Data Processing Addendum
Last updated: June 2026
This is a plain-language template provided for transparency. It is not legal advice and is pending counsel review before general availability. Questions: legal@artificia.ai.
1. Roles
For Customer Data submitted to Aegis (source code, IaC, dependency manifests, cloud configuration, and resulting findings), Customer is the controller and Artificia AI is the processor. This DPA forms part of the Terms of Service.
2. Scope and purpose of processing
We process Customer Data solely to perform security analysis, attack-path reasoning, and remediation proposals you request, and to operate, secure, and support the service. We process only on your documented instructions.
3. Confidentiality
Personnel authorized to process Customer Data are bound by confidentiality obligations. Access is least-privilege, just-in-time, and recorded in a customer-visible audit log; standing access to Customer Data is not granted.
4. Security measures
- Encryption in transit and at rest with per-tenant KMS customer-managed keys.
- Tenant isolation enforced at application, data, and key layers.
- Customer code analyzed in isolated, rootless, egress-free compute.
- Evidence stored in WORM (Object Lock) storage with integrity hashing.
- Zero-retention LLM boundary; no model training on Customer Data.
5. Subprocessors
We engage AWS (infrastructure), Stripe (billing metadata only), and an LLM provider under a zero-retention agreement. We maintain a current subprocessor list and will give notice of changes, allowing reasonable objection.
6. International transfers
Where Customer Data is transferred across jurisdictions, transfers are governed by Standard Contractual Clauses or another lawful transfer mechanism.
7. Data subject requests and assistance
We will assist you, taking into account the nature of processing, in responding to data subject requests and in meeting your security, breach-notification, and impact-assessment obligations.
8. Breach notification
We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Data, with information reasonably available to us.
9. Return and deletion
On termination, and at your choice, we will return or delete Customer Data within the period defined in our retention schedule, except where retention is required by law.
10. Audits
We will make available information necessary to demonstrate compliance and will support audits subject to reasonable confidentiality and scheduling terms.
11. Contact
DPA and compliance: legal@artificia.ai.