Data Processing Addendum (DPA)
Effective Date: February 20, 2026
Last Updated: February 20, 2026
This Data Processing Addendum (“DPA”) forms part of the Agreement between Sedrino Labs, Inc. (“Sedrino,” “Processor”) and the Customer (“Controller”) and applies to the extent Sedrino processes Personal Data on behalf of Customer in providing the Services.
If there is a conflict between this DPA and the Terms of Service, this DPA controls with respect to data protection obligations.
1. Definitions
1.1 “Personal Data” has the meaning given under applicable Data Protection Laws.
1.2 “Data Protection Laws” means all applicable privacy and data protection laws and regulations, including (where applicable) GDPR, UK GDPR, and similar laws.
1.3 “Processing” has the meaning given under applicable Data Protection Laws.
1.4 “Subprocessor” means a third party engaged by Processor to process Personal Data on behalf of Controller.
2. Roles and Scope
2.1 Controller and Processor. Customer is the Controller (or business/service provider customer, as applicable). Sedrino is the Processor with respect to Personal Data contained in Customer Content that Customer submits to the Services.
2.2 Controller instructions. Processor will process Personal Data only on documented instructions from Controller, including as necessary to provide the Services under the Agreement and as further described in Annex I.
2.3 Customer responsibility. Customer is responsible for (a) the lawfulness of instructions and Processing; (b) providing required notices and obtaining required consents; and (c) ensuring Customer Content does not violate Data Protection Laws.
3. Processor Obligations
3.1 Confidentiality. Processor will ensure personnel authorized to process Personal Data are bound by confidentiality obligations.
3.2 Security. Processor will implement appropriate technical and organizational measures as described in Annex II.
3.3 No training on Customer Content. Processor will not use Customer Content (including prompts, Outputs, or project content) to train generalized AI or machine learning models.
3.4 Assistance. Processor will provide reasonable assistance to Controller in:
- responding to data subject requests (Section 5);
- performing DPIAs or consultations where required (limited to information Processor can provide); and
- fulfilling security and breach obligations (Section 6).
3.5 Legal requests. If Processor receives a legally binding request for disclosure of Personal Data, Processor will notify Controller unless prohibited by law.
4. Subprocessors
4.1 Authorization. Controller authorizes Processor to use Subprocessors to provide the Services.
4.2 List and updates. A list of Subprocessors is available in subprocessors.md or on our website. Processor may update Subprocessors from time to time.
4.3 Subprocessor obligations. Processor will impose data protection obligations on Subprocessors that are no less protective than this DPA.
4.4 Objection. If Controller reasonably objects to a new Subprocessor on data protection grounds, Controller will notify Processor within 30 days of notice. The parties will work in good faith to resolve. If unresolved, Controller may terminate the affected Service(s) without penalty for the unused portion of pre-paid fees for that affected Service (if applicable), as Controller’s sole and exclusive remedy.
5. Data Subject Requests
5.1 Processor assistance. Processor will provide reasonable assistance to Controller to respond to requests to exercise data subject rights, to the extent Processor can identify the relevant Personal Data and is legally permitted to assist.
5.2 Direct requests. If Processor receives a request directly from a data subject relating to Personal Data in Customer Content, Processor will (where permitted) direct the data subject to Controller and notify Controller.
6. Personal Data Breach
6.1 Notice. Processor will notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Customer Content.
6.2 Information. Processor will provide reasonably requested information to help Controller meet its obligations, to the extent available.
7. Return and Deletion
7.1 During the term. Processor may retain, delete, or anonymize data as described in the Agreement and Privacy Policy, including retention of AI Interaction Data generally up to 30 days and potential earlier/later deletion for operational, security, legal, or compliance reasons.
7.2 At termination. Upon termination of the Services, Processor will, at Controller’s option, delete or return Personal Data in Customer Content, subject to:
- Controller’s ability to export data using available functionality;
- retention in backups for a limited time; and
- legal requirements to retain certain data.
8. Audits
8.1 Audit rights. Upon reasonable notice and not more than once per year, Controller may audit Processor’s compliance with this DPA through:
- review of applicable third-party security reports where available; and/or
- a written questionnaire.
8.2 On-site audits. On-site audits are permitted only if (a) required by law or a regulator, or (b) the parties agree in writing to scope and timing, and subject to reasonable confidentiality and security requirements.
9. International Transfers
9.1 Transfer mechanisms. Where Processor transfers Personal Data internationally in a manner requiring a transfer mechanism, the parties agree to implement an appropriate mechanism (e.g., Standard Contractual Clauses).
9.2 SCC incorporation (template). If required, the EU Commission Standard Contractual Clauses (Module Two: Controller-to-Processor) and the UK Addendum (if applicable) are incorporated by reference, with Annexes completed using Annex I and Annex II of this DPA.
10. Limitation of Liability
The limitation of liability provisions in the Agreement apply to this DPA to the maximum extent permitted by law.
Annex I — Details of Processing
A. Subject matter: Provision of the Services (AI-assisted development platform and hosting).
B. Duration: For the term of the Agreement, plus limited backup retention.
C. Nature and purpose: Hosting, processing, and transmission of Customer Content to provide the Services; security; support; and compliance.
D. Categories of data subjects: Customer’s Authorized Users; Customer’s end users (if Customer chooses to process such data); other individuals whose data Customer includes in Customer Content.
E. Categories of Personal Data: May include names, emails, identifiers, content submitted in Customer Content, logs, and any other personal data Customer includes.
F. Special categories: Not intended; Customer will not submit special categories unless expressly agreed.
G. Processing operations: Collection, storage, hosting, transmission, generation of Output, logging, access for support/security, deletion.
Annex II — Security Measures (High-Level)
Processor maintains a security program designed to protect Customer Content, which may include:
- access controls (least privilege; authentication/authorization);
- encryption in transit (TLS) and, where applicable, at rest;
- logging and monitoring of service activity;
- vulnerability management and patching practices;
- backups and disaster recovery procedures;
- incident response process;
- supplier/vendor risk management for Subprocessors.
(Controller acknowledges that specific controls may evolve over time.)