Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Cipher & Row LLC ("Processor", "we", "us") and the entity or individual agreeing to these terms ("Controller", "you", "Customer") for the use of the CR Gateway API validation service ("Service").

This DPA is entered into to ensure compliance with applicable data protection legislation, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), and reflects the parties' agreement with regard to the processing of personal data by the Processor on behalf of the Controller.

2. Definitions

1. "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Service.
2. "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
3. "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
4. "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
5. "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

3. Roles and Scope

The Customer acts as the Data Controller, determining the purposes and means of processing Personal Data. Cipher & Row LLC acts as the Data Processor, processing Personal Data solely on behalf of and under the documented instructions of the Controller.

The scope of processing is limited to the provision of the CR Gateway API validation service, which validates AI agent outputs for hallucinations, confidence thresholds, safety violations, and structural integrity.

4. Categories of Data Processed

5. Purpose of Processing

The Processor shall process Personal Data solely for the following purposes:

1. Validating AI agent outputs for hallucinations, confidence thresholds, safety violations, and danger term detection.
2. Providing swarm fail-fast checks to terminate low-confidence agent chains.
3. Facilitating agent-to-agent validated relay delivery.
4. Compressing and managing AI context windows.
5. Storing validated messages when explicitly requested by the Controller via /v1/store.
6. Generating usage metrics and analytics for the Controller's account.
7. Providing confidence calibration and feedback processing.

6. Processor Obligations

The Processor shall:

1. Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law.
2. Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing.
4. Not engage another processor (Sub-processor) without prior specific or general written authorization of the Controller.
5. Assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection law.
6. Assist the Controller in ensuring compliance with obligations related to security of processing, notification of Data Breaches, data protection impact assessments, and prior consultation with supervisory authorities.
7. At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires retention.
8. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA.

7. Technical and Organizational Security Measures

The Processor implements the following security measures to protect Personal Data:

7.1 Encryption

• All data in transit is encrypted using TLS 1.2 or higher.
• API keys are hashed using PBKDF2 with per-key salts before storage.
• No plaintext credentials are stored at rest.

7.2 Access Control

• API key authentication required for all data processing endpoints.
• Per-tenant isolation — each customer's data is logically separated.
• Rate limiting enforced to prevent abuse and unauthorized bulk access.

7.3 Infrastructure Security

• Edge computing architecture — data is processed at the nearest Cloudflare edge node, minimizing data transit distance.
• No centralized data store for transient validation operations.
• Path traversal protection and input sanitization on all endpoints.
• SSRF protection with URL validation and blocklisting of internal networks.

7.4 Monitoring and Response

• Error monitoring via Sentry for operational integrity.
• Automated fuzz testing and security scanning.
• Homoglyph evasion detection (Cyrillic, leetspeak, zero-width character attacks).

8. Sub-processors

The Controller provides general authorization for the Processor to engage the following Sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object.

Each Sub-processor is contractually bound to data protection obligations no less protective than those set out in this DPA.

9. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests under GDPR, including:

1. Right of Access (Art. 15): Data Subjects may request access to their Personal Data. The Processor will provide data export capabilities upon Controller request.
2. Right to Rectification (Art. 16): Inaccurate Personal Data will be corrected upon notification.
3. Right to Erasure (Art. 17): Personal Data will be deleted upon Controller request. For transient validation data, no deletion is necessary as data is not retained.
4. Right to Data Portability (Art. 20): The Processor will provide Personal Data in a structured, commonly used, machine-readable format upon request.
5. Right to Restriction of Processing (Art. 18): Processing can be restricted upon Controller instruction.
6. Right to Object (Art. 21): The Controller may instruct the Processor to cease processing at any time.

Requests should be directed to privacy@cipherandrow.com. The Processor will respond to Controller requests within 30 days.

10. Data Breach Notification

In the event of a Data Breach, the Processor shall:

1. Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the Data Breach.
2. Provide the Controller with sufficient information to allow the Controller to meet its obligations to report the breach to the relevant supervisory authority and/or to notify affected Data Subjects.
3. The notification shall include, to the extent available:
   • The nature of the Data Breach, including the categories and approximate number of Data Subjects and records concerned.
   • The likely consequences of the Data Breach.
   • The measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects.
4. Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.

11. Cross-Border Data Transfers

The Service operates on Cloudflare's global edge network. Data submitted for validation is processed at the edge node nearest to the originating request, minimizing cross-border data transit.

Where Personal Data is transferred outside the European Economic Area (EEA), the Processor ensures that appropriate safeguards are in place, including:

• Reliance on adequacy decisions by the European Commission where applicable.
• Standard Contractual Clauses (SCCs) as adopted by the European Commission.
• Binding Corporate Rules of Sub-processors where applicable.

The Processor shall inform the Controller of any changes to the transfer mechanisms and shall ensure that any new mechanism provides an adequate level of protection for Personal Data.

12. Data Retention

1. Transient validation data (/v1/validate, /v1/swarm/check, /v1/relay, /v1/compress, /v1/context/check): Not retained. Data is processed in memory and immediately discarded upon completion of the validation operation.
2. Stored messages (/v1/store): Retained for the duration configured by the Controller. Deletable upon Controller request at any time.
3. Usage metrics: Retained on a 30-day rolling window. Older metrics are automatically purged.
4. Account information: Retained for the duration of the service relationship. Deleted within 30 days of account closure upon Controller request.

13. GDPR Compliance

The Processor commits to the following GDPR compliance provisions:

1. Lawful Basis: The Processor processes Personal Data solely under the Controller's instructions and on the lawful basis established by the Controller.
2. Data Protection by Design and Default (Art. 25): The Service is designed with privacy as a core principle. The default behavior (/v1/validate) stores no data. Storage is opt-in only.
3. Records of Processing (Art. 30): The Processor maintains records of processing activities carried out on behalf of the Controller.
4. Data Protection Impact Assessment (Art. 35): The Processor shall assist the Controller in conducting DPIAs where required.
5. Supervisory Authority Cooperation (Art. 31): The Processor shall cooperate with supervisory authorities in the performance of their tasks.

14. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA. The Processor shall:

1. Make available all information necessary to demonstrate compliance with the obligations set forth in this DPA.
2. Allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
3. Immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes applicable data protection law.

Audits shall be conducted with reasonable notice and during normal business hours, and shall not unreasonably interfere with the Processor's operations.

15. Term and Termination

1. This DPA shall remain in effect for the duration of the Processor's processing of Personal Data on behalf of the Controller.
2. Upon termination of the Service, the Processor shall, at the Controller's election, return or delete all Personal Data processed on behalf of the Controller within 30 days, unless applicable law requires continued retention.
3. The Processor shall certify the deletion of Personal Data upon the Controller's written request.

16. Liability

Each party's liability under this DPA is subject to the exclusions and limitations of liability set out in the Terms of Service. Nothing in this DPA shall limit either party's liability for damages arising from breaches of its data protection obligations under applicable law.

17. Governing Law

This DPA shall be governed by and construed in accordance with the laws applicable to the Terms of Service, without regard to conflict of law principles. For customers in the EEA, this DPA is additionally subject to the provisions of the GDPR.

18. Contact Information

For all inquiries related to data protection, this DPA, or to exercise Data Subject rights, please contact:

The Processor shall respond to data protection inquiries within 30 days of receipt.

19. Amendments

This DPA may be updated by the Processor to reflect changes in data protection law or processing practices. Material changes will be communicated to the Controller at least 30 days in advance. Continued use of the Service after the effective date of amendments constitutes acceptance of the updated DPA.