Last updated November 15, 2025

Data Processing Addendum

This Data Processing Addendum (“DPA”) supplements the Custodia CMMC 1 Suite Terms of Service when Customer data includes personal data subject to privacy regulations such as GDPR or state privacy laws. In the event of a conflict between the DPA and the Terms, the DPA controls with respect to personal data processing.

1. Roles and Scope

Customer is the controller of personal data entered into the Service. Custodia, LLC acts as a processor on Customer's behalf to provide functionality including evidence storage, policy generation, and report exports. The scope of processing is limited to delivering contracted services, improving platform security, and complying with applicable law.

2. Customer Responsibilities

  • Provide instructions that comply with applicable data protection legislation.
  • Collect necessary consents and maintain a lawful basis for processing personal data.
  • Ensure data uploaded to the Service is accurate and limited to what is required for compliance efforts.

3. Custodia Obligations

  • Process personal data only as documented by Customer or required by law.
  • Maintain appropriate technical and organizational security measures.
  • Assist with data subject requests where feasible and legally permitted.
  • Notify Customer without undue delay of any confirmed personal data breach.
  • Ensure personnel with access to personal data are bound by confidentiality obligations.

4. Subprocessors

Custodia, LLC uses vetted subprocessors to deliver the Service, including Vercel (hosting), Neon (database), Clerk (authentication), and Google (Gemini AI). A current list is maintained at https://custodiacmmc.com/trust. Customer authorizes the use of these subprocessors. We will provide notice of any material changes.

5. International Transfers

Personal data is primarily hosted in the United States. Where transfers outside of the U.S. occur, Custodia, LLC will rely on legally recognized transfer mechanisms such as Standard Contractual Clauses or their successors.

6. Return or Deletion

Upon termination of the agreement or at Customer's request, Custodia will delete or return personal data within thirty (30) days, unless retention is required by law. Backups will be overwritten on their normal schedule.

Execution

This DPA is incorporated into the primary service agreement between Customer and Custodia, LLC. For a countersigned copy or customer-specific amendments, contact legal@custodiacompliance.com.