Data Processing Agreement
Effective March 2026. This Data Processing Agreement ("DPA") forms part of the agreement between Oceum ("Processor") and the entity subscribing to the Oceum platform ("Controller") for the provision of AI agent governance services.
1. Definitions
For the purposes of this DPA, the following terms apply:
- "Controller" means the entity that determines the purposes and means of the processing of Personal Data and that has entered into a service agreement with Oceum.
- "Processor" means Oceum, Inc., which processes Personal Data on behalf of the Controller in connection with the provision of the platform.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable data protection legislation including the GDPR and CCPA.
- "Processing" means any operation or set of operations performed on Personal Data, including collection, storage, retrieval, use, disclosure, erasure, or destruction.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.
- "Data Protection Laws" means all applicable legislation relating to the protection of personal data, including but not limited to the GDPR (EU 2016/679), UK GDPR, and the California Consumer Privacy Act (CCPA).
2. Scope and Purpose
This DPA applies to the Processor's processing of Personal Data on behalf of the Controller in connection with the Oceum platform. The Processor processes Personal Data solely to provide the AI agent governance platform, including:
- User authentication and account management
- AI agent deployment, monitoring, and orchestration
- Workflow execution and activity logging
- Secure Data Vault operations (encrypted key-value storage)
- Drift Engine social publishing (when enabled by the Controller)
- Billing and subscription management
The categories of data subjects include the Controller's employees, contractors, and end users who interact with the platform. The types of Personal Data processed include names, email addresses, organization names, authentication tokens, agent configurations, and any data the Controller chooses to store in the Secure Data Vault.
3. Obligations of the Processor
The Processor shall:
- Process on instructions only. Process Personal Data only on the documented instructions of the Controller, unless required to do so by applicable law. If such a legal requirement arises, the Processor shall inform the Controller before processing, unless the law prohibits such notification.
- Confidentiality. Ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
- Security measures. Implement and maintain appropriate technical and organizational measures to protect Personal Data, as described in Section 7 of this DPA and further detailed on the Security page.
- Sub-processing. Not engage another processor without prior written authorization of the Controller, subject to the provisions set out in Section 5.
- Data subject requests. Assist the Controller in fulfilling its obligations to respond to Data Subject requests for exercising their rights under Data Protection Laws.
- Breach assistance. Assist the Controller in ensuring compliance with breach notification obligations under Data Protection Laws.
- Data protection impact assessments. Provide reasonable assistance to the Controller with any data protection impact assessments required under Data Protection Laws.
- Deletion or return. Upon termination of the service agreement, delete or return all Personal Data to the Controller at the Controller's election, and delete existing copies unless applicable law requires retention.
4. Obligations of the Controller
The Controller shall:
- Ensure that it has a lawful basis for providing Personal Data to the Processor.
- Comply with its obligations under applicable Data Protection Laws.
- Inform the Processor of any specific data handling requirements without undue delay.
- Ensure that its instructions to the Processor comply with applicable Data Protection Laws.
5. Sub-processing
The Controller authorizes the Processor to engage the sub-processors listed on the Subprocessors page as of the effective date of this DPA.
The Processor shall:
- Notify the Controller of any intended changes to the list of sub-processors at least 30 days in advance, providing the Controller an opportunity to object.
- Impose data protection obligations on each sub-processor no less protective than those set out in this DPA.
- Remain fully liable for the acts and omissions of its sub-processors.
If the Controller objects to a new sub-processor on reasonable grounds related to data protection, the parties shall discuss the concern in good faith. If the parties cannot resolve the objection, the Controller may terminate the affected service by providing written notice.
6. International Data Transfers
The Processor stores and processes Personal Data primarily in the United States. Where Personal Data originating from the European Economic Area (EEA), United Kingdom, or Switzerland is transferred to the United States, such transfers are made pursuant to:
- Standard Contractual Clauses (SCCs) as adopted by the European Commission (Module Two: Controller to Processor), incorporated into this DPA by reference.
- Any supplementary measures reasonably necessary to ensure that the transferred data is afforded an adequate level of protection.
The Processor shall cooperate with the Controller to ensure that appropriate transfer mechanisms are in place for all international transfers of Personal Data.
7. Security Measures
The Processor implements the following technical and organizational security measures to protect Personal Data:
- Encryption in transit. All data transmitted between clients and the platform is encrypted via HTTPS with HSTS preloading.
- Encryption at rest. Vault data is encrypted using AES-256-GCM with per-organization encryption keys and random initialization vectors.
- Access controls. Role-based access control (RBAC) with owner, admin, and member roles. All API endpoints enforce organization-scoped access.
- Authentication. JWT-based authentication with 24-hour token expiry. Passwords hashed with bcrypt. SSO via Google and Microsoft supported.
- Audit logging. Platform activity is logged, including agent operations, authentication events, and vault access. Logs are retained per the Controller's plan tier.
- Multi-factor authentication. Available for all accounts via SSO provider MFA enforcement.
- Row-level security. Database queries enforce organization-level data isolation, preventing cross-tenant data access.
- Vulnerability management. Automated security audits, dependency monitoring, and prompt patching of identified vulnerabilities.
- Error sanitization. All API error responses are sanitized to prevent information leakage of internal system details.
A detailed description of security measures is available at /security. The Processor shall regularly review and update these measures to maintain an appropriate level of security.
8. Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach. The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned.
- The name and contact details of the Processor's point of contact for further information.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of each breach.
9. Data Subject Rights
The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under Data Protection Laws, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to processing
Where the Processor receives a request directly from a Data Subject, it shall promptly notify the Controller and shall not respond to the request without the Controller's instructions, unless required by applicable law.
10. Audit Rights
The Controller may audit the Processor's compliance with this DPA, subject to the following conditions:
- The Controller shall provide at least 30 days' written notice of an audit request.
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.
- The Controller shall bear its own costs of any audit.
- The Processor may satisfy an audit request by providing a copy of a relevant third-party audit report or certification (such as SOC 2), where available.
The Processor shall cooperate with such audits and provide the Controller with all information reasonably necessary to demonstrate compliance.
11. Term and Termination
This DPA shall remain in effect for the duration of the service agreement between the Controller and the Processor. Upon termination of the service agreement:
- The Processor shall, at the Controller's election, either delete or return all Personal Data within 30 days of the termination date.
- The Processor shall provide written certification of deletion upon the Controller's request.
- Notwithstanding the above, the Processor may retain Personal Data to the extent required by applicable law, provided such data remains subject to the protections of this DPA.
12. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the service agreement. Nothing in this DPA limits either party's liability for breaches of Data Protection Laws.
13. Governing Law
This DPA shall be governed by and construed in accordance with the laws governing the service agreement, unless otherwise required by applicable Data Protection Laws.
14. Contact
For questions about this DPA or to exercise rights under this agreement, contact:
- Data Processing inquiries: dpa@oceum.ai
- Security concerns: security@oceum.ai
- General inquiries: hello@oceum.ai