Data Processing Agreement

1. Scope and application

This Data Processing Agreement ("DPA") supplements the Intended Terms of Service and applies when Intended, Inc. ("Intended", "Processor") processes personal data on behalf of the Customer ("Controller") in connection with the Authority Runtime Services. This DPA applies to all personal data processed through the Services, including intent metadata, authority decision records, escalation data, and account information. In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection matters.

2. Definitions

• "Personal Data" — any information relating to an identified or identifiable natural person processed through the Services
• "Processing" — any operation performed on Personal Data, including collection, storage, evaluation (risk scoring), transmission (connector execution), and deletion
• "Sub-processor" — a third-party entity engaged by Intended to process Personal Data on behalf of the Controller
• "Authority Decision Data" — intent metadata, risk evaluations, policy outcomes, token claims, and audit records generated during authority evaluation
• "Security Incident" — a breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of Personal Data
• "Standard Contractual Clauses" or "SCCs" — the standard contractual clauses approved by the European Commission for the transfer of personal data to third countries
• "UK Addendum" — the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the UK Information Commissioner's Office

3. Processor obligations

• Process Personal Data only on documented instructions from the Controller (as configured through policies, connectors, and platform settings)
• Ensure that persons authorized to process Personal Data have committed to confidentiality obligations
• Implement and maintain technical and organizational security measures as described in Section 5 and the TOMs Appendix (Section 14)
• Engage sub-processors only with prior notice and under equivalent data protection obligations, in accordance with Section 6
• Assist the Controller in responding to data subject requests (access, correction, deletion, portability) within the timeframes required by applicable law
• Assist the Controller in ensuring compliance with security, breach notification, and data protection impact assessment obligations
• Cooperate with the Controller in conducting data protection impact assessments (DPIAs) where required under GDPR Article 35
• Delete or return all Personal Data upon termination of Services, subject to legal retention requirements
• Make available all information necessary to demonstrate compliance and allow for audits
• Maintain a record of processing activities carried out on behalf of the Controller in accordance with GDPR Article 30(2)

4. Categories of data processed

5. Security measures

• Encryption at rest: AES-256-GCM for all sensitive data, signing keys, and connector credentials
• Encryption in transit: TLS 1.3 for all API, database, and cache connections
• Per-tenant isolation: Database-scoped queries, separate RSA key pairs, isolated credential storage
• Access control: Role-based access (4 roles, 20 permissions) enforced at middleware level
• Audit integrity: SHA-256 hash-chained ledger with tamper detection
• Key management: Automated key rotation lifecycle (ACTIVE → PREVIOUS → RETIRED)
• Nonce protection: Single-use nonces consumed on first verification
• Infrastructure: AWS with VPC isolation, security groups, and encrypted storage volumes
• Monitoring: CloudWatch alarms, CloudTrail logging, and automated anomaly detection
• Fail-closed architecture: Unresolvable evaluations result in denial, not bypass

6. Sub-processors

Intended maintains a current list of sub-processors. The Controller will be notified at least fourteen (14) days in advance of any new sub-processor engagement or material change to an existing sub-processor. The Controller may object to a new sub-processor within fourteen (14) days of notification by providing written notice to dpa@intended.so with a reasonable basis for the objection. If the Controller objects and Intended cannot reasonably accommodate the objection, either party may terminate the affected Services upon thirty (30) days written notice.

7. Security incident notification

Intended will notify the Controller of a confirmed Security Incident in accordance with the following timelines:

• GDPR: Notification without undue delay, and no later than 72 hours after becoming aware of a breach likely to result in a risk to the rights and freedoms of natural persons
• Other jurisdictions: Notification without undue delay, and in compliance with applicable breach notification laws
• Notification will include: nature of the incident, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed
• Intended will cooperate with the Controller's investigation and provide ongoing updates until the incident is resolved
• Intended maintains an incident response plan with defined roles, communication procedures, and remediation protocols
• Intended will document all Security Incidents, including those that do not trigger notification obligations, and make records available to the Controller upon request

8. International data transfers

Intended processes data in the United States. For transfers of personal data from jurisdictions with transfer restrictions, Intended provides the following safeguards:

• European Economic Area (EEA): Intended relies on the Standard Contractual Clauses (SCCs) as approved by the European Commission (Implementing Decision (EU) 2021/914) for transfers of personal data from the EEA to the United States. The SCCs are incorporated by reference into this DPA as Module Two (Controller to Processor)
• United Kingdom: For transfers of personal data from the UK, Intended relies on the UK International Data Transfer Addendum (UK IDTA), Version B1.0, Module Two (Controller to Processor), as issued by the UK Information Commissioner's Office under Section 119A of the UK Data Protection Act 2018. The UK IDTA supplements the SCCs with UK-specific safeguards and is incorporated by reference into this DPA.
• Switzerland: Intended relies on the SCCs as recognized under the Swiss Federal Act on Data Protection (FADP / nDSG), with the modifications required by the Swiss Federal Data Protection and Information Commissioner (FDPIC) for transfers from Switzerland
• Supplementary measures include encryption at rest and in transit, per-tenant isolation, access controls, and fail-closed architecture as described in Section 5
• Enterprise customers requiring data residency in specific regions should contact Intended to discuss deployment options

8.1 Schrems II supplementary measures

In addition to Standard Contractual Clauses (SCCs) and UK IDTA, Intended implements the following supplementary technical and organizational measures to address post-Schrems II requirements:

• Encryption and Key Management: Personal data encrypted at rest (AES-256-GCM) and in transit (TLS 1.3). Encryption keys managed per-tenant. Master keys derived from tenant-controlled key material where technically feasible. US government authorities cannot decrypt data without Intended's cooperation.
• Data Isolation: Per-tenant isolation prevents aggregation of EU data with other customer data, limiting exposure in government requests.
• Fail-Closed Architecture: Unresolvable authority evaluations result in denial, not approval, preventing over-inclusive government access.
• Government Access Notification: Intended will notify Controller of any legal demand (subpoena, FISA order, NSL) requiring disclosure of personal data, unless Intended is legally prohibited. Notification to dpa@intended.so within [X hours] of receipt, unless legally prohibited.
• Transparency Reporting: Intended publishes annual transparency report detailing number of government access requests, jurisdiction, and Controller's response (aggregate, non-identifying).
• Objection and Termination Rights: Controller may object to processing upon government access demand. If Intended cannot accommodate objection, either party may terminate affected Services without penalty.
• These measures do not eliminate risk of compelled US government access but substantially reduce risk and provide Controller with remedies and visibility.

3.9 Prohibition on model training

Intended shall NOT use Personal Data or Authority Decision Data to train, fine-tune, evaluate, or improve any machine learning model, large language model (LLM), foundation model, or internal algorithmic system, whether operated by Intended or by sub-processors, without explicit prior written consent from the Controller. Sub-processor obligations (Section 6) include equivalent restrictions prohibiting use of Personal Data for model improvement. Intended will ensure OpenAI, Anthropic, and any other LLM sub-processor contractually commits to the same restriction. Any change to this policy (e.g., future use of authority decision data for internal analytics improvement) requires 90 days' advance written notice and explicit Controller opt-in consent. Controller may terminate Services without penalty if consent is not given.

9. Data protection impact assessments

Intended will provide reasonable cooperation and assistance to the Controller in conducting data protection impact assessments (DPIAs) where required under GDPR Article 35 or equivalent provisions of other applicable data protection laws. Intended will provide information about its processing activities, technical and organizational measures, and sub-processors as needed for the Controller to complete its assessment. Requests for DPIA cooperation should be directed to dpa@intended.so.

6.1 Sub-processor obligations

Each sub-processor engaged by Intended shall implement obligations substantially equivalent to this DPA, including but not limited to:

• Process Personal Data only on documented instructions from Intended (which, in turn, follows Controller instructions).
• Implement and maintain technical and organizational security measures per Section 5 (Appendix TOMs).
• Notify Intended of any Security Incident within 24 hours of discovery.
• Assist with data subject access, deletion, correction, and portability requests within timeframes specified in Section 3.4.
• Delete or return Personal Data upon termination, except where legal retention applies.
• Submit to audits and provide compliance documentation to Intended (which Intended may share with Controller under NDA).
• Not engage further sub-processors without prior written approval from Intended.
• Implement the same prohibition on model training per Section 3.9.
• Intended shall ensure all sub-processor agreements are executed before engagement and shall provide evidence of compliance upon request.

3.4 Data subject rights assistance

Assist the Controller in responding to data subject requests in accordance with the following timelines and procedures:

• Requests for Access (GDPR Art. 15, CCPA §1798.100): Extract all personal data held for the data subject in machine-readable format (CSV, JSON) within 10 business days of request. Provide all authority decisions, audit records, connector logs, and account data.
• Requests for Deletion (GDPR Art. 17, CCPA §1798.105): Delete all personal data associated with data subject within 10 business days, except where legal retention (SOX 7-year, GDPR Art. 17(3)) or ongoing disputes require retention. Notify Controller if deletion is not fully possible and explain legal basis for retention.
• Requests for Correction (GDPR Art. 16, CCPA §1798.106): Correct factual inaccuracies in account data (name, email) within 5 business days. For authority decision data, correction may not be technically possible (immutable audit ledger); in that case, Intended will flag the record as disputed and provide attestation of the error.
• Requests for Portability (GDPR Art. 20): Provide all personal data and authority decision records in structured, machine-readable format (CSV, JSON, XML) within 10 business days, suitable for import to another processor.
• Requests for Objection (GDPR Art. 21): Upon Controller's instruction that data subject has objected to processing, Intended will cease processing that data subject's data within 5 business days, except where legal basis for continued processing applies.
• Cost: Routine requests (up to 5 per calendar year per data subject) are included in Services fees. Requests in excess of 5 per data subject per year are subject to professional services fees at Intended's standard rate ([$ per hour], currently $ ).
• Procedure: Data subject rights requests should be submitted to dpa@intended.so with sufficient information to identify the data subject and the requested action. Intended will acknowledge receipt within 2 business days and provide progress updates every 5 business days if response exceeds 10 business days.

12.1 Limitation of liability for DPA breaches

Intended's liability for DPA breach is governed by the Terms of Service Section 14 (Limitation of Liability) and the liability cap specified in any MSA. Specifically:

• Intended's aggregate liability for data protection claims (breach of confidentiality, failure to implement security measures per §5, unauthorized access) shall not exceed [X months of fees] or the amount specified in the MSA, whichever is lower.
• Intended is not liable for losses arising from Controller's use of personal data or authority decisions (e.g., customer's own discriminatory use of Intended's risk scores) if Intended has complied with §3 (instructions) and §5 (security measures).
• Intended is not liable for sub-processor breaches unless Intended failed to exercise reasonable oversight of the sub-processor or failed to flow down equivalent DPA obligations per Section 6.
• Carve-outs from liability cap: Gross negligence, willful misconduct, breach of confidentiality (Section 3.2), IP indemnification (Terms §16A), and Intended's payment obligations.

11.1 Supervisory authority cooperation

Intended will cooperate with EU/EEA DPAs, UK ICO, Swiss FDPIC, and other supervisory authorities in investigations concerning Personal Data processing, including:

• Responding to information requests and interrogatories within statutory timeframes (typically 30 days).
• Providing copies of relevant processing records, security policies, incident reports, and compliance documentation.
• Allowing DPA representatives to conduct on-site inspections of facilities and systems processing personal data (with reasonable notice, no more than once per year absent ongoing investigation).
• Notifying Controller of any DPA investigation, audit, or enforcement action concerning Controller's data within [X days] of Intended's receipt of notice, unless legally prohibited.
• Cooperating in remediation of any finding and providing evidence of remediation to DPA.
• Intended will not disclose Controller's confidential information to DPA without reasonable notice to Controller, except where required by law.

13. AI Act compliance confirmation

Intended confirms the following regarding Personal Data and AI processing:

• No Personal Data or Authority Decision Data is used to train, fine-tune, evaluate, or improve any general-purpose AI (GPAI) or high-risk AI system without explicit prior written Controller consent per Section 3.9.
• Intended complies with EU AI Act (Regulation 2024/1689), Articles 4–7 (prohibited practices), Articles 8–15 (high-risk AI), and Articles 51–55 (GPAI deployer obligations), to the extent Personal Data is processed in connection with AI.
• Intended maintains documentation of processing and AI safeguards required by AI Act Article 13(3) and Article 5(2)(a) and will provide to Controller upon request.
• Any material change to AI processing (e.g., use of new GPAI model, change in inference parameters) requires 90 days' advance notice and Controller's written consent.
• Controller remains responsible for compliance with AI Act Articles 6(1)–(2) (high-risk AI assessment and conformity) and Article 22 (GDPR right to human review when AI makes decisions about natural persons).

10. Data retention and deletion

• Authority decision data is retained according to the Controller's plan tier (30 days, 1 year, or custom up to 7 years)
• Account data is retained for the duration of the active agreement plus 30 days for export
• Upon termination, Intended will delete or return Personal Data within 30 days, except where retention is required by law
• Audit records subject to regulatory retention requirements (e.g., SOX 7-year) are maintained in S3 Object Lock (Compliance mode) and cannot be deleted before the retention period expires
• The Controller may request certification of deletion upon completion of the deletion process

11. Audits and compliance

The Controller may audit Intended's compliance with this DPA once per year with 30 days written notice. Audits will be conducted during business hours and will not unreasonably interfere with operations. Intended will provide SOC 2 Type II reports, penetration testing summaries, and other compliance documentation upon request under NDA. Enterprise customers may request additional compliance documentation through their account team. Intended will maintain a record of processing activities in accordance with GDPR Article 30(2) and make it available to the Controller and supervisory authorities upon request.

12. Duration and termination

This DPA remains in effect for the duration of the Services agreement. Obligations regarding data deletion, retention, confidentiality, and cooperation with data protection authorities survive termination. In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection matters.

13. Data processing jurisdiction

• Primary processing location: United States (AWS us-east-1)
• Data may be processed in AWS regions selected by Customer for Enterprise deployments
• International transfers are governed by Standard Contractual Clauses (SCCs) for EEA/UK transfers, as described in Section 8
• Sub-processor list is maintained and updated with fourteen (14) days advance notice in accordance with Section 6

14. Contact

For DPA-related inquiries, data protection officer contact, or to request a signed copy: dpa@intended.so or legal@intended.so. For EU-specific data protection inquiries: eu-privacy@intended.so.

Appendix: Technical and organizational measures (TOMs)

The following technical and organizational measures are implemented by Intended to protect personal data processed under this DPA: