MITRITY Platform — Data Processing Agreement
Last updated: March 2026
This Data Processing Agreement ("DPA") forms part of the Agreement between MITRITY and Customer (each a "Party," together the "Parties") and governs the processing of personal data by MITRITY on behalf of Customer in connection with the MITRITY Platform.
This DPA is entered into in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
Capitalized terms not defined herein have the meanings given in the Terms of Service.
1. Definitions
In addition to the definitions in the Terms of Service, the following definitions apply to this DPA:
- "Controller" means the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purposes of this DPA, Customer is the Controller.
- "Data Subject" means an identified or identifiable natural person whose personal data is processed.
- "Personal Data" means any information relating to a Data Subject, as defined in Article 4(1) of GDPR.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
- "Processing" means any operation or set of operations performed on personal data, as defined in Article 4(2) of GDPR.
- "Processor" means a natural or legal person which processes personal data on behalf of the Controller. For the purposes of this DPA, MITRITY is the Processor.
- "Sub-Processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.
- "Supervisory Authority" means an independent public authority established by an EU Member State, as defined in Article 4(21) of GDPR.
2. Scope and Roles
2.1 Roles
(a) Customer as Controller: Customer determines the purposes and means of processing personal data transmitted to the Service through Customer's AI agents and Sentinels. Customer is the Controller of Agent Data that contains personal data.
(b) MITRITY as Processor: MITRITY processes personal data on behalf of Customer solely to provide the Service. MITRITY is the Processor with respect to personal data within Agent Data.
(c) MITRITY as Controller: For personal data relating to Customer's account registration, billing, and direct interactions with MITRITY (e.g., support requests), MITRITY is an independent Controller. Such processing is governed by the Privacy Policy, not this DPA.
2.2 Subject Matter of Processing
The processing of personal data under this DPA is performed in connection with the provision of the MITRITY Platform, specifically:
- Receiving, validating, and analyzing AI agent actions transmitted via Edge Nodes
- Storing and indexing agent action data for governance dashboards and audit trails
- Processing behavioral patterns through ML models for anomaly detection
- Generating alerts, reports, and analytics
- Forwarding events to Customer-configured SIEM systems
2.3 Duration of Processing
Processing begins on the Effective Date and continues for the duration of the Agreement. Upon termination, processing continues only as necessary for data export and deletion in accordance with Section 12.
3. Types of Personal Data
The following types of personal data may be processed under this DPA, depending on what Customer's AI agents transmit:
| Category | Examples |
|---|---|
| Agent operator identifiers | User IDs, email addresses, or usernames of individuals who configure or manage AI agents |
| End user identifiers | Names, email addresses, account IDs, or other identifiers of individuals whose data is acted upon by Customer's AI agents |
| Action metadata | Timestamps, IP addresses, session identifiers, geolocation data associated with agent actions |
| Business data in payloads | Any personal data that may be present in agent action payloads (e.g., customer names, addresses, financial data, health data — depending on Customer's use case) |
| Communication data | Email addresses, message content, or other communication data processed by Customer's AI agents |
Note: MITRITY does not intentionally collect sensitive categories of personal data (Article 9 GDPR). However, if Customer's AI agents process special category data, Customer is responsible for ensuring a valid legal basis and appropriate safeguards are in place before transmitting such data to the Service.
4. Categories of Data Subjects
The following categories of Data Subjects may be affected:
- Employees, contractors, or agents of Customer who operate or manage AI agents
- End users, customers, or clients of Customer whose data is processed by Customer's AI agents
- Any other individuals whose personal data is contained in Agent Data
5. Customer Obligations
As Controller, Customer shall:
(a) Ensure that it has a valid legal basis for the processing of personal data transmitted to the Service, including where necessary obtaining consent from Data Subjects;
(b) Ensure that Data Subjects have been provided with appropriate privacy notices in accordance with Articles 13 and 14 of GDPR;
(c) Ensure that any special categories of personal data (Article 9) or criminal conviction data (Article 10) transmitted to the Service are processed with appropriate legal basis and safeguards;
(d) Provide documented instructions to MITRITY regarding the processing of personal data (the Agreement, including this DPA, constitutes the initial documented instructions);
(e) Comply with all applicable data protection laws in connection with its use of the Service;
(f) Promptly notify MITRITY of any changes to processing instructions or any circumstances that may affect MITRITY's ability to comply with this DPA; and
(g) Conduct data protection impact assessments where required by Article 35 of GDPR.
6. Processor Obligations
6.1 Processing on Instructions (Article 28(3)(a))
MITRITY shall process personal data only on documented instructions from Customer, including with regard to transfers of personal data to a third country, unless required to do so by EU or Member State law to which MITRITY is subject. In such a case, MITRITY shall inform Customer of that legal requirement before processing, unless the law prohibits such notice.
The Agreement, including this DPA, constitutes Customer's documented instructions. Customer may issue additional instructions in writing, provided they are consistent with the Agreement. If MITRITY believes an instruction infringes GDPR or other data protection law, it shall promptly inform Customer.
6.2 Confidentiality (Article 28(3)(b))
MITRITY shall ensure that all persons authorized to process personal data:
(a) Have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(b) Process personal data only as instructed by Customer and as necessary for the performance of their duties; and
(c) Have received appropriate training on data protection requirements.
6.3 Security Measures (Article 28(3)(c) and Article 32)
MITRITY shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
Technical measures:
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.3 for all communications |
| Encryption at rest | AES-256 for stored data (Google Cloud default encryption) |
| Access control | Role-based access control (RBAC) with principle of least privilege |
| Authentication | Mandatory multi-factor authentication for all administrative access |
| Network security | Private networking, Cloud Armor WAF, DDoS protection |
| Database isolation | Tenant-level isolation; all queries scoped to tenant_id |
| Backup encryption | All backups encrypted with AES-256 |
| Key management | Google Cloud KMS for encryption key management |
| Vulnerability management | Regular vulnerability scanning (govulncheck, semgrep, tfsec); dependency monitoring |
| Penetration testing | Annual third-party penetration testing |
Organizational measures:
| Measure | Implementation |
|---|---|
| Information security policy | Documented and reviewed annually |
| Employee screening | Background checks for employees with access to personal data |
| Security training | Mandatory security awareness training for all staff |
| Incident response plan | Documented plan with defined roles and procedures |
| Access reviews | Quarterly reviews of access permissions |
| Vendor assessment | Security assessment of all sub-processors |
| Secure development | Secure SDLC with code review and automated security scanning |
| Business continuity | Disaster recovery plan with regular testing |
MITRITY shall regularly test, assess, and evaluate the effectiveness of these measures and update them as necessary to reflect the current state of the art and associated risks.
6.4 Sub-Processor Management (Article 28(2) and (4))
6.4.1 General Authorization
Customer provides general written authorization for MITRITY to engage Sub-Processors as listed in Annex A of this DPA.
6.4.2 Obligations on Sub-Processors
Before engaging a Sub-Processor, MITRITY shall:
(a) Carry out appropriate due diligence to ensure the Sub-Processor is capable of providing the level of protection required by this DPA;
(b) Enter into a written agreement with the Sub-Processor that imposes data protection obligations no less protective than those set out in this DPA; and
(c) Remain fully liable to Customer for the performance of the Sub-Processor's obligations.
6.4.3 Notification of Changes
MITRITY shall notify Customer at least 30 days in advance of any intended changes to Sub-Processors (additions or replacements) by:
(a) Sending written notice to the email address associated with Customer's account; and
(b) Updating the Sub-Processor list in Annex A.
6.4.4 Objection Right
Customer may object to a new or replacement Sub-Processor within 14 days of receiving notification by providing written notice to MITRITY with reasonable grounds for the objection. If Customer objects:
(a) MITRITY shall use commercially reasonable efforts to make available an alternative arrangement that avoids the use of the objected-to Sub-Processor;
(b) If no alternative is reasonably available within 30 days of the objection, either Party may terminate the affected portion of the Service (or the entire Agreement if the Sub-Processor is essential to the Service) without penalty; and
(c) MITRITY will refund any prepaid fees for the terminated portion of the Service covering the period after the termination date.
6.5 Assistance with Data Subject Rights (Article 28(3)(e))
MITRITY shall, taking into account the nature of the processing:
(a) Promptly notify Customer if MITRITY receives a request from a Data Subject to exercise their rights under GDPR (access, rectification, erasure, restriction, portability, or objection);
(b) Not respond directly to the Data Subject unless instructed by Customer or required by law;
(c) Assist Customer in fulfilling its obligation to respond to Data Subject requests by providing relevant data and technical capabilities, including data export tools; and
(d) Provide such assistance within a timeframe that allows Customer to meet the GDPR's 30-day response deadline.
6.6 Assistance with Security and Breach Notification (Article 28(3)(f))
MITRITY shall assist Customer in ensuring compliance with Articles 32 to 36 of GDPR, taking into account the nature of processing and the information available to MITRITY, including:
(a) Implementing appropriate security measures (Section 6.3);
(b) Notifying Customer of Personal Data Breaches (Section 8);
(c) Assisting with data protection impact assessments, where reasonably required; and
(d) Assisting with prior consultation with Supervisory Authorities, where required.
6.7 Deletion or Return of Data (Article 28(3)(g))
Upon termination of the Agreement:
(a) MITRITY shall make Customer's personal data available for export for 30 days following termination, in a structured, commonly used, machine-readable format (JSON or CSV);
(b) After the 30-day export period, MITRITY shall delete all personal data and existing copies, unless EU or Member State law requires retention;
(c) Upon Customer's written request, MITRITY shall certify in writing that deletion has been completed; and
(d) Anonymized and aggregated data that does not constitute personal data may be retained in accordance with the Terms of Service.
6.8 Audit Rights (Article 28(3)(h))
(a) MITRITY shall make available to Customer all information necessary to demonstrate compliance with this DPA and GDPR Article 28;
(b) MITRITY shall allow for and contribute to audits, including inspections, conducted by Customer or an independent auditor mandated by Customer;
(c) Customer shall provide at least 30 days' written notice of an audit request;
(d) Audits shall be conducted during normal business hours, no more than once per year (unless required by a Supervisory Authority or following a Personal Data Breach), and in a manner that minimizes disruption to MITRITY's operations;
(e) Customer shall bear the costs of audits, unless the audit reveals material non-compliance by MITRITY;
(f) Customer (and any auditor) must enter into confidentiality obligations protecting MITRITY's confidential information discovered during the audit;
(g) MITRITY may satisfy audit obligations by providing Customer with copies of relevant third-party audit reports or certifications (e.g., SOC 2 Type II, ISO 27001), where available; and
(h) MITRITY shall promptly inform Customer if, in MITRITY's opinion, an instruction from Customer regarding an audit infringes GDPR.
7. Sub-Processor List (Annex A)
The following Sub-Processors are authorized as of the date of this DPA:
| Sub-Processor | Purpose | Data Processed | Location | Safeguards |
|---|---|---|---|---|
| Google Cloud Platform (Google LLC) | Cloud infrastructure: compute, storage, database (Cloud SQL), networking, key management, monitoring | All Agent Data, account data, usage data | europe-north1 (Finland), EU | EU Data Processing Terms; SOC 2; ISO 27001; EU-US DPF |
| Stripe, Inc. | Payment processing for subscriptions | Customer billing name, email, payment method, billing address, transaction history | EU primary processing; US for certain operations | EU-US DPF; SCCs; PCI DSS Level 1 |
| Twilio Inc. (SendGrid) | Transactional email delivery (invitations, alerts, notifications) | Recipient email addresses, email content (subject, body) | EU primary processing; US for certain operations | EU-US DPF; SCCs; SOC 2 |
| Google (Google Analytics 4) | Website analytics | Anonymized website visitor data (IP anonymized, no user-level identifiers) | EU settings enabled | EU Data Processing Terms; SOC 2; EU-US DPF |
Google Cloud Platform specifics:
- All MITRITY production data is stored and processed in the europe-north1 (Finland) region
- Google Cloud's EU Data Processing Terms apply
- Data is encrypted at rest using Google-managed encryption keys (AES-256)
- Google does not access customer data except as necessary to provide the service or as required by law
8. Personal Data Breach Notification
8.1 Notification to Customer
MITRITY shall notify Customer without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Customer's personal data. This timeline is designed to allow Customer to meet its own 72-hour notification obligation to Supervisory Authorities under Article 33 of GDPR.
8.2 Content of Notification
The notification shall include, to the extent reasonably available:
(a) A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects affected and the categories and approximate number of personal data records concerned;
(b) The name and contact details of MITRITY's point of contact for the breach;
(c) A description of the likely consequences of the breach;
(d) A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate possible adverse effects; and
(e) Any other information required under Article 33(3) of GDPR.
If it is not possible to provide all information at the same time, MITRITY shall provide information in phases without undue delay.
8.3 Cooperation
MITRITY shall:
(a) Cooperate with Customer and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of the breach;
(b) Assist Customer in meeting its obligations under Articles 33 and 34 of GDPR (notification to Supervisory Authorities and Data Subjects);
(c) Take immediate steps to contain and remediate the breach; and
(d) Preserve evidence related to the breach for investigation purposes.
8.4 Communication
MITRITY shall not notify any Data Subject or third party about a Personal Data Breach without Customer's prior written authorization, unless required by law.
9. Cross-Border Data Transfers
9.1 EU-Based Processing
MITRITY's primary infrastructure is located in the EU (Google Cloud europe-north1, Finland). Personal data is processed and stored in the EU by default.
9.2 Transfers Outside the EU/EEA
Where personal data is transferred to Sub-Processors located outside the EU/EEA, MITRITY ensures that appropriate safeguards are in place under Chapter V of GDPR:
(a) Adequacy decisions — Transfers to countries recognized by the European Commission as providing an adequate level of data protection (Article 45);
(b) Standard Contractual Clauses — EU Commission-approved SCCs (Article 46(2)(c)), using the modules appropriate to the transfer scenario:
- Module Two (Controller to Processor) for transfers of Customer personal data to US-based Sub-Processors
- Module Three (Processor to Processor) where applicable;
(c) EU-US Data Privacy Framework — Where the Sub-Processor is certified under the EU-US Data Privacy Framework (supplementary to SCCs); and
(d) Supplementary measures — Additional technical, organizational, or contractual measures where the transfer impact assessment indicates they are necessary.
9.3 Transfer Impact Assessments
MITRITY conducts transfer impact assessments for each Sub-Processor outside the EU/EEA, evaluating:
(a) The legal framework of the destination country;
(b) The Sub-Processor's security measures and data protection practices;
(c) Whether government access to data is likely and the scope of such access; and
(d) Whether supplementary measures are necessary and sufficient.
Transfer impact assessments are reviewed annually or upon material changes.
9.4 Customer Notification
MITRITY shall inform Customer of any new transfers of personal data outside the EU/EEA as part of the Sub-Processor change notification process (Section 6.4.3).
10. Liability
10.1 General
Each Party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service, except that:
(a) The limitations do not apply to fines or penalties imposed by a Supervisory Authority directly on a Party for its own GDPR non-compliance;
(b) Each Party remains liable for damage caused by its own GDPR non-compliance in accordance with Article 82 of GDPR; and
(c) Where both Parties are responsible for damage caused by processing, liability is allocated in accordance with Article 82(2)-(5) of GDPR.
10.2 Indemnification
Each Party shall indemnify the other Party for any costs, claims, damages, or expenses arising from the indemnifying Party's breach of this DPA or GDPR, to the extent attributable to the indemnifying Party's acts or omissions.
11. Relationship to the Agreement
11.1 Precedence
In the event of a conflict between this DPA and the Terms of Service regarding the processing of personal data, this DPA shall prevail.
11.2 Incorporation
This DPA is incorporated into and forms part of the Agreement. All references in the Terms of Service to the "DPA" or "Data Processing Agreement" refer to this document.
11.3 Amendment
This DPA may be amended by MITRITY to reflect changes in applicable data protection law or MITRITY's data processing practices. Material changes will be communicated to Customer with at least 30 days' advance notice.
12. Term and Termination
12.1 Term
This DPA takes effect on the Effective Date of the Agreement and remains in effect as long as MITRITY processes personal data on behalf of Customer.
12.2 Survival
Sections 6.7 (Deletion/Return), 6.8 (Audit Rights), 8 (Breach Notification), 9 (Cross-Border Transfers), and 10 (Liability) survive termination of this DPA to the extent necessary to give effect to their provisions.
13. Governing Law
This DPA is governed by the laws of Sweden, in accordance with the Terms of Service. To the extent that GDPR applies, the provisions of GDPR shall take precedence over conflicting national law provisions.
14. Contact
For questions about this DPA or data protection matters:
- MITRITY Data Protection Officer: dpo@mitrity.com
- MITRITY Legal: legal@mitrity.com
Annex B — Technical and Organizational Measures
The following technical and organizational measures are implemented by MITRITY as of the date of this DPA. These measures are subject to continuous improvement and may be updated to reflect the current state of the art.
B.1 Pseudonymization and Encryption (Article 32(1)(a))
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for all data at rest (Google Cloud default encryption)
- Google Cloud KMS for encryption key management
- Database field-level encryption for sensitive data where applicable
- Pseudonymization of personal data in analytics and ML training pipelines
B.2 Confidentiality, Integrity, Availability, and Resilience (Article 32(1)(b))
- Confidentiality: RBAC with least privilege; mandatory MFA; encrypted connections; confidentiality agreements for all personnel
- Integrity: Database transaction controls; audit logging; integrity monitoring; automated backup verification
- Availability: Multi-zone deployment in europe-north1; automated failover; auto-scaling on Cloud Run; 99.95% uptime target (Enterprise)
- Resilience: Infrastructure-as-code (Terraform) for rapid rebuilding; automated monitoring and alerting; DDoS protection via Cloud Armor
B.3 Restore Availability and Access (Article 32(1)(c))
- Automated daily database backups with point-in-time recovery
- Backup retention: 30 days
- Documented disaster recovery procedures
- Recovery time objective (RTO): 4 hours
- Recovery point objective (RPO): 1 hour
- Annual disaster recovery testing
B.4 Testing, Assessment, and Evaluation (Article 32(1)(d))
- Automated security scanning in CI/CD pipeline (gosec, govulncheck, semgrep, tfsec, npm audit)
- Annual third-party penetration testing
- Quarterly internal security reviews
- Continuous vulnerability monitoring and patch management
- Regular review of access controls and permissions