⚠️ Draft placeholder. This document is pending review by legal counsel and is not yet binding.

Data Processing Addendum

Version: Draft (pending counsel review) Last updated: 2026-06-14 Effective date: [To be set on publication]

This Data Processing Addendum ("DPA") forms part of the Terms of Service between NeuronKite LLC ("Processor", "we", "us") and the entity or individual identified as the customer in the Terms ("Controller", "you", "Customer") for use of Blueprint (the "Service").

The DPA applies to the extent that your use of the Service involves the Processing of Personal Data subject to:

Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR"), including as it has effect in the United Kingdom under the UK GDPR
The Swiss Federal Act on Data Protection ("FADP")
The California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act ("CCPA/CPRA")
Other applicable data-protection laws

1. Definitions

Capitalized terms not defined here have the meaning given in the Terms or in applicable Data Protection Laws.

"Personal Data" — any information relating to an identified or identifiable natural person.
"Processing" / "Process" — any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
"Data Subject" — the natural person to whom Personal Data relates.
"Subprocessor" — any third party engaged by us to Process Personal Data on behalf of Customer, as listed in the Subprocessor List.
"Standard Contractual Clauses" or "SCCs" — the contractual clauses approved by the European Commission under Commission Implementing Decision (EU) 2021/914.

2. Roles and scope

2.1 Roles

For Personal Data within Customer Content that you submit to the Service: you are the Controller and we are the Processor.
For account data (email, billing information) that we collect to manage your account: we are the Controller (governed by the Privacy Policy).

2.2 Scope of Processing

Element	Detail
Subject matter	Provision of the Blueprint Service
Duration	The term of the Terms + 30 days post-termination for deletion
Nature and purpose	Storage, transmission, retrieval, AI-assisted generation of Artifacts from Briefs
Categories of Data Subjects	Customer's employees, contractors, end customers — to the extent Personal Data appears in Briefs
Categories of Personal Data	Whatever Customer chooses to include in Briefs. By default, Briefs are technical engineering documents and we expect minimal Personal Data
Special categories	None expected. Customer should not submit special-category data (health, biometric, criminal, political opinions, sexual orientation) without prior written agreement

3. Processor obligations

3.1 Processing on instruction

We Process Personal Data only on your documented instructions. The Terms, this DPA, and your in-product configuration constitute your documented instructions. We will notify you if, in our opinion, an instruction violates applicable Data Protection Law.

3.2 Confidentiality

We ensure that personnel authorized to Process Personal Data are under a binding confidentiality obligation.

3.3 Security

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Encryption of Personal Data in transit and at rest
Pseudonymization where appropriate
Ability to restore availability and access to Personal Data promptly after an incident
Regular testing and evaluation of the security measures
Per-user data isolation in application logic
Access controls and audit logging on production database access

Detail is provided in Annex II.

3.4 Subprocessors

You authorize the Subprocessors listed in the Subprocessor List. We will notify you of new Subprocessors at least 30 days in advance by updating the Subprocessor List and emailing your account address. You may object in writing within 30 days; if we cannot accommodate your objection, you may terminate the affected Service component without penalty.

Each Subprocessor is bound by a written agreement imposing data-protection obligations no less protective than this DPA.

3.5 Data Subject requests

We assist you in fulfilling Data Subject rights requests by providing reasonable functionality and information. Standard operations supported via the in-product UI or admin tools:

Access: Customer can export their account data + Briefs + Artifacts via the in-product UI or by emailing [email protected]
Correction: Customer can update their account profile and Briefs in-product
Deletion: Customer can close their account, triggering 30-day automated deletion

For requests we cannot resolve via standard operations, contact [email protected].

3.6 Personal Data breach notification

We will notify you without undue delay, and in any case within 72 hours, after becoming aware of a Personal Data breach affecting your Personal Data. The notification will include the nature of the breach, categories and approximate numbers of Data Subjects and records concerned, contact point for further information, likely consequences, and measures taken or proposed.

3.7 Data Protection Impact Assessment

We provide reasonable assistance with Data Protection Impact Assessments (Art 35 GDPR) and prior consultations with supervisory authorities (Art 36 GDPR), at your request.

3.8 Audit rights

You may audit our compliance with this DPA, no more than once per calendar year, by:

Reviewing the most recent third-party audit reports (SOC 2, ISO 27001) we make available — we do not currently hold these certifications; this clause anticipates future audits
Submitting a written security questionnaire we will answer within 30 days
For material concerns, conducting an on-site audit on 60 days' notice, during business hours, at your expense, subject to a reasonable scope agreed in writing

The on-site audit right is suspended where we have legal, contractual, or technical restrictions preventing access (for example, multi-tenant Subprocessor infrastructure where on-site access would compromise other customers' data).

3.9 Return or deletion of Personal Data

On termination of the Terms, we will, at your choice, return or delete all Personal Data, except where retention is required by law (e.g., billing records). Deletion is completed within 30 days of account closure. Backup tapes/snapshots may retain Personal Data for up to 90 additional days under our standard backup rotation, after which they are automatically overwritten.

4. International transfers

Where Customer's Personal Data is transferred from the EEA, UK, or Switzerland to the United States or another country lacking an adequacy decision, the parties agree to:

4.1 EU SCCs

The European Commission's Standard Contractual Clauses, Module Two (controller to processor), are incorporated into this DPA by reference. The clauses are between Customer (data exporter) and NeuronKite (data importer), with the following Annex selections:

Annex I.A (List of Parties): As stated in the Terms.
Annex I.B (Description of Transfer): Per §2.2 of this DPA.
Annex I.C (Competent Supervisory Authority): The supervisory authority of the EU Member State in which the Customer's lead establishment is located, or, if the Customer has no establishment in the EU, the supervisory authority of the Member State in which the Customer's representative for GDPR Art 27 purposes is established.
Annex II (Technical and Organizational Measures): Per §3.3 of this DPA and the security detail in the Privacy Policy.
Annex III (List of Subprocessors): The Subprocessor List.

4.2 UK Addendum

The UK International Data Transfer Addendum to the EU SCCs (issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018) is incorporated by reference and applies to transfers of UK Personal Data. Table 1 (Parties) is per the Terms. Table 2 (Selected SCCs, Modules and Selected Clauses) is per §4.1 above. Table 3 (Appendix Information) is per §4.1 Annexes above. Table 4 (Ending this Addendum) — both parties may end the Addendum as provided in the Addendum.

4.3 Swiss Addendum

Where data is transferred from Switzerland, references to the GDPR in the SCCs are deemed to include references to the FADP, and references to the supervisory authority include the Swiss Federal Data Protection and Information Commissioner.

5. CCPA / CPRA service provider terms

For Personal Data of California residents:

We Process Personal Data only on your documented instructions
We are prohibited from "selling" or "sharing" Personal Data
We are prohibited from retaining, using, or disclosing Personal Data outside the direct business relationship between you and us
We are prohibited from combining Personal Data received from you with Personal Data received from other sources, except as permitted by CCPA §1798.140(j)(3)
We will notify you if we determine we can no longer meet our obligations under CCPA/CPRA

These provisions constitute the "service provider" terms required by CCPA §1798.140(j) and applicable regulations.

6. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms.

7. Conflict

If this DPA conflicts with the Terms, this DPA controls solely with respect to Personal Data Processing.

8. Termination

This DPA terminates automatically with the Terms.

Annex I — Description of Processing


Categories of Data Subjects	Customer's employees, contractors, end users, or any natural persons identified in Briefs
Categories of Personal Data	Identifiers (name, email if included in Briefs); professional information; technical content authored by Data Subjects
Special categories	Not expected; do not submit without prior written agreement
Frequency	Continuous, for the duration of the Terms
Nature	Storage, retrieval, AI-assisted processing, display
Purpose	Delivery of the Service
Retention	Life of the Customer's account plus 30 days

Annex II — Technical and Organizational Measures

Domain	Measures
Encryption	TLS 1.2+ in transit; AES-256 at rest (cloud-provider default)
Access control	Per-user isolation in application logic. Production database access limited to founder + named SREs. Multi-factor authentication required for admin access
Pseudonymization	Internal IDs are UUIDs not derived from Personal Data. Error reports scrub `brief_*`, `s3_key`, and standard sensitive fields before transmission to Sentry
Resilience	Daily Postgres backups retained 30 days. Object storage versioning. Health monitoring via BetterStack with SMS paging
Testing	Pre-merge automated tests. Manual smoke testing on every deploy. Independent security review prior to production launch (planned)
Confidentiality of personnel	All personnel under written confidentiality obligation. Access to production data is logged
Physical security	Production infrastructure runs on Google Cloud Platform in SOC 2 Type II-certified facilities

Annex III — Subprocessor List

See 05-subprocessor-list.md.