai.com.