Data Processing Agreement

Last Updated: March 2026 · ADJUDON, Germany

1. Scope and Purpose of Processing

Purpose of processing: Runtime compliance monitoring, human-in-the-loop review, audit trail generation for AI agent actions
Nature of processing: Collection, storage, analysis, deletion
Categories of data subjects: Customer's end users, employees, and any individuals whose data is processed by Customer's AI agents
Categories of personal data: Names, email addresses, IP addresses, usage data, and any personal data contained in AI agent inputs/outputs
Processing location: Frankfurt, Germany (EU)
Retention period: Customer-configured 7–365 days, default 90 days

2. Obligations of the Processor

Process personal data only on documented instructions from the Controller
Ensure confidentiality of all personnel with access to personal data
Implement appropriate technical and organisational measures (TOMs)
Notify Controller of personal data breach within 48 hours
Assist Controller in fulfilling obligations under Articles 32–36 GDPR
Delete or return all personal data at the end of services
Make available all information necessary to demonstrate compliance and allow audits

3. Obligations of the Controller

The Controller must ensure it has a legal basis for processing, inform data subjects of the processing, provide only lawful instructions to the Processor, and obtain necessary consents where required.

4. Sub-Processing

A list of current sub-processors is available at adjudon.com/legal/subprocessors.

ADJUDON will provide 30 days' notice of any changes. Customers may object within 14 days. All sub-processors are subject to equivalent data protection obligations.

5. International Transfers

Processing occurs within the EU/EEA. If any sub-processor is located outside the EEA, ADJUDON will ensure appropriate safeguards through Standard Contractual Clauses (SCCs).

Annex I — Technical and Organisational Measures

Encryption at Rest: AES-256, key rotation
Encryption in Transit: TLS 1.3
Audit Log Integrity: SHA-256 chain
Access Control: MFA, VPN, quarterly review
PII Detection and Masking: Automated detection and redaction
Data Isolation: Per-org keys, tenant isolation
Vulnerability Management: Disclosure programme, severity SLAs
Incident Response: 48h notification

6. Contact

For questions about this DPA or to request Standard Contractual Clauses (SCCs), contact [email protected]