Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between [Customer Legal Name] ("Customer") and 5CEOs, Inc. ("5CEOs") for Customer's use of the CircaOS Service (the "Master Agreement" — see Terms of Service or the executed order form). It supplements the Master Agreement and governs 5CEOs's processing of Personal Data on Customer's behalf. In the event of a conflict between this DPA and the Master Agreement with respect to data protection, this DPA controls.

Effective Date: [Effective Date — typically the date of the last signature below, or the Master Agreement effective date, whichever is later].

Definitions

• Customer Data means all data, including Personal Data, that Customer submits to the Service or that the Service generates on Customer's behalf.
• Personal Data means any information relating to an identified or identifiable natural person, as defined under GDPR Art. 4(1), CCPA Cal. Civ. Code §1798.140, or equivalent applicable law.
• Processing has the meaning given in GDPR Art. 4(2): any operation performed on Personal Data, including collection, storage, transmission, and erasure.
• Sub-processor means any third party engaged by 5CEOs that Processes Personal Data on 5CEOs's behalf in the course of providing the Service.
• Authorized User means an individual to whom Customer has issued credentials to use the Service.
• Service has the meaning given in the Terms of Service: the CircaOS gateway, inference engine, audit-bench, and supporting infrastructure operated by 5CEOs at cogos.5ceos.com.
• Standard Contractual Clauses or SCCs means the European Commission's standard contractual clauses for the transfer of personal data to third countries (Decision (EU) 2021/914) and, where applicable, the UK International Data Transfer Addendum.

1. Scope of Processing

5CEOs Processes Customer Data only to the extent necessary to provide the Service to Customer in accordance with the Master Agreement. The categories of Personal Data Processed and the categories of data subjects are set out below:

• Categories of Personal Data: identifiers and account metadata of Authorized Users (name, email, billing details collected by Stripe); any Personal Data that Customer elects to include in API requests submitted to /v1/chat/completions (prompts, messages, schemas); operational telemetry tied to the Authorized User identifier (timestamp, IP address, request ID, token counts, HTTP status).
• Categories of data subjects: Customer's Authorized Users; end-users of Customer-built products whose data Customer elects to include in Inputs to the Service.
• Nature and purpose of Processing: routing requests to the inference engine, returning Outputs to Customer, enforcing quotas, billing reconciliation, abuse detection, and operational diagnostics.
• Duration: for the term of the Master Agreement, plus the retention windows in §9.

2. Roles of the Parties

With respect to Personal Data Processed under this DPA:

• Customer is the Controller (GDPR Art. 4(7)) or the equivalent (e.g., "Business" under CCPA). Customer determines the purposes and means of the Processing.
• 5CEOs is the Processor (GDPR Art. 4(8)) or the equivalent (e.g., "Service Provider" under CCPA). 5CEOs Processes Personal Data only on Customer's documented instructions, as reflected in the Master Agreement, this DPA, and Customer's use of the Service.

3. Sub-processors

5CEOs maintains a current list of sub-processors at cogos.5ceos.com/sub-processors. By executing this DPA, Customer grants 5CEOs a general authorization to engage the sub-processors listed at that URL and any future sub-processors added in accordance with the notice procedure below.

5CEOs will:

• Impose data protection obligations on each sub-processor that are no less protective than those in this DPA;
• Remain liable to Customer for the acts and omissions of each sub-processor to the same extent as if those acts and omissions were 5CEOs's own;
• Provide Customer with at least thirty (30) days' prior written notice (which may be by email to Customer's notice address or by updating /sub-processors) of the addition or replacement of a sub-processor. Customer may object on reasonable data-protection grounds within fifteen (15) days. The parties will work in good faith to address the objection; if not resolved, Customer may terminate the affected portion of the Service for convenience without penalty.

4. Security Measures

5CEOs implements and maintains the technical and organizational measures listed below. These measures correspond to the verifiable security claims published at SECURITY.md §3; the claims are reproduced here so counsel does not have to follow a link.

• Image signing (cosign): every deployed image is signed with a 5CEOs-controlled cosign key before rollout to the production Container App. The public key is published at https://cogos.5ceos.com/cosign.pub for customer/auditor verification.
• Response signature (HMAC): every successful /v1/* response carries an X-Cogos-Signature header — an HMAC-SHA256 over the response body, keyed by a per-tenant secret issued at the same time as the Customer's API key. Customer can verify that the response was emitted by 5CEOs and not a man-in-the-middle.
• Open determinism bench: the "same call in, same bytes out" property of the Service is auditable against the live endpoint via the open-source bench published at https://github.com/5CEOS-DRA/llm-determinism-bench.
• API key handling: Customer API keys are stored as SHA-256 hashes; the plaintext key is shown to the Customer exactly once at issuance. A database leak of the key store does not leak usable keys.
• Admin auth: administrative operations require a separate admin key carried in the X-Admin-Key header; rotation is a single environment-variable change; revocation is immediate.
• Stripe webhook verification: inbound webhooks at POST /stripe/webhook are signature-verified against STRIPE_WEBHOOK_SECRET; an attacker cannot forge a billing event.
• Schema-enforced output: when a request includes response_format: { type: "json_schema", ... }, the output is grammar-constrained at the token level by the inference engine — non-conforming output is physically impossible, not retried or filtered after the fact.
• Transport encryption: all connections to the Service use TLS 1.2 or higher.
• Network segmentation: the inference engine has internal-only ingress; it is not reachable from the public internet.
• Secrets storage: administrative credentials are stored in Azure Container Apps secrets and are not exposed in environment variables visible to non-privileged personnel or in source code.
• Vendor exclusion: Customer prompts and Outputs are not transmitted to any third-party language-model API provider (OpenAI, Anthropic, Google, Cohere, Mistral, Fireworks, Together, DeepInfra, Modal, Replicate, Groq, or similar). The inference engine is deployed as a sibling container within the same managed environment as the gateway.
• Audit engagement: 5CEOs has a SOC 2 Type II audit engagement pending. Until the report is published, 5CEOs will provide a written security attestation to Customers with executed DPAs on request.

5. Data Location

By default, Customer Data is Processed in Microsoft Azure's East US region (United States). For current location details, see SECURITY.md and Privacy Policy §6. Enterprise customers may select an alternative region (US-West, EU, APAC) under an executed order form. 5CEOs will not transfer Customer prompts or Outputs across regions without explicit Customer instruction or as required by applicable law.

6. Data Subject Rights

Customer, as Controller, is responsible for responding to requests from data subjects (access, rectification, erasure, restriction, portability, objection — "DSARs"). 5CEOs, as Processor, will:

• Forward to Customer any DSAR received directly by 5CEOs that relates to Customer's data, without independently responding (except as required by law);
• Assist Customer, by appropriate technical and organizational measures and insofar as reasonably possible, in fulfilling Customer's obligation to respond to DSARs under applicable law;
• On Customer's documented instruction, retrieve, correct, or delete Personal Data associated with a specific data subject within fifteen (15) business days, subject to the legal retention obligations in §9.

7. Personal Data Breach Notification

5CEOs will notify Customer of any confirmed Personal Data Breach (as defined in GDPR Art. 4(12)) affecting Customer Data without undue delay and in any event within seventy-two (72) hours of becoming aware of it. The notification will include, to the extent known at the time of notification:

• The nature of the breach, categories of Personal Data, and approximate number of data subjects affected;
• The likely consequences of the breach;
• Measures taken or proposed to be taken to address the breach;
• A point of contact for further information.

Customer's designated breach-notification contact is: [Customer Security Contact — Name, Title, Email]. 5CEOs's breach-notification contact is support@5ceos.com (subject prefix [SECURITY] per SECURITY.md §1). Notification will be by email and will not be conditioned on a finding that the breach is reportable under applicable law; reportability is a question for Customer as Controller.

8. Audit Rights

Customer may request, no more than once per twelve-month period and on at least thirty (30) days' written notice, evidence of 5CEOs's compliance with this DPA. 5CEOs will satisfy this obligation by providing:

• The then-current SOC 2 Type II report, once published, under a customary confidentiality undertaking; or
• Until the SOC 2 Type II report is published, a written attestation describing the security measures in §4, signed by an officer of 5CEOs; and
• Responses to a reasonable security questionnaire (CAIQ, SIG Lite, or equivalent).

On-site audit by Customer or its independent auditor is subject to (i) mutual scheduling, (ii) a customary non-disclosure agreement, (iii) Customer paying 5CEOs's reasonable costs for audit support, and (iv) the auditor not being a competitor of 5CEOs. On-site audit will not extend to 5CEOs's multi-tenant infrastructure to the extent that access would compromise the security of other customers; in such cases the SOC 2 report or attestation is the sole audit deliverable.

9. Term, Termination, and Deletion

This DPA is effective on the Effective Date and continues for the term of the Master Agreement. Upon termination of the Master Agreement, 5CEOs will, at Customer's election:

• Return Customer Data in a structured, commonly used format (JSONL export of the audit log; CSV export of usage records) within thirty (30) days of termination; or
• Delete Customer Data within thirty (30) days of termination.

5CEOs will issue a written certificate of deletion to Customer's notice address on request following completion of deletion. 5CEOs may retain Customer Data after termination only (i) as required by applicable law (e.g., tax, financial recordkeeping) and (ii) in secure backups that are isolated from production systems and overwritten in the ordinary course; such retained data remains subject to the confidentiality and security obligations of this DPA.

10. International Transfers

To the extent 5CEOs's Processing of Customer's Personal Data involves a transfer of Personal Data out of the European Economic Area, the United Kingdom, or Switzerland to a country not covered by an adequacy decision, the parties incorporate the Standard Contractual Clauses by reference, with the following selections:

• Module Two (Controller-to-Processor) applies between Customer (data exporter) and 5CEOs (data importer);
• Clause 7 (docking clause) applies;
• Clause 9(a), Option 2 (general written authorization for sub-processors) applies, with the notice period as set out in §3;
• Clause 11(a) (independent dispute resolution) does not apply;
• Clause 17 (governing law): the law of the Republic of Ireland;
• Clause 18 (forum and jurisdiction): the courts of the Republic of Ireland;
• Annex I (parties, categories of data, data subjects, purposes): completed by reference to §1 of this DPA;
• Annex II (technical and organizational measures): completed by reference to §4 of this DPA;
• Annex III (sub-processors): completed by reference to /sub-processors.

For UK transfers, the parties incorporate the UK International Data Transfer Addendum (issued by the UK Information Commissioner) to the SCCs, with the tables completed by reference to the corresponding annexes above. For Swiss transfers, the SCCs apply with the modifications set out in the FDPIC's guidance.

11. Liability

Each party's liability under this DPA, taken together with the Master Agreement, is subject to the limitations of liability and the liability cap set forth in the Master Agreement. Nothing in this DPA expands either party's liability beyond what the Master Agreement provides, except to the extent applicable data protection law requires otherwise (in which case the statutory minimum applies).

12. Order of Precedence

In the event of any conflict between (i) this DPA, (ii) the Standard Contractual Clauses incorporated under §10, and (iii) the Master Agreement, the order of precedence is (ii) > (i) > (iii) with respect to data protection matters.

13. Signatures

The parties have caused this DPA to be executed by their authorized representatives as of the Effective Date.