> **REVIEW BY LEGAL COUNSEL REQUIRED BEFORE EXECUTION. Template sourced from GDPR.eu community version, adapted by the COHESION team. Not legal advice.**

# Data Processing Addendum (DPA) Template

**Controller:** [Customer legal entity name], [Customer jurisdiction]
**Processor:** COHESION AUTH LLC, a Washington State limited liability company, [registered address]
**Effective date:** [Effective date]
**Services agreement:** This DPA is an addendum to, and forms part of, the Services Agreement executed between the parties on [date].

This DPA reflects the parties' agreement with regard to the Processing of Personal Data in connection with the COHESION Judgment Independence Score API and related services (the "Services").

---

## 1. Definitions

Capitalized terms not otherwise defined here have the meanings given to them in Regulation (EU) 2016/679 (the "GDPR").

- "Controller" means the Customer named above.
- "Processor" means COHESION AUTH LLC.
- "Sub-processor" means any third party engaged by the Processor to Process Personal Data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1), that is Processed under this DPA.
- "Processing" has the meaning given in GDPR Article 4(2).
- "Supervisory Authority" has the meaning given in GDPR Article 4(21).
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Decision (EU) 2021/914 of 4 June 2021, Module Two (Controller to Processor).

## 2. Subject matter, nature, and purpose

The Processor Processes Personal Data on behalf of the Controller solely for the purposes set out in Schedule A (Processing Purposes) and as otherwise instructed in writing by the Controller.

## 3. Duration

This DPA takes effect on the Effective date and continues for the duration of the Services Agreement. Termination or expiration of the Services Agreement ends this DPA, subject to Section 11 (Return and Deletion).

## 4. Processor obligations

The Processor shall:

(a) Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law to which the Processor is subject.

(b) Ensure that persons authorized to Process Personal Data have committed themselves to confidentiality.

(c) Implement the technical and organizational measures described in Schedule E (Security Measures), which the Controller acknowledges provide an appropriate level of security for the Personal Data in question.

(d) Respect the conditions referred to in Article 28(2) and (4) GDPR for engaging Sub-processors (see Section 7 and Schedule C).

(e) Taking into account the nature of the Processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, in responding to requests for exercising the data subject's rights laid down in Chapter III GDPR (Schedule D).

(f) Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of Processing and the information available to the Processor.

(g) At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services relating to Processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data (Section 11).

(h) Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (Section 10 and Schedule F).

## 5. Controller obligations

The Controller warrants that it has a lawful basis for Processing the Personal Data and that its instructions to the Processor comply with applicable Data Protection Law. The Controller is responsible for the accuracy, quality, and legality of the Personal Data and of the means by which it acquired the Personal Data.

## 6. Personal data breach notification

The Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach. The notification shall include, to the extent known:

(a) the nature of the breach, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of records concerned;
(b) the name and contact details of the Processor's point of contact;
(c) the likely consequences of the breach;
(d) the measures taken or proposed to be taken to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

The Processor's incident-response procedure for customer-facing events is documented in `scripts/incident-response-runbook.md`.

## 7. Sub-processors

(a) The Controller grants the Processor general written authorization to engage the Sub-processors listed in Schedule C.

(b) The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance, thereby giving the Controller the opportunity to object to such changes.

(c) Where the Processor engages a Sub-processor for carrying out specific Processing activities on behalf of the Controller, the same data-protection obligations as set out in this DPA shall be imposed on that Sub-processor by way of a contract.

(d) Where the Sub-processor fails to fulfil its data-protection obligations, the Processor shall remain fully liable to the Controller for the performance of that Sub-processor's obligations.

The canonical Sub-processor list is published at `docs/trust/sub-processors.md` and is the authoritative source for additions, removals, and jurisdictions.

## 8. International transfers

Where Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country not recognized by the European Commission as providing an adequate level of protection, the parties agree that such transfer shall be governed by the Standard Contractual Clauses, Module Two (Controller to Processor), which are incorporated into this DPA by reference.

For transfers to Sub-processors located outside the EEA, the Processor shall enter into the SCCs with such Sub-processors where required.

## 9. Data subject rights

Interim service-level commitment (v1.1.0): the Processor shall respond to Controller-forwarded data-subject requests (access, rectification, erasure, restriction, portability, objection) within **30 calendar days** of receipt by manual handling. A self-service endpoint for these requests is planned but not available in v1.1.0; this manual SLA applies until the self-service endpoint ships, at which point the parties may amend this section to reflect reduced SLAs.

The GDPR Chapter III rights covered by this commitment are listed in Schedule D.

## 10. Audit rights

(a) The Controller may, at its own cost, audit the Processor's compliance with this DPA not more than once per calendar year, on at least 30 days' written notice.

(b) The audit shall be conducted during normal business hours, shall not unreasonably interfere with the Processor's operations, and shall be subject to confidentiality obligations.

(c) In lieu of or in addition to such audits, the Processor may provide the Controller with independent security attestations available under NDA on request, or written responses to security questionnaires.

## 11. Return and deletion

Within 30 days of termination or expiration of the Services Agreement, the Processor shall at the Controller's written election either:

(a) return all Personal Data to the Controller in a mutually agreed format, and delete all copies; or
(b) delete all Personal Data and confirm deletion in writing.

Retention required by law (including the 90-day `audit_log` window documented in `docs/trust/security-posture.md` Section 7) is excluded from this obligation until the lawful retention period expires.

## 12. Liability

Each party's liability under this DPA is subject to the liability provisions of the Services Agreement.

## 13. Governing law

This DPA is governed by the laws of the State of Washington, USA, without regard to conflict-of-laws principles. Where the Controller is established in the European Economic Area, the United Kingdom, or Switzerland, and where applicable Data Protection Law requires a specific governing law or forum for data-protection claims, that requirement shall prevail over this Section 13 to the extent necessary.

## 14. Order of precedence

In the event of a conflict between this DPA and the Services Agreement, this DPA shall prevail with respect to the Processing of Personal Data.

---

## Schedule A: Processing purposes

The Processor Processes Personal Data for the following purposes, and no others, unless expressly instructed in writing by the Controller:

1. Computing the Judgment Independence Score (JIS) for operators identified by a pseudonymous `operator_id`.
2. Computing per-dimension scores across the seven judgment dimensions defined in the COHESION Oversight Specification v1.
3. Projecting judgment-decay curves based on domain calibration parameters.
4. Generating EU AI Act Article 14 compliance reports on request.
5. Detecting and alerting on anomalous usage patterns that may indicate a security incident.
6. Authenticating API requests and enforcing rate limits.

## Schedule B: Categories of data subjects and data

**Categories of data subjects:** The Controller's operators whose interactions with AI-augmented systems are scored by the Services.

**Categories of Personal Data Processed:**

- Pseudonymous operator identifier (`operator_id`), supplied by the Controller. The Processor does not receive the mapping from `operator_id` to the natural person; that mapping remains with the Controller.
- Interaction telemetry: time-to-decision, decision value (accepted, modified, rejected, independent), modification extent, hover events, scroll depth, alternative views checked, outcome-correctness flag.
- Derived data: computed JIS, per-dimension scores, decay projections, compliance-report outputs.
- Technical metadata: API key prefix (non-secret), request IP hash, user-agent string (if supplied), request timestamps.

**Categories of Personal Data expressly excluded from the scoring path:**

- Operator name.
- Operator email.
- National identifier.
- Any special category of Personal Data as defined in GDPR Article 9.

The Processor's SDK implementations include a deny-list redaction layer to reduce the risk that free-text fields inadvertently carry excluded categories. The Controller remains responsible for not transmitting excluded categories.

## Schedule C: Sub-processors

As of the Effective date, the Processor engages the following Sub-processors:

| Sub-processor | Role | Jurisdictions | DPA |
|---|---|---|---|
| Cloudflare, Inc. | Compute, database, KV cache, static hosting (required) | United States, European Union | Executed |
| Sentry (Functional Software, Inc.) | Application-performance monitoring, **opt-in only**, enabled by Controller election | United States (EU residency on request) | Executed when opt-in activated |

Changes to this list are published at `docs/trust/sub-processors.md` with 30 days' advance notice per Section 7(b).

## Schedule D: Data-subject rights

The Processor shall, on instruction from the Controller, assist with the following GDPR Chapter III rights:

- Article 15, Right of access by the data subject.
- Article 16, Right to rectification.
- Article 17, Right to erasure ("right to be forgotten").
- Article 18, Right to restriction of processing.
- Article 20, Right to data portability.
- Article 21, Right to object.
- Article 22, Automated individual decision-making, including profiling.

**v1.1.0 interim SLA: 30 calendar days, manual handling.** See Section 9.

## Schedule E: Security measures

The Processor implements the technical and organizational measures described in `docs/trust/security-posture.md`, including:

- API key storage as peppered SHA-256 hashes, with the pepper held in Cloudflare Secrets Store.
- 80 millisecond uniform authentication timing floor.
- Two-layer rate limiting (per-IP pre-auth, per-key post-auth).
- Per-organization CORS allowlist with no reflection of unknown origins.
- TLS in transit, terminated by Cloudflare.
- Comprehensive `audit_log` of authentication and administrative events, with a 90-day retention window.
- Sub-processor isolation (Cloudflare only in the default configuration).
- Data-retention crons (interactions 24 months, rate-limits 2 hours, audit-log 90 days).
- Customer self-service key rotation and revocation via `/v1/admin/key/rotate` and `/v1/admin/key/revoke`.

## Schedule F: Audit rights (mechanics)

Audit requests shall be submitted in writing to the Processor's administrative contact. The Processor shall respond within 14 days with a proposed schedule, scope, and (where applicable) third-party audit artifacts that may satisfy the request without an on-site visit. The Processor may charge reasonable and documented costs for in-depth audits that exceed two business days.

## Schedule G: Standard Contractual Clauses

The 2021 EU Standard Contractual Clauses, Module Two (Controller to Processor), are incorporated by reference into this DPA for any transfer of Personal Data from the EEA, the UK, or Switzerland to a country not recognized by the European Commission as providing an adequate level of protection. The parties shall complete the SCC Annexes consistently with Schedules A, B, C, and E of this DPA.

---

## Signatures

**For the Controller:**
Name:
Title:
Date:
Signature:

**For the Processor (COHESION AUTH LLC):**
Name:
Title:
Date:
Signature:

---

> **Template notes:** This document is a TEMPLATE. It must be reviewed by qualified legal counsel before execution. COHESION AUTH LLC provides this template as a starting point for pilot engagements; it does not constitute legal advice. Sourced from GDPR.eu community version and adapted.
