Data Processing Addendum
This Data Processing Addendum ("DPA") supplements the Terms of Service between you ("Controller") and Olsson Security, a sole proprietorship registered in the commercial register of the Canton of Zurich, Switzerland (UID CHE-248.057.933), Baslerstrasse 77, 8048 Zurich, Switzerland, operating the Provedit service ("Processor", "we", "us"). It applies whenever you use the Service to process personal data subject to the Swiss Federal Act on Data Protection (nFADP), the EU General Data Protection Regulation (GDPR), or the UK GDPR. Capitalised terms not defined here have the meaning given in the GDPR; where the nFADP applies, equivalent Swiss terms (e.g. "contracted data processor") have the same meaning. Where required by Swiss law, references to "personal data breach" include a "breach of data security" within the meaning of Art. 24 nFADP, notifications go to the FDPIC, and references to data-subject rights include rights under Art. 25 ff. nFADP.
1. Roles and scope
You act as Controller and we act as Processor for personal data you or your authorised users submit to the Service ("Customer Data"). Where you are a processor on behalf of your own customers, we act as your sub-processor; you confirm that you have authority and a valid lawful basis to engage us.
2. Subject matter, duration, nature, and purpose
| Item | Description |
|---|---|
| Subject matter | Provision of the Service: signed, hash-chained audit records of AI agent and tool-call activity, with policy and approval workflow. |
| Duration | For as long as you have an active account, plus the retention windows in section 7. |
| Nature and purpose | Hosting, storage, transmission, indexing, integrity-anchoring (hash chain plus ES256 batch signatures and XMSS post-quantum anchoring), and display of Customer Data so you can audit and govern AI agents. |
| Types of personal data | Account contact data (name, work email); per-action actor identifiers you choose to send (typically a user email or pseudonymous ID on whose behalf an agent acted); free-text summaries and tool-call parameters you log; tenant administrator IP and user-agent captured in operational logs. |
| Categories of data subjects | Your personnel, your customers (where you act as their processor), and people referenced in the actions you log. |
3. Our obligations as Processor
- Process Customer Data only on your documented instructions, including the Terms, this DPA, and configuration choices you make in the product. We will tell you if we believe an instruction breaches data protection law.
- Ensure persons authorised to process Customer Data are under a duty of confidentiality.
- Implement and maintain the technical and organisational measures in section 6.
- Assist you, taking into account the nature of processing, in responding to data-subject requests and in meeting your obligations under Articles 32 to 36 GDPR.
- Make available the information needed to demonstrate compliance and allow audits as described in section 9.
4. Sub-processors
You give us general authorisation to engage sub-processors to provide the Service, on terms no less protective than this DPA. The current list of sub-processors is published at provedit.ai/dpa#subprocessors; see the table at the end of this document for the live list.
We will give at least 30 days' notice (by email or in-product) before adding or replacing a sub-processor. You may object on reasonable data-protection grounds; if we cannot resolve the objection, you may terminate the affected portion of the Service.
5. International transfers
Customer Data is hosted in the EU (Microsoft Azure West Europe). Where transfer outside the EEA/UK/Switzerland is necessary (for example, sub-processor support), it is covered by the European Commission's Standard Contractual Clauses (Module 2 or 3 as applicable) and, where required, the UK International Data Transfer Addendum and Swiss FADP addendum, plus supplementary measures including encryption in transit and at rest.
6. Security measures
- Transport encryption (TLS 1.2+) for all external connections; HSTS on customer-facing domains.
- Encryption at rest for managed databases (Azure Cosmos DB) and object storage (Azure Blob Storage), using Microsoft-managed keys.
- Multi-tenant data isolation: every Cosmos container is partitioned by tenantId, and the tenant identifier is resolved and enforced at every API entry point. Agent keys are scoped to a single tenant and user.
- Append-only, hash-chained audit log. Per-batch Merkle roots are signed with ECDSA P-256 (ES256) and additionally anchored with a quantum-resistant XMSS signature so the chain cannot be silently rewritten later.
- Action parameters ("params") are stored separately from the chain hash. Only a hash of params is included in the chain, so plaintext params can be redacted on request without breaking chain integrity.
- Secrets stored in Azure Key Vault; access via Azure Managed Identity, no long-lived secrets in container images.
- Role-based access for our staff; production access limited to named on-call engineers, MFA required, every access logged via Azure Application Insights and Log Analytics.
- Secret scanning, dependency scanning, and CodeQL on every change; vulnerability patching SLAs aligned to CVSS severity.
- Cosmos DB continuous backup (point-in-time restore) with encryption at rest; restoration tested.
- Documented incident response with notification per section 8.
- Designed against the SOC 2 Trust Services Criteria and ISO/IEC 42001 (AI management system) control frameworks. Formal third-party attestations are not yet complete; we will share the SOC 2 Type II report under NDA once issued.
7. Data subject rights, retention, and deletion
We will, on your written request and at no extra charge for reasonable volumes, help you respond to data subject requests by providing export, rectification, restriction, or deletion functionality. Note: audit chain entries are immutable by design. Action parameters and free-text summaries can be redacted without breaking the chain, because only a hash of those values is incorporated into the chain itself; the hash and surrounding metadata (timestamp, actor identifier, action name, chain position) are preserved so prior signatures remain verifiable. Account contact data is retained for the life of the account plus 90 days. Customer Data submitted into the chain is retained for the life of the account; on termination you have 30 days to export, after which it is deleted from production within 90 days. Cosmos DB continuous backups age out within 30 days.
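The redactable chain described in sections 6 and 7 (only a hash of the parameters enters the chain; the plaintext is stored beside it and can be deleted later) is easiest to reason about with a small model. The following Python is an added illustration written for this page; it is not Provedit's code and does not describe their implementation. It assumes SHA-256, a canonical JSON encoding, a per-entry random salt folded into the parameter hash (an assumption; the DPA says only "a hash of params"), and a per-batch Merkle root in place of the ES256/XMSS signing step, which is out of scope here. The sample actions are constructed.

```python
"""Model of a redactable hash chain: metadata is in-chain and immutable,
parameters live out-of-chain and are bound to the chain only by a hash.
Illustrative stand-in, not the Provedit implementation."""
import hashlib
import json
import os

ZERO = "0" * 64  # previous-hash value for the first entry


def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    # Deterministic encoding so the same logical params always hash the same.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def commit_params(params, salt: bytes = None):
    """Return (salt_hex, params_hash). The salt is an assumption added here so a
    redacted low-entropy value (e.g. an email) cannot be recovered by guessing."""
    salt = salt or os.urandom(16)
    return salt.hex(), _h(salt + canonical(params))


class Chain:
    def __init__(self):
        self.entries = []       # in-chain metadata: seq, ts, actor, action, hashes
        self.params_store = {}  # out-of-chain plaintext + salt, keyed by seq

    def append(self, ts, actor, action, params):
        salt_hex, params_hash = commit_params(params)
        prev = self.entries[-1]["entry_hash"] if self.entries else ZERO
        body = {"seq": len(self.entries), "ts": ts, "actor": actor,
                "action": action, "params_hash": params_hash, "prev_hash": prev}
        body["entry_hash"] = _h(canonical(body))
        self.entries.append(body)
        self.params_store[body["seq"]] = {"salt": salt_hex, "params": params}
        return body

    def redact(self, seq):
        # Plaintext and salt are dropped; the commitment in the chain is untouched.
        self.params_store[seq] = None

    def verify_chain(self) -> bool:
        """Recompute every entry hash and check each prev_hash link."""
        prev = ZERO
        for e in self.entries:
            if e["prev_hash"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if _h(canonical(body)) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def verify_params(self, seq):
        """True if the stored plaintext still matches the chain commitment,
        False if it was altered, None if it has been redacted."""
        rec = self.params_store.get(seq)
        if rec is None:
            return None
        _, recomputed = commit_params(rec["params"], bytes.fromhex(rec["salt"]))
        return recomputed == self.entries[seq]["params_hash"]


def merkle_root(entry_hashes) -> str:
    """Per-batch Merkle root over entry hashes; this is the value a batch
    signature (ES256/XMSS in the DPA) would cover. Odd levels duplicate the last leaf."""
    level = [bytes.fromhex(h) for h in entry_hashes]
    if not level:
        return _h(b"")
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0].hex()


def demo():
    """Constructed sample: log two actions, redact the first, show the chain
    and the batch root are unaffected while the plaintext is gone."""
    c = Chain()
    c.append("2024-01-01T00:00:00Z", "alice@example.com", "email.send",
             {"to": "bob@example.com", "body": "quarterly numbers attached"})
    c.append("2024-01-01T00:00:01Z", "agent-7", "db.query", {"sql": "select 1"})
    root_before = merkle_root([e["entry_hash"] for e in c.entries])
    c.redact(0)
    root_after = merkle_root([e["entry_hash"] for e in c.entries])
    return {"chain_ok": c.verify_chain(), "params0": c.verify_params(0),
            "params1": c.verify_params(1), "root_unchanged": root_before == root_after}


if __name__ == "__main__":
    print(demo())
```

Two things a practitioner should check against a real deployment of this design. First, a bare hash of low-entropy parameters (an email address, a short SQL string) can be recovered by guessing, so "redaction" only removes the data if the commitment includes a random salt that is deleted together with the plaintext, as modelled above; the DPA does not state whether the stored hash is salted, so confirm that before relying on redaction for data-subject erasure requests. Second, the in-chain metadata (actor identifier, timestamp, action name) is itself personal data and is not redactable by this mechanism, which is exactly what section 7 says is preserved.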
8. Personal data breach notification
We will notify you without undue delay and in any case within 72 hours of becoming aware of a personal data breach affecting Customer Data. The notice will describe the nature of the breach, affected data categories, likely consequences, and the measures taken or proposed.
9. Audit
On reasonable written notice and no more than once per twelve months (except where required by a supervisory authority or following a confirmed breach), you may request a copy of our most recent SOC 2 Type II report or equivalent under NDA, and submit a written questionnaire that we will respond to within 30 days. Where these are insufficient, we will agree on the scope, timing, and cost of an on-site audit conducted by you or a mutually agreed independent auditor under NDA, without disrupting the Service.
10. Return and deletion on termination
On termination of the Service, we will, at your choice, return or delete Customer Data within the timelines in section 7. We will certify deletion in writing on request.
11. Liability
Each party's liability under this DPA is subject to the limitation of liability section of the Terms, except where the GDPR or applicable law prohibits such a limitation.
12. Conflicts
If there is a conflict between this DPA and the Terms, this DPA controls. If there is a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses control.
13. Contact
Data protection contact: hello@provedit.ai.
Sub-processor list
Authentication is currently handled by our own email-and-password service running inside the API. Microsoft Entra External ID is provisioned but not yet enabled for end-user login; this list will be updated before that change goes live.
| Sub-processor | Purpose | Location of processing |
|---|---|---|
| Microsoft Azure - Cosmos DB (SQL API) | Primary application database (tenants, users, actions, chain entries, agent keys, policies) | EU (West Europe) |
| Microsoft Azure - Blob Storage | Bundle and export artefacts | EU (West Europe) |
| Microsoft Azure - Container Apps, Container Registry, Static Web Apps, App Service | Hosting of API, console, and marketing site | EU (West Europe) |
| Microsoft Azure - Service Bus | Action-committed event queue | EU (West Europe) |
| Microsoft Azure - Key Vault and Managed Identity | Secret storage and workload identity | EU (West Europe) |
| Microsoft Azure - Application Insights and Log Analytics | Operational telemetry, error and access logging | EU (West Europe) |
| Microsoft Azure - Communication Services (Email) | Transactional email (verification codes, alerts) | EU |
| Google LLC - Google Analytics / Google Ads (gtag) | Marketing site analytics and conversion measurement on provedit.ai only; not loaded inside the authenticated console or API | EU/US (SCCs in place) |