Processing roles
The customer is the controller. COHESION is the processor, acting only on documented instructions to score oversight telemetry against the specification.
Data processed
Judgment Intervention Signal telemetry for an assessment window: escalation events, review timestamps, reviewer roles, and override actions. Telemetry is reduced to dimension scores; raw inputs are not retained beyond the scoring operation unless configured otherwise.
Data subject rights
COHESION assists the controller in responding to data subject requests, including access, rectification, and erasure, under a 30-day manual service level. Because telemetry is pseudonymous and reduced to dimension scores, most requests resolve at the controller's source system.
Retention
Dimension scores and evidence receipts are retained for the period set in the order. Customers can request deletion subject to legal retention obligations. On termination, COHESION returns or deletes processed data at the controller's election, subject to those obligations.
Security and breach notification
COHESION maintains the technical and organizational measures described on the Security Posture page. In the event of a personal data breach, COHESION notifies the controller without undue delay and within 72 hours of becoming aware, with the information the controller needs to meet its own notification duties.
International transfers
Hosted processing occurs in the contracted region by default. Where a transfer is required, it relies on the EU Standard Contractual Clauses (2021, Module Two, controller to processor). Self-hosted deployments process entirely within the customer environment.
Audit rights
The controller may verify COHESION's compliance with this agreement through the tamper-evident audit chain and the documentation made available during procurement. Where a DPIA is required, COHESION provides the information reasonably necessary to support it.
Subprocessors
The current subprocessor list is published and dated on the Subprocessors page. Customers are notified before a new subprocessor begins processing.
Requesting the agreement
To request an executable DPA, contact peyton@cohesionauth.com with the subject line "DPA request", your entity name, jurisdiction, and the regulatory framework driving the requirement.