GDPR Article 28 — Processor Commitments
[Customer Legal Name], [Effective Date]) must be completed before execution.
Effective Date: [Effective Date — typically the date of the last signature below, or the Master Agreement effective date, whichever is later].
Subject Matter, Duration, Nature, and Purpose of Processing
- Subject matter. Provision by Processor to Controller of the CircaOS Service — a gateway, inference engine, and audit-bench operated at cogos.5ceos.com.
- Duration. For the term of the Master Agreement (see Terms of Service or the executed order form) plus the retention windows set out in §(g) below.
- Nature. Routing API requests to the inference engine, returning Outputs to Controller, enforcing quotas, billing reconciliation, abuse detection, and operational diagnostics.
- Purpose. To enable Controller to use the Service for Controller's own lawful purposes, as Controller determines.
Type of Personal Data
- Identifiers and account metadata of Controller's authorized users: name, email, billing details (collected by Stripe);
- Any Personal Data that Controller elects to include in API request payloads (prompts, messages, schemas) submitted to /v1/chat/completions;
- Operational telemetry tied to authorized-user identifiers (timestamp, IP address, request ID, token counts, HTTP status).
Processor does not require Controller to include any special categories of data (GDPR Art. 9) or data relating to criminal convictions and offences (GDPR Art. 10) in order to use the Service. Controller is responsible for the lawful basis of any such data it elects to include.
Categories of Data Subjects
- Controller's authorized users;
- End-users of Controller-built products whose data Controller elects to include in Inputs to the Service.
Obligations and Rights of the Controller
- Controller warrants that it has a lawful basis under GDPR Art. 6 (and, where applicable, Art. 9) for the Processing it instructs Processor to perform.
- Controller is responsible for issuing documented instructions to Processor (the use of the Service in accordance with the Master Agreement constitutes such instructions).
- Controller is responsible for responding to data-subject rights requests, with Processor's assistance as set out in §(e) below.
- Controller retains the right to audit Processor in accordance with §(h) below.
Processor Obligations under GDPR Art. 28(3)(a)–(h)
(a) Documented Instructions
Processor shall process the Personal Data only on documented instructions from Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Master Agreement, the use of the Service in accordance with its documentation, and any specific written instructions issued by Controller through the channels in DPA §6 constitute documented instructions.
(b) Confidentiality of Personnel
Processor shall ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. All Processor personnel with access to Controller's Personal Data are bound by written confidentiality obligations as a condition of employment or contract, surviving termination.
(c) Security Measures (Art. 32)
Processor shall take all measures required pursuant to Article 32 (security of processing). Processor's technical and organisational measures are set out in DPA §4 and are made verifiable in SECURITY.md §3:
- Pseudonymisation and encryption of personal data, where appropriate (TLS 1.2+ in transit; API keys stored as SHA-256 hashes);
- Ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems (response signature HMAC, append-only audit log, cosign-signed deployments, internal-only ingress for the inference engine);
- Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident (Azure platform redundancy + Processor's documented incident response);
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures (open determinism bench published at github.com/5CEOS-DRA/llm-determinism-bench; SOC 2 Type II audit engagement pending).
(d) Sub-processor Restrictions
Processor shall not engage another processor without prior specific or general written authorisation of the Controller. By executing this addendum, Controller grants general written authorisation for Processor to engage the sub-processors listed at cogos.5ceos.com/sub-processors. In the case of general written authorisation, Processor shall inform Controller of any intended changes concerning the addition or replacement of other processors, thereby giving Controller the opportunity to object to such changes. The notice procedure and objection right are set out in DPA §3 (thirty (30) days' prior notice; fifteen (15) days for Controller to object).
Where Processor engages another processor, the same data-protection obligations as set out in this addendum shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law. Where that other processor fails to fulfil its data protection obligations, the initial Processor shall remain fully liable to the Controller for the performance of that other processor's obligations.
(e) Assistance with Data-Subject Rights (Chapter III)
Processor shall, taking into account the nature of the processing, assist Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection, automated decision-making). The assistance procedure is set out in DPA §6 (forward DSARs to Controller; on Controller's documented instruction, retrieve/correct/delete Personal Data within fifteen (15) business days).
(f) Assistance with Security and Notification Obligations (Arts. 32–36)
Processor shall assist Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to Processor. In particular:
- Art. 33 (notification to supervisory authority): Processor will notify Controller of any Personal Data Breach without undue delay and in any event within seventy-two (72) hours of becoming aware of it (DPA §7), so that Controller can comply with its 72-hour notification obligation to the supervisory authority.
- Art. 34 (communication to data subject): Processor will provide Controller with the information necessary to assess whether the breach is likely to result in a high risk to data subjects and, if so, to communicate the breach to data subjects.
- Art. 35 (data protection impact assessment): on Controller's reasonable request, Processor will provide information about the Service's processing operations, security measures, and sub-processors sufficient to enable Controller to conduct a DPIA.
- Art. 36 (prior consultation): Processor will cooperate with Controller's prior consultation with the supervisory authority, where applicable.
(g) Deletion or Return at End of Processing
At the choice of the Controller, Processor shall delete or return all the personal data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the personal data. The deletion procedure is set out in DPA §9 (return or delete within thirty (30) days of termination; certificate of deletion on request; permitted retention only as Required by Law and in isolated/overwritten backups).
(h) Audit and Information Rights
Processor shall make available to Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller. The audit procedure, frequency, and conditions are set out in DPA §8. Processor shall immediately inform Controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data-protection provisions.
International Transfers
To the extent Processor's Processing of Controller's Personal Data involves a transfer of Personal Data out of the European Economic Area, the United Kingdom, or Switzerland to a country not covered by an adequacy decision, the parties incorporate the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914), Module Two (Controller-to-Processor), and, for UK transfers, the UK International Data Transfer Addendum, on the terms set out in DPA §10.
Term and Termination
This addendum is effective on the Effective Date and continues for the term of the Master Agreement. Upon termination of the Master Agreement, the obligations of §(g) (deletion or return) and any obligation that by its nature survives termination (confidentiality, audit cooperation with respect to past Processing, breach notification for breaches occurring during the term but discovered after) will survive.
Order of Precedence
In the event of any conflict between (i) this addendum, (ii) the Standard Contractual Clauses incorporated by reference, (iii) the Data Processing Addendum, and (iv) the Master Agreement, the order of precedence is (ii) > (i) > (iii) > (iv) with respect to GDPR matters.
Signatures
The parties have caused this addendum to be executed by their authorized representatives as of the Effective Date.
By: ________________________________________
Name: [Authorized Signer]
Title: [Title]
Date: ____________
By: ________________________________________
Name: [5CEOs Authorized Signer]
Title: [Title]
Date: ____________