Legal

Data Processing Agreement

Effective date: March 22, 2026 · Last updated: March 26, 2026

Enterprise customers requiring a countersigned DPA should contact legal@intended.so.

1. Scope and application

This Data Processing Agreement ("DPA") supplements the Intended Terms of Service and applies when Intended, Inc. ("Intended", "Processor") processes personal data on behalf of the Customer ("Controller") in connection with the Authority Runtime Services. This DPA applies to all personal data processed through the Services, including intent metadata, authority decision records, escalation data, and account information. In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection matters.

2. Definitions

  • "Personal Data" — any information relating to an identified or identifiable natural person processed through the Services
  • "Processing" — any operation performed on Personal Data, including collection, storage, evaluation (risk scoring), transmission (connector execution), and deletion
  • "Sub-processor" — a third-party entity engaged by Intended to process Personal Data on behalf of the Controller
  • "Authority Decision Data" — intent metadata, risk evaluations, policy outcomes, token claims, and audit records generated during authority evaluation
  • "Security Incident" — a breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of Personal Data
  • "Standard Contractual Clauses" or "SCCs" — the standard contractual clauses approved by the European Commission for the transfer of personal data to third countries
  • "UK Addendum" — the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner's Office

3. Processor obligations

  • Process Personal Data only on documented instructions from the Controller (as configured through policies, connectors, and platform settings)
  • Ensure that persons authorized to process Personal Data have committed to confidentiality obligations
  • Implement and maintain technical and organizational security measures as described in Section 5 and the TOMs Appendix (Section 14)
  • Engage sub-processors only with prior notice and under equivalent data protection obligations, in accordance with Section 6
  • Assist the Controller in responding to data subject requests (access, correction, deletion, portability) within the timeframes required by applicable law
  • Assist the Controller in ensuring compliance with security, breach notification, and data protection impact assessment obligations
  • Cooperate with the Controller in conducting data protection impact assessments (DPIAs) where required under GDPR Article 35
  • Delete or return all Personal Data upon termination of Services, subject to legal retention requirements
  • Make available all information necessary to demonstrate compliance and allow for audits
  • Maintain a record of processing activities carried out on behalf of the Controller in accordance with GDPR Article 30(2)

4. Categories of data processed

Account data

  • Names and email addresses of account holders and team members
  • Company name, role, and account configuration

Authority decision data

  • Intent parameters: action type, target system, environment, agent identifier
  • Risk evaluation: 8-factor risk scores, tier classification, contributing factors
  • Policy outcomes: matched rules, thresholds, escalation triggers
  • Token claims: action scope, target, expiry, nonce, signing key reference
  • Audit entries: hash-chained records with SHA-256 integrity, timestamps, and decision outcomes
  • Escalation records: approver identity, approval/denial status, rationale text

Connector execution data

  • Execution status, adapter ID, latency, and remote status codes
  • Connector credentials (encrypted with AES-256-GCM per tenant, never logged or exported)
  • Runtime integration artifacts generated by Intended for customer-operated third-party runtimes, including policy bundles and preset or endpoint configuration metadata

5. Security measures

  • Encryption at rest: AES-256-GCM for all sensitive data, signing keys, and connector credentials
  • Encryption in transit: TLS 1.3 for all API, database, and cache connections
  • Per-tenant isolation: Database-scoped queries, separate RSA key pairs, isolated credential storage
  • Access control: Role-based access (4 roles, 20 permissions) enforced at middleware level
  • Audit integrity: SHA-256 hash-chained ledger with tamper detection
  • Key management: Automated key rotation lifecycle (ACTIVE → PREVIOUS → RETIRED)
  • Nonce protection: Single-use nonces consumed on first verification
  • Infrastructure: AWS with VPC isolation, security groups, and encrypted storage volumes
  • Monitoring: CloudWatch alarms, CloudTrail logging, and automated anomaly detection
  • Fail-closed architecture: Unresolvable evaluations result in denial, not bypass

6. Sub-processors

Intended maintains a current list of sub-processors. The Controller will be notified at least fourteen (14) days in advance of any new sub-processor engagement or material change to an existing sub-processor. The Controller may object to a new sub-processor within fourteen (14) days of notification by providing written notice to dpa@intended.so with a reasonable basis for the objection. If the Controller objects and Intended cannot reasonably accommodate the objection, either party may terminate the affected Services upon thirty (30) days' written notice.

Current sub-processors

  • Amazon Web Services (AWS) — Infrastructure hosting, compute, storage, and database services (US regions)

Customer-managed third-party systems

  • Customer-configured connector targets and customer-operated runtimes, including GitHub, Atlassian, ServiceNow, and NVIDIA OpenShell / NVIDIA NemoClaw, are not Intended sub-processors solely because Intended interoperates with them or generates policy artifacts for them
  • Processing performed directly in those systems is governed by the Customer's direct relationship with the applicable third party and the Customer's own instructions and credentials

7. Security incident notification

Intended will notify the Controller of a confirmed Security Incident in accordance with the following timelines:

  • GDPR: Notification without undue delay, and no later than 72 hours after becoming aware of a breach likely to result in a risk to the rights and freedoms of natural persons
  • Other jurisdictions: Notification without undue delay, and in compliance with applicable breach notification laws
  • Notification will include: nature of the incident, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed
  • Intended will cooperate with the Controller's investigation and provide ongoing updates until the incident is resolved
  • Intended maintains an incident response plan with defined roles, communication procedures, and remediation protocols
  • Intended will document all Security Incidents, including those that do not trigger notification obligations, and make records available to the Controller upon request

8. International data transfers

Intended processes data in the United States. For transfers of personal data from jurisdictions with transfer restrictions, Intended provides the following safeguards:

  • European Economic Area (EEA): Intended relies on the Standard Contractual Clauses (SCCs) as approved by the European Commission (Implementing Decision (EU) 2021/914) for transfers of personal data from the EEA to the United States. The SCCs are incorporated by reference into this DPA as Module Two (Controller to Processor)
  • United Kingdom: Intended incorporates the UK International Data Transfer Addendum to the EU SCCs, as issued by the UK Information Commissioner's Office under Section 119A of the UK Data Protection Act 2018, for transfers of personal data from the UK
  • Switzerland: Intended relies on the SCCs as recognized under the Swiss Federal Act on Data Protection (FADP / nDSG), with the modifications required by the Swiss Federal Data Protection and Information Commissioner (FDPIC) for transfers from Switzerland
  • Supplementary measures include encryption at rest and in transit, per-tenant isolation, access controls, and fail-closed architecture as described in Section 5
  • Enterprise customers requiring data residency in specific regions should contact Intended to discuss deployment options

9. Data protection impact assessments

Intended will provide reasonable cooperation and assistance to the Controller in conducting data protection impact assessments (DPIAs) where required under GDPR Article 35 or equivalent provisions of other applicable data protection laws. Intended will provide information about its processing activities, technical and organizational measures, and sub-processors as needed for the Controller to complete its assessment. Requests for DPIA cooperation should be directed to dpa@intended.so.

10. Data retention and deletion

  • Authority decision data is retained according to the Controller's plan tier (30 days, 1 year, or custom up to 7 years)
  • Account data is retained for the duration of the active agreement plus 30 days for export
  • Upon termination, Intended will delete or return Personal Data within 30 days, except where retention is required by law
  • Audit records subject to regulatory retention requirements (e.g., SOX 7-year) are maintained in S3 Object Lock (Compliance mode) and cannot be deleted before the retention period expires
  • The Controller may request certification of deletion upon completion of the deletion process

11. Audits and compliance

The Controller may audit Intended's compliance with this DPA once per year with 30 days' written notice. Audits will be conducted during business hours and will not unreasonably interfere with operations. Intended will provide SOC 2 Type II reports, penetration testing summaries, and other compliance documentation upon request under NDA. Enterprise customers may request additional compliance documentation through their account team. Intended will maintain a record of processing activities in accordance with GDPR Article 30(2) and make it available to the Controller and supervisory authorities upon request.

12. Duration and termination

This DPA remains in effect for the duration of the Services agreement. Obligations regarding data deletion, retention, confidentiality, and cooperation with data protection authorities survive termination. In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection matters.

13. Data processing jurisdiction

  • Primary processing location: United States (AWS us-east-1)
  • Data may be processed in AWS regions selected by Customer for Enterprise deployments
  • International transfers are governed by Standard Contractual Clauses (SCCs) for EEA/UK transfers, as described in Section 8
  • Sub-processor list is maintained and updated with fourteen (14) days' advance notice in accordance with Section 6

14. Contact

For DPA-related inquiries, data protection officer contact, or to request a signed copy: dpa@intended.so or legal@intended.so. For EU-specific data protection inquiries: eu-privacy@intended.so.

Appendix: Technical and organizational measures (TOMs)

The following technical and organizational measures are implemented by Intended to protect personal data processed under this DPA:

Access control

  • Role-based access control with four defined roles and twenty granular permissions
  • Multi-factor authentication (MFA) support for all account holders
  • API key authentication with hashed storage and prefix-based identification
  • Brute-force protection with rate limiting on authentication endpoints
  • Automated session expiry and re-authentication requirements

Encryption

  • AES-256-GCM encryption at rest for all sensitive data, signing keys, and credentials
  • TLS 1.3 encryption in transit for all connections
  • RSA-4096 key pairs for authority token signing (per-tenant isolation)
  • HMAC-SHA-256 for evidence bundle integrity verification
  • HKDF key derivation for derived key material

Data integrity

  • SHA-256 hash-chained audit ledger with tamper detection
  • Single-use nonces to prevent replay attacks
  • Cryptographic receipts for all authority decisions
  • Immutable audit records (cannot be modified or deleted after creation)

Infrastructure security

  • AWS cloud infrastructure with VPC isolation
  • Encrypted storage volumes (EBS, S3)
  • Security groups and network access control lists
  • CloudWatch monitoring, CloudTrail audit logging, and automated alerting
  • Regular security patching and vulnerability management

Organizational measures

  • Confidentiality agreements for all personnel with access to personal data
  • Security awareness training for engineering and operations staff
  • Documented incident response plan with defined roles and procedures
  • Annual third-party penetration testing
  • Regular review and update of security policies and procedures