Saluca · Legal

Data Processing Agreement

Effective date: July 8, 2026 · Last updated: July 8, 2026


Preamble

This Data Processing Agreement ("DPA") is entered into by and between:

Saluca and Customer are each a "Party" and together the "Parties."

This DPA supplements, forms part of, and is incorporated into the master subscription agreement, terms of service, or ordering document between the Parties governing Customer's access to and use of the Services (collectively, the "Agreement"). It applies only where and to the extent Saluca Processes Personal Data on behalf of Customer in connection with the Services. In the event of any conflict between this DPA and the Agreement with respect to the subject matter of this DPA, this DPA controls (see Section 15, Order of Precedence).

This DPA is intended to satisfy the requirements of Article 28 of the EU General Data Protection Regulation ("EU GDPR"), Article 28 of the UK GDPR, and the "service provider" requirements of the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), in each case to the extent applicable to a given processing activity.


1. Definitions

Capitalized terms used but not defined in this DPA have the meanings given in the Agreement. For purposes of this DPA:

1.1 "Applicable Data Protection Law" means all laws and regulations applicable to the Processing of Personal Data under this DPA, including as applicable: (a) the EU GDPR (Regulation (EU) 2016/679) and its national implementing laws; (b) the UK GDPR and the UK Data Protection Act 2018; and (c) U.S. state privacy laws, including the CCPA/CPRA and other comprehensive state privacy laws to the extent applicable to a given Processing activity.

1.2 "Controller" means the natural or legal person that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For CCPA/CPRA purposes, "Controller" corresponds to "Business." As between the Parties for Personal Data Processed under this DPA, Customer is the Controller.

1.3 "Processor" means the entity that Processes Personal Data on behalf of the Controller. For CCPA/CPRA purposes, "Processor" corresponds to "Service Provider." As between the Parties for Personal Data Processed under this DPA, Saluca is the Processor.

1.4 "Customer Personal Data" means Personal Data contained within Customer Content that Saluca Processes on behalf of Customer under the Agreement and this DPA. It includes agent queries and persistent "memory" content that Customer or its Authorized Users submit to the in-scope Services, together with account identifiers.

1.5 "Customer Content" means the data, text, queries, memory records, and other materials that Customer or its Authorized Users submit to, store in, or generate through the in-scope Services. Customer determines the content and, as Controller, is responsible for its lawfulness.

1.6 "Authorized User" means an individual or software agent that Customer permits to access and use the Services under Customer's account.

1.7 "Personal Data" means any information relating to an identified or identifiable natural person, and includes "personal data" as defined under GDPR/UK GDPR and "personal information" as defined under CCPA/CPRA, in each case to the extent Processed by Saluca on behalf of Customer.

1.8 "Special Category Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation (GDPR Art. 9), and equivalent "sensitive personal information" under CCPA/CPRA.

1.9 "Processing" (and "Process") means any operation performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, erasure, or destruction.

1.10 "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored, or otherwise Processed by Saluca or a Sub-processor.

1.11 "Data Subject" means the identified or identifiable natural person to whom Personal Data relates; corresponds to "consumer" under CCPA/CPRA.

1.12 "Sub-processor" means any third party engaged by Saluca to Process Customer Personal Data in connection with the Services.

1.13 "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission by Implementing Decision (EU) 2021/914 of 4 June 2021.

1.14 "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner.

1.15 "Sell," "Share," "Business Purpose," and "Commercial Purpose" have the meanings given under the CCPA/CPRA.

1.16 "Services" means the Saluca products and services provided under the Agreement, comprising: (a) Asphodel (hosted SaaS memory + MCP / mindset-grounding platform); (b) the PEP add-on; and (c) Tiresias-ZT self-hosted software. The scope of this DPA with respect to each is set out in Section 2.


2. Scope and Roles

2.1 Processor / Controller relationship

With respect to Customer Personal Data Processed under the in-scope Services (Section 2.2), the Parties agree that Customer is the Controller (Business) and Saluca is the Processor (Service Provider). Saluca Processes Customer Personal Data only on behalf of, and under the documented instructions of, Customer.

Where Saluca acts as a Controller in its own right — for example, for account administration, billing, security, product telemetry, and Saluca's own legitimate business operations — such Processing is outside the scope of this DPA and is governed by Saluca's own privacy notice.

2.2 Services in scope

This DPA governs Saluca's Processing of Customer Personal Data for the following Services:

2.3 Services and data expressly out of scope

Because Saluca does not Process the Customer's self-hosted governed data, the Processor obligations in this DPA do not attach to that data; the Customer remains the Controller and Processor of its own self-hosted environment.

2.4 Compliance with law

Each Party will comply with its respective obligations under Applicable Data Protection Law. Customer, as Controller, is responsible for the lawfulness of the Personal Data it submits and for having a valid legal basis for the Processing it instructs Saluca to perform.


3. Processing Details and Customer Instructions

3.1 Documented instructions

Saluca will Process Customer Personal Data only on documented instructions from Customer, including with regard to international transfers, unless required to do otherwise by EU, EU Member State, UK, or other applicable law to which Saluca is subject; in such a case, Saluca will (to the extent legally permitted) inform Customer of that legal requirement before Processing.

Customer's documented instructions are constituted by: (a) the Agreement and this DPA; (b) Customer's configuration and use of the Services through their features and functionality; and (c) any additional written instructions agreed by the Parties. The Details of Processing are set out in Annex I.

3.2 Lawfulness of instructions

Saluca will inform Customer if, in Saluca's reasonable opinion, an instruction infringes Applicable Data Protection Law. Saluca is not obligated to perform a legal review of the lawfulness of Customer's instructions and provides any such notice without prejudice to Section 4.1.

3.3 Special Category Data

The Services are not designed or intended for the Processing of Special Category Data. Customer will not submit, and will instruct its Authorized Users not to submit, Special Category Data to the Services absent a separate written agreement between the Parties addressing the additional safeguards required. Customer is solely responsible for any Special Category Data it submits in breach of this Section.

3.4 Customer controls the data

Customer determines what Customer Content — and therefore what categories of Personal Data — it submits to the Services. Saluca does not control, require, or dictate the content of Customer's queries or memory records.


4. Processor Obligations (GDPR Article 28(3))

Saluca will:

4.1 Process only on documented instructions. Process Customer Personal Data only on Customer's documented instructions, as described in Section 3, including with respect to transfers to a third country, unless required to do so by applicable law (in which case Saluca will notify Customer as set out in Section 3.1, unless legally prohibited).

4.2 Confidentiality of personnel. Ensure that persons authorized to Process Customer Personal Data are subject to an appropriate obligation of confidentiality (whether contractual or statutory) and are trained on their data-protection responsibilities.

4.3 Security. Implement and maintain the technical and organizational measures described in Section 5 and Annex II to ensure a level of security appropriate to the risk, in accordance with GDPR Article 32.

4.4 Sub-processors. Engage Sub-processors only in accordance with Section 6, and impose on each Sub-processor, by written contract, data-protection obligations that are, in substance, no less protective than those set out in this DPA. Saluca remains fully liable to Customer for the performance of each Sub-processor's obligations, subject to Section 14.

4.5 Assist with Data Subject rights. Taking into account the nature of the Processing, assist Customer by appropriate technical and organizational measures, insofar as reasonably possible, in fulfilling Customer's obligation to respond to requests from Data Subjects exercising their rights (Section 7).

4.6 Assist with Articles 32–36. Taking into account the nature of Processing and the information available to Saluca, assist Customer in ensuring compliance with its obligations relating to security (Art. 32), Personal Data Breach notification (Arts. 33–34), data protection impact assessments (Art. 35), and prior consultation with supervisory authorities (Art. 36), as set out in Sections 5, 8, and 9.

4.7 Deletion or return on termination. At Customer's choice, delete or return all Customer Personal Data after the end of the provision of the Services, and delete existing copies, unless applicable law requires storage of the Personal Data, as set out in Section 12.

4.8 Information and audits. Make available to Customer all information reasonably necessary to demonstrate compliance with the obligations in GDPR Article 28, and allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, as set out in Section 11.

4.9 Records of processing. Maintain records of the categories of Processing carried out on behalf of Customer as required by GDPR Article 30(2).


5. Security Measures

5.1 Saluca will implement and maintain the technical and organizational measures set out in Annex II, designed to protect Customer Personal Data against a Personal Data Breach and to ensure a level of security appropriate to the risk.

5.2 Current measures include, without limitation: encryption of data in transit (TLS) and at rest (cloud-managed encryption); logical tenant isolation; capability-token, deny-by-default access control; single sign-on via OIDC and passkey authentication; tamper-evident, cryptographically-signed audit logs; and least-privilege internal access.

5.3 Saluca may update or modify the security measures from time to time, provided that such updates do not materially reduce the overall level of protection of Customer Personal Data.

5.4 Certifications. Saluca's SOC 2 examination is in progress and not yet certified. Saluca makes no representation that it holds a completed SOC 2 report as of the date of this DPA.


6. Sub-processors

6.1 General authorization. Customer provides Saluca with a general authorization to engage Sub-processors to Process Customer Personal Data, subject to this Section 6. The Sub-processors approved as of the effective date are listed in Annex III.

6.2 Flow-down terms. Saluca will enter into a written agreement with each Sub-processor imposing data-protection obligations that are, in substance, no less protective than those in this DPA, including appropriate security measures and, where relevant, the SCCs (Module 3) for onward transfers.

6.3 Liability. Saluca remains fully liable to Customer for the acts and omissions of its Sub-processors to the same extent Saluca would be liable if performing the services directly, subject to the limitations of liability in Section 14.

6.4 Change notice. Saluca will notify Customer of any intended addition or replacement of a Sub-processor at least thirty (30) days in advance, by email to Customer's designated contact or through a Saluca sub-processor notification page or in-product notice, giving Customer an opportunity to object.

6.5 Objection. Customer may object to a new Sub-processor on reasonable data-protection grounds within thirty (30) days of the notice. The Parties will work in good faith to resolve the objection. If the objection cannot be resolved, Customer may, as its sole and exclusive remedy, terminate the affected Service and receive a pro-rata refund of any prepaid fees for the terminated portion of the then-current subscription term.


7. Data Subject Rights Assistance

7.1 Taking into account the nature of the Processing, Saluca will provide reasonable assistance to Customer, by appropriate technical and organizational measures and insofar as possible, to enable Customer to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection).

7.2 If Saluca receives a request directly from a Data Subject relating to Customer Personal Data, Saluca will not respond to the request substantively (except to confirm that the request should be directed to the relevant Controller) and will, without undue delay and to the extent legally permitted, forward the request to Customer.

7.3 To the extent Customer cannot address a Data Subject request through its own use of the Services' self-service features, Saluca will provide reasonable cooperation and assistance. Assistance that materially exceeds Saluca's self-service features and standard support may be subject to reasonable, documented cost recovery, notified to Customer in advance.


8. Personal Data Breach Notification

8.1 Saluca will notify Customer without undue delay and, where feasible, within seventy-two (72) hours after Saluca becomes aware of a Personal Data Breach affecting Customer Personal Data.

8.2 Such notification will, to the extent known and available to Saluca at the time, describe: (a) the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned; (b) the likely consequences; (c) the measures taken or proposed to address the breach and mitigate its effects; and (d) a contact point for further information. Where the information cannot be provided at once, it may be provided in phases without undue further delay.

8.3 Saluca will take reasonable steps to investigate, contain, and remediate the Personal Data Breach, and will cooperate with Customer and provide reasonable assistance in Customer's own breach-notification and mitigation obligations.

8.4 Saluca's notification of, or response to, a Personal Data Breach is not an acknowledgment by Saluca of fault or liability. Customer, as Controller, is responsible for any notifications to supervisory authorities and affected Data Subjects required of it under Applicable Data Protection Law. Breach-related liability is subject to Section 14.


9. Data Protection Impact Assessments and Prior Consultation

9.1 Taking into account the nature of the Processing and the information available to Saluca, Saluca will provide reasonable assistance to Customer with: (a) data protection impact assessments Customer is required to carry out under GDPR Article 35; and (b) any prior consultation with a supervisory authority under GDPR Article 36.

9.2 Such assistance may take the form of the information made available in this DPA (including Annex II), Saluca's documentation, security materials, and reasonable responses to Customer's due-diligence inquiries. Assistance that materially exceeds this standard documentation may be subject to reasonable, documented cost recovery, notified to Customer in advance.


10. International Transfers

10.1 Storage location. Customer Personal Data is stored in the United States (Google Cloud, us-central1).

10.2 EU / UK transfers. To the extent Saluca's Processing of Customer Personal Data involves a transfer of Personal Data subject to the EU GDPR or UK GDPR to a country not benefiting from an adequacy decision, the Parties agree that:

10.3 Order of precedence for transfer terms. In the event of a conflict between this DPA and the SCCs / UK Addendum, the SCCs / UK Addendum prevail with respect to the transfer of Personal Data.

10.4 Supplementary measures. Saluca's technical and organizational measures (Annex II) serve as supplementary measures supporting the lawfulness of transfers.


11. Audits and Information

11.1 Saluca will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and GDPR Article 28, including, where available, third-party audit reports, security certifications (when completed), and responses to reasonable security questionnaires. Saluca may satisfy its audit obligations under this Section by providing such third-party reports, certifications, and completed questionnaires where available.

11.2 Where such information is insufficient to demonstrate compliance, Customer (or an independent auditor mandated by Customer and not a competitor of Saluca) may conduct an audit, subject to the following: audits will be (a) conducted no more than once per twelve (12) months, except following a Personal Data Breach or where required by a supervisory authority; (b) preceded by reasonable prior written notice of at least thirty (30) days; (c) conducted during normal business hours, in a manner that does not unreasonably disrupt Saluca's operations; (d) subject to confidentiality obligations; and (e) limited to information and systems relevant to the Processing of Customer Personal Data, without access to other customers' data or to Saluca's confidential or multi-tenant infrastructure that cannot be segregated.

11.3 Costs. Each Party bears its own costs in connection with an audit. Customer bears the cost of any on-site audit it initiates, except where the audit reveals material non-compliance by Saluca, in which case Saluca bears the reasonable costs of that audit.


12. Return and Deletion on Termination

12.1 Upon termination or expiry of the Agreement, or upon Customer's earlier written request, Saluca will, at Customer's election, delete or return all Customer Personal Data in Saluca's possession or control, and delete existing copies, except to the extent applicable law requires retention.

12.2 Customer may export Customer Content through the Services' available features prior to termination. Within thirty (30) days following termination, Saluca will delete or return Customer Personal Data in the ordinary course, subject to Sections 12.1 and 12.3.

12.3 Saluca may retain Customer Personal Data to the extent required by applicable law and in routine backup media, provided that such retained data remains subject to the confidentiality and security obligations of this DPA and is deleted in accordance with Saluca's standard backup-rotation cycle.

12.4 Upon written request, Saluca will certify in writing that it has complied with this Section 12.


13. CCPA / CPRA Service-Provider Terms

Where Saluca Processes Personal Data that constitutes "personal information" of California consumers on Customer's behalf, Saluca acts as a Service Provider and the following apply:

13.1 Business purpose only. Saluca will Process such personal information solely for the purpose of performing the Services under the Agreement (the "Business Purpose") and for no other purpose, and will not retain, use, or disclose the personal information outside the direct business relationship with Customer or as otherwise permitted by the CCPA/CPRA.

13.2 No sale or share. Saluca will not Sell or Share such personal information, and will not retain, use, or disclose it for any purpose other than the Business Purpose specified in the Agreement, including for any Commercial Purpose other than performing the Services.

13.3 No combining. Saluca will not combine such personal information with personal information it receives from, or on behalf of, other persons, or collects from its own interactions with the consumer, except as permitted by the CCPA/CPRA to perform the Business Purpose.

13.4 Compliance and cooperation. Saluca will comply with applicable obligations under the CCPA/CPRA and provide the same level of privacy protection required of a Service Provider. Saluca will notify Customer if it determines it can no longer meet its obligations under the CCPA/CPRA, and Customer may, upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.

13.5 Assistance and audit. Saluca will assist Customer in responding to verifiable consumer requests and will make available information necessary to demonstrate compliance; Customer has the right to take reasonable and appropriate steps to help ensure Saluca uses personal information consistent with Customer's CCPA/CPRA obligations.

13.6 Certification. Saluca certifies that it understands and will comply with the restrictions in this Section 13.

13.7 Deletion. Upon a consumer's valid deletion request forwarded by Customer, Saluca will delete the relevant personal information as directed, subject to applicable exceptions.


14. Liability

14.1 Each Party's liability arising out of or related to this DPA, whether in contract, tort, or otherwise, is subject to and counts toward the aggregate limitations and exclusions of liability set out in the Agreement. Any reference in the Agreement to the liability of a Party means the aggregate liability of that Party under the Agreement and this DPA together.

14.2 Nothing in this DPA limits or excludes any liability that cannot be limited or excluded under Applicable Data Protection Law, including the rights of Data Subjects under the SCCs.


15. Order of Precedence and Term

15.1 Term. This DPA takes effect on the effective date of the Agreement and continues for as long as Saluca Processes Customer Personal Data on behalf of Customer, after which the obligations that by their nature should survive (including confidentiality, deletion, and liability) will survive.

15.2 Order of precedence. In the event of any conflict or inconsistency among the documents, the following order of precedence applies with respect to the subject matter of data protection: (a) the SCCs / UK Addendum (as to the transfer of Personal Data); (b) this DPA; and (c) the Agreement. In all other respects, the Agreement governs.

15.3 Governing law and jurisdiction. Except as required by the SCCs / UK Addendum (under which the governing law and forum are those of Ireland for in-scope transfers), this DPA is governed by the governing law and subject to the jurisdiction specified in the Agreement.

15.4 Changes to law. If any change in Applicable Data Protection Law, or any decision of a competent authority, requires amendment of this DPA to maintain compliance, the Parties will negotiate in good faith to make the necessary amendments.


Annex I — Details of Processing

Item Detail
Subject matter Provision of the hosted Services (Asphodel and, where enabled, the PEP add-on; and optional opt-in Tiresias-ZT central control-plane audit shipping).
Duration The subscription term of the Agreement, plus any wind-down / deletion period described in Section 12.
Nature and purpose Storing and retrieving persistent "memory" content and serving mindset-grounding queries; and, where opted in, receiving and storing shipped audit records.
Type of Personal Data Whatever Personal Data the Customer submits within Customer Content (agent queries and persistent memory) — Customer controls and determines the content; plus account identifiers (e.g., user/agent identifiers, authentication metadata). Special Category Data is not permitted absent a separate written agreement (Section 3.3).
Categories of Data Subjects The Customer's Authorized Users and agents whose data is submitted to or generated through the Services.
Frequency of Processing Continuous, for the duration of the subscription term.
Storage location United States — Google Cloud, us-central1.
Controller Customer.
Processor Saluca LLC, a California limited liability company.

For purposes of the SCCs, the data exporter is the Customer (Controller) and the data importer is Saluca (Processor); the description of the transfer, the categories of data, Data Subjects, frequency, nature, and purpose are as set out in this Annex I; and the competent supervisory authority is determined in accordance with the SCCs based on the Customer's establishment or EU/EEA representative.


Annex II — Technical and Organizational Security Measures

Saluca implements and maintains the following measures (GDPR Art. 32). These reflect current practice and may be updated provided the overall level of protection is not materially reduced.

Encryption - Encryption of Personal Data in transit using TLS. - Encryption of Personal Data at rest using cloud-managed encryption.

Access control and identity - Capability-token, deny-by-default authorization for access to data and functions. - Least-privilege internal access, granted on a need-to-know basis. - Customer authentication via single sign-on (SSO) / OIDC and passkeys.

Tenant isolation - Logical tenant isolation separating each Customer's data from that of other customers.

Logging and monitoring - Tamper-evident, cryptographically-signed audit logs of security-relevant events.

Personnel - Confidentiality obligations binding personnel with access to Customer Personal Data (Section 4.2).

Certifications - SOC 2 examination in progress; not yet certified as of the date of this DPA.


Annex III — Approved Sub-processors

As of the effective date, Saluca engages the following Sub-processors to Process Customer Personal Data:

Sub-processor Service provided Processing location
Google Cloud (Google LLC) Hosting, compute, storage, and database United States (us-central1)
Stripe (Stripe, Inc.) Payment processing United States
WorkOS (WorkOS, Inc.) Authentication / SSO United States
Resend (Resend, Inc.) Transactional email delivery United States
Cloudflare (Cloudflare, Inc.) DNS, CDN, and web application firewall (WAF) United States

Saluca will provide Customer with at least thirty (30) days' advance notice before adding or replacing a Sub-processor, and Customer's objection right is as set out in Section 6.5. Where a Sub-processor Processes Customer Personal Data subject to the EU or UK GDPR outside an adequate jurisdiction, the applicable transfer mechanism is the SCCs (Module 3) and, where relevant, the UK Addendum.