This Data Processing Addendum ("DPA") supplements the agreement under which Cloud Spectra LLC ("Processor", "we") provides products and services to you ("Controller", "Customer"). It applies to the extent we process personal data on your behalf.
1. Definitions
"Personal Data", "Processing", "Data Subject", "Controller", and "Processor" have the meanings in the EU GDPR / UK GDPR; "Business", "Service Provider", and "Sell/Share" have the meanings in the CCPA/CPRA.
2. Roles & scope
We process personal data only to provide and support the products/services, in accordance with your documented instructions, and as described in the Privacy Policy. Under the CCPA/CPRA we act as a Service Provider and will not sell or share personal information or use it outside the direct business purpose.
3. Security measures
We maintain technical and organizational measures appropriate to the risk, including least-privilege access, encryption in transit, logging, and an internal vulnerability-handling process (see disclosure policy).
4. Sub-processors
You authorize the sub-processors listed in the Privacy Policy. We remain responsible for their performance and will give notice of material changes affecting customer personal data.
5. Data-subject requests & assistance
We will, taking into account the nature of processing, assist you in responding to data-subject requests and in meeting your security, breach-notification, and DPIA obligations. We will notify you without undue delay, and in any event within 72 hours, after becoming aware of a personal-data breach affecting your data, with the information you reasonably need to meet your own notification obligations.
6. International transfers
Where applicable, the EU Standard Contractual Clauses and UK IDTA are incorporated by reference for transfers of personal data outside the EEA/UK. Counsel to attach the SCC modules, Annexes I-III, and select the UK Addendum options.
7. Return & deletion
On termination, we will delete or return personal data we hold on your behalf, except as required by law. Data held in your own AWS account remains under your control at all times.
8. Audits
We will make available information reasonably necessary to demonstrate compliance and allow for audits consistent with Article 28(3)(h), subject to confidentiality and reasonable scheduling.
9. How to execute
To countersign this DPA for your organization, contact legal@cloudspectra.ai. A signable PDF can be provided on request.