Data Processing Agreement

Last updated: 1 July 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service or other agreement (the "Agreement") between DATAFENIX LTD ("Vesta", "Processor") and the customer ("Customer", "Controller"). It governs Vesta's processing of Customer Personal Data on the Customer's behalf.

If you require a signed copy, contact info@datafenix.ai.


1. Definitions

  • Data Protection Laws — all laws applicable to the processing under this DPA, including the UK GDPR and the Data Protection Act 2018 (as amended, including by the Data (Use and Access) Act 2025); the EU GDPR (Regulation 2016/679) where applicable; and US state privacy laws including the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) where applicable.
  • Customer Personal Data — personal data within Customer Data that Vesta processes on the Customer's behalf under the Agreement, as described in Annex 1.
  • Controller, Processor, Sub-processor, Data Subject, Personal Data, Personal Data Breach, Process/Processing — as defined in the UK GDPR.
  • Sub-processor — a third party engaged by Vesta to process Customer Personal Data.
  • Standard Contractual Clauses / SCCs — the EU Commission SCCs (Decision 2021/914).
  • UK Addendum / IDTA — the ICO's International Data Transfer Addendum to the SCCs, or the International Data Transfer Agreement.

2. Roles and scope

2.1 As between the parties, the Customer is the Controller (or a processor acting for its own controller) and Vesta is the Processor of Customer Personal Data. For US state laws, Vesta acts as a service provider (Section 12).

2.2 Vesta will process Customer Personal Data only to provide and support the Service and only on the Customer's documented instructions, which comprise the Agreement, this DPA, the Customer's configuration and use of the Service, and any further written instructions. The Service's documented functionality (ingesting telemetry the Customer sends, transforming it, and presenting analytics, reports, and recommendations) is an instruction.

2.3 Vesta will inform the Customer if, in its opinion, an instruction infringes Data Protection Laws (without obligation to give legal advice).

2.4 The Customer is responsible for the lawfulness of Customer Personal Data and of its instructions, including having a lawful basis, providing notices, and obtaining consents from its end users, and for configuring redaction so that it does not send Vesta more personal data than necessary.

3. Details of processing

The subject matter, duration, nature and purpose of processing, types of Personal Data, and categories of Data Subjects are set out in Annex 1.

4. Vesta's obligations (Article 28 UK GDPR)

Vesta will:

(a) process only on documented instructions (Section 2), including for international transfers (Section 11), unless required by law (in which case it will inform the Customer unless legally prohibited);

(b) ensure persons authorised to process Customer Personal Data are under a duty of confidentiality;

(c) implement appropriate technical and organisational security measures under Article 32, as described in Annex 2;

(d) respect the conditions in Section 5 for engaging Sub-processors;

(e) assist the Customer by appropriate technical and organisational measures, insofar as possible, in responding to Data Subject rights requests (access, rectification, erasure, restriction, portability, objection);

(f) assist the Customer in ensuring compliance with Articles 32–36 (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of processing and information available to Vesta;

(g) at the Customer's choice, delete or return all Customer Personal Data at the end of the provision of services, and delete existing copies, unless storage is required by law (Section 10);

(h) make available information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits (Section 9).

5. Sub-processors

5.1 The Customer gives general authorisation for Vesta to engage Sub-processors. The current Sub-processors are listed in Annex 3.

5.2 Vesta will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, and remains liable for its Sub-processors' performance.

5.3 Vesta will give the Customer at least 30 days' notice of any intended addition or replacement of a Sub-processor (by email or via the Service). If the Customer reasonably objects on data protection grounds within that period, the parties will work in good faith to resolve it; if they cannot, the Customer may terminate the affected Service as its sole remedy.

6. Security

Vesta will maintain the technical and organisational measures in Annex 2, appropriate to the risk, and will not materially decrease their overall protection during the term.

7. Personal Data Breach

Vesta will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, will provide information reasonably available to it to help the Customer meet its own breach-notification obligations, and will take reasonable steps to mitigate and remediate.

8. Data Subject requests

If Vesta receives a request from a Data Subject relating to Customer Personal Data, it will, unless legally required to respond, refer the Data Subject to the Customer and assist the Customer in responding as set out in Section 4(e).

9. Audits

Vesta will make available information reasonably necessary to demonstrate compliance with this DPA. The Customer may audit no more than once per year (and on a Personal Data Breach), on reasonable prior notice, during business hours, subject to confidentiality, without unreasonably disrupting Vesta's operations. Vesta may satisfy audit requests by providing relevant documentation, security summaries, or third-party reports where available.

10. Return and deletion

On termination or expiry of the Agreement, Vesta will delete Customer Personal Data within 30 days, except: (a) anonymised and aggregated data, which is not Customer Personal Data and may be retained per the Agreement; and (b) copies required to be retained by law, which Vesta will continue to protect and process only as required for that purpose. Ingested telemetry is in any event retained on a 13-month rolling window during the term and then deleted.

11. International transfers

11.1 Vesta stores core Customer Personal Data in the United Kingdom (Google Cloud europe-west2).

11.2 Where Vesta or a Sub-processor transfers Customer Personal Data to a country without UK/EU adequacy, the transfer is subject to appropriate safeguards, which the parties agree to incorporate by this reference:

  • for transfers subject to UK GDPR, the IDTA, or the EU SCCs together with the UK Addendum;
  • for transfers subject to EU GDPR, the EU SCCs (Module Two: Controller-to-Processor; or Module Three where Vesta is a sub-processor), with Annexes populated by Annexes 1–3 of this DPA; with Vesta as "data importer" and the Customer as "data exporter".

The parties agree the protection in the destination is not materially lower than under UK law (per the Data (Use and Access) Act 2025 transfer test). Copies of executed safeguards are available on request.

11.3 Where the SCCs require selections: docking clause applies; the optional independent-audit option in Clause 8.9 is met via Section 9; the governing law and forum are those of the data exporter's jurisdiction (or England and Wales for UK transfers); and the supervisory authority is the ICO (UK) or the competent EU authority.

12. United States — service provider terms (CCPA/CPRA)

To the extent Vesta processes personal information of US residents subject to the CCPA/CPRA (or comparable state laws), Vesta acts as a service provider and:

(a) will process such personal information only to perform the services specified in the Agreement (the "business purpose"), and not for any other purpose;

(b) will not sell or share personal information, and will not retain, use, or disclose it for any purpose other than the business purpose, including not combining it with personal information from other sources except as permitted by the CCPA;

(c) will not retain, use, or disclose personal information outside the direct business relationship with the Customer, except as permitted by law;

(d) will provide the same level of privacy protection as required of businesses under the CCPA/CPRA;

(e) will assist the Customer in responding to consumer rights requests (access, deletion, correction, opt-out);

(f) grants the Customer the right to take reasonable and appropriate steps to ensure Vesta uses personal information consistently with the Customer's obligations; and

(g) certifies that it understands and will comply with these restrictions.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement.

14. General

This DPA forms part of the Agreement. If there is a conflict on the subject of personal data processing, this DPA prevails over the rest of the Agreement (and the SCCs/IDTA prevail over this DPA for the transfers they govern). This DPA is governed by the law of the Agreement (England and Wales) except where Data Protection Laws or the SCCs require otherwise.


Annex 1 — Details of processing

Subject matter: Vesta's processing of Customer Personal Data to provide the Vesta analytics Service.

Duration: the term of the Agreement, plus the deletion period in Section 10 (and the 13-month rolling telemetry retention).

Nature and purpose: receiving telemetry ("span") data sent by the Customer's instrumented software; storing, transforming, and analysing it; and presenting analytics, reports, and recommendations to the Customer.

Types of Personal Data. Customer controls what it sends. Customer Personal Data may include, within telemetry spans:

  • End-user / session identifiers: user_id, session_id, interaction_id (as set by the Customer's software).
  • Request and response content: request_payload (tool/method arguments) and response_payload (results), which may contain personal data depending on what the Customer's software passes — unless redacted by the Customer using the SDK's redaction controls.
  • Custom dimensions / attributes: arbitrary key/value dimensions and OTel attributes the Customer attaches.
  • Operational metadata (generally not personal data): surface/trace/span identifiers, tool/method names, timestamps and durations, status and error codes, agent runtime and model provider/id, and redaction counts/paths.

Vesta does not require or request special category data. The Customer is instructed not to send special category data, payment card data, credentials, or secrets unless separately agreed.

Categories of Data Subjects: the Customer's end users and other individuals whose personal data may appear in the telemetry the Customer chooses to send (for example, users interacting with the Customer's MCP server or application).


Annex 2 — Technical and organisational security measures

Keep this annex truthful and current. It describes measures Vesta operates today. Do not add measures (e.g. specific monitoring/alerting or certifications) until they are actually in place.

  • Encryption in transit: telemetry is transmitted to the ingest endpoint over HTTPS/TLS. Service and console traffic uses TLS.
  • Encryption at rest: Customer Personal Data is stored in Google Cloud services (BigQuery, Firestore) with encryption at rest enabled by default.
  • Data residency: core Customer Personal Data is stored in the UK (europe-west2).
  • Authentication and authorisation: access to the ingest endpoint requires a secret API key (bearer token). Keys are scoped to specific surfaces and are enforced at the ingest boundary so a key can only write data for its authorised surface (tenant isolation). Console access is authenticated, and customer-scoped reads are restricted to the authenticated customer's own data.
  • Secret handling: API keys are stored in hashed form; platform secrets are held in Google Secret Manager. Keys are displayed to the Customer once on creation and are not retrievable thereafter; keys can be revoked/rotated.
  • Least-privilege access: service components run under dedicated service accounts with least-privilege IAM permissions.
  • Logging: operational logging records request metadata (e.g. counts, timing, hashed key identifier) and is designed not to record raw payload content.
  • Data minimisation tooling: the SDK provides Customer-configurable redaction (capture/redact/hash/truncate/detect) so the Customer can avoid sending unnecessary personal data; ingest records server-side timestamps.
  • Resilience: managed, regionally-redundant Google Cloud storage services are used for Customer Personal Data.
  • Organisational measures: confidentiality obligations on personnel; access to production data limited to those who need it.

(Roadmap controls not yet operating — e.g. ingest rate limiting, formal monitoring/alerting, scheduled backups — are intentionally excluded from this annex until deployed. Update this annex when they ship.)


Annex 3 — Authorised Sub-processors

Sub-processor | Purpose | Location of processing
Google LLC / Google Cloud (BigQuery, Firestore, Cloud Run, Firebase Authentication) | Cloud infrastructure, data storage and processing, authentication | Primary: UK (europe-west2). Some account/auth and support functions may involve other Google locations, covered by Google's SCCs/UK Addendum.
Google LLC (Firebase Hosting) | Hosting of the Vesta website/console | Google global edge network

Anthropic is not a Sub-processor of Customer Personal Data. Vesta uses third-party LLM services only to process Vesta's own synthetic/evaluation data, not Customer Personal Data.