Semswitch
Contact
Back to SemSwitch
SemswitchDocument · DPA

SemSwitch Data Processing Addendum

Version: 1.0 Effective Date: January 1, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between Customer and SemSwitch, Inc. ("Processor," "Company," "we," or "us") governing Customer's use of the SemSwitch Services (the "Agreement").

This DPA applies where and to the extent Processor processes Personal Data on behalf of Customer in connection with the Services.

1. Definitions

Capitalized terms not defined herein have the meanings set forth in the Agreement. In this DPA:

"Applicable Data Protection Law" means all applicable laws and regulations relating to the processing of Personal Data, including (where applicable) GDPR, UK GDPR, the Swiss Federal Act on Data Protection, and the California Consumer Privacy Act (CCPA) as amended by the CPRA.

"Controller" means the entity that determines the purposes and means of processing Personal Data. For purposes of this DPA, Customer is the Controller of Customer Personal Data.

"Customer Personal Data" means Personal Data that Processor processes on behalf of Customer in connection with the Services.

"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.

"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).

"Personal Data" means any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Law.

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.

"Processor" means the entity that processes Personal Data on behalf of a Controller. For purposes of this DPA, SemSwitch, Inc. is the Processor of Customer Personal Data.

"Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.

"SCCs" means the Standard Contractual Clauses approved by the European Commission in Implementing Decision (EU) 2021/914.

"Services" means the SemSwitch governance control plane, evidence services, APIs, SDKs, and related tools as described in the Agreement.

"Subprocessor" means any third party engaged by Processor to process Customer Personal Data on behalf of Customer.

"UK GDPR" means the GDPR as incorporated into UK law by the European Union (Withdrawal) Act 2018 and applicable UK data protection legislation.

2. Scope and Roles

2.1 Roles of the Parties

With respect to Customer Personal Data:

  • Customer is the Controller and determines the purposes and means of processing.
  • Processor processes Customer Personal Data on behalf of Customer as a Processor.

2.2 Scope of Processing

Processor will process Customer Personal Data only as necessary to provide the Services and as further instructed by Customer in writing, unless processing is required by Applicable Data Protection Law (in which case Processor shall inform Customer of such requirement before processing, unless prohibited by law).

2.3 Details of Processing

The subject matter, duration, nature, and purpose of processing, the types of Personal Data processed, and the categories of Data Subjects are described in Annex I to this DPA.

3. Customer Obligations

3.1 Compliance

Customer represents and warrants that:

  • Customer's instructions to Processor comply with Applicable Data Protection Law.
  • Customer has obtained all necessary consents, authorizations, and legal bases for the processing of Customer Personal Data by Processor.
  • Customer has provided appropriate notices to Data Subjects regarding the processing.

3.2 Customer Instructions

Customer instructs Processor to process Customer Personal Data for the following purposes:

  • Providing, operating, and maintaining the Services
  • Processing evidence events and producing Evidence Artifacts
  • Security, integrity verification, and abuse prevention
  • Customer support
  • As otherwise instructed by Customer in writing

4. Processor Obligations

4.1 Processing Limitations

Processor shall:

  • Process Customer Personal Data only on documented instructions from Customer, unless required by Applicable Data Protection Law.
  • Inform Customer if, in Processor's opinion, an instruction violates Applicable Data Protection Law.
  • Ensure that persons authorized to process Customer Personal Data are subject to confidentiality obligations.

4.2 Security Measures

Processor shall implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure. These measures are described in Annex II to this DPA.

4.3 Personal Data Breach Notification

Processor shall notify Controller without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. Processor's internal target is to provide initial notice within forty-eight (48) hours of becoming aware.

Such notice shall include, to the extent known:

  • A description of the nature of the breach, including categories and approximate number of Data Subjects and records affected
  • Contact information for Processor's privacy or security contact
  • A description of likely consequences
  • A description of measures taken or proposed to address the breach

Notice may be provided in phases as information becomes available, and Processor shall provide timely updates without undue delay.

4.4 Assistance with Data Subject Rights

Processor shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures (insofar as possible) in fulfilling Customer's obligations to respond to Data Subject requests to exercise their rights under Applicable Data Protection Law.

If Processor receives a request from a Data Subject regarding Customer Personal Data, Processor shall promptly notify Customer (unless prohibited by law) and shall not respond to such request except on Customer's documented instructions or as required by Applicable Data Protection Law.

4.5 Assistance with Compliance

Processor shall assist Customer in ensuring compliance with Customer's obligations under Applicable Data Protection Law regarding:

  • Security of processing
  • Personal Data Breach notification
  • Data protection impact assessments
  • Prior consultation with supervisory authorities

Such assistance shall be provided taking into account the nature of processing and information available to Processor, and may be subject to reasonable fees for assistance beyond what is required by Applicable Data Protection Law.

5. Subprocessors

5.1 Authorization

Customer provides general authorization for Processor to engage Subprocessors to process Customer Personal Data, subject to the requirements of this Section 5.

5.2 Current Subprocessors

The current list of Subprocessors is set forth in Annex III to this DPA and is also available at semswitch.com/privacy (Section 8).

5.3 Subprocessor Requirements

Processor shall:

  • Enter into a written agreement with each Subprocessor imposing data protection obligations no less protective than those in this DPA.
  • Remain liable for the acts and omissions of its Subprocessors.

5.4 Changes to Subprocessors

Processor shall notify Customer of any intended changes to Subprocessors (additions or replacements) by updating the Subprocessor list and providing notice via email to Customer's Account Owner at least fourteen (14) days before the new Subprocessor begins processing Customer Personal Data.

Customer may object to a new Subprocessor on reasonable grounds relating to data protection by notifying Processor in writing within fourteen (14) days of receiving notice. If Customer objects, the parties shall discuss Customer's concerns in good faith. If the parties cannot resolve the objection within thirty (30) days, Customer may terminate the affected Services without penalty by providing written notice.

6. International Data Transfers

6.1 Processing Locations

Processor primarily processes Customer Personal Data in the United States. Customer Personal Data may also be processed in other locations where Processor or its Subprocessors maintain facilities, as described in Annex III.

6.2 Transfers from the EEA

Where the transfer of Customer Personal Data from the European Economic Area (EEA) to a country outside the EEA constitutes a "restricted transfer" requiring appropriate safeguards under GDPR, the parties agree that the EU Standard Contractual Clauses as adopted by Commission Implementing Decision (EU) 2021/914 are incorporated into and form part of this DPA as Exhibit A (SCCs).

For purposes of the SCCs:

  • Module Two (Controller to Processor) applies.
  • Customer is the "data exporter" and Processor is the "data importer."
  • The parties will complete the SCC Annexes with the relevant transfer details, including the description of processing, categories of Data Subjects, categories of Personal Data, and technical and organizational measures, as set forth in the Annexes to this DPA.
  • Clause 7 (Docking Clause): Not applicable.
  • Clause 9 (Use of Subprocessors): Option 2 (General written authorization) applies.
  • Clause 11 (Redress): The optional language is not included.
  • Clause 17 (Governing Law): The SCCs shall be governed by the law of Ireland.
  • Clause 18 (Choice of Forum and Jurisdiction): Disputes shall be resolved by the courts of Ireland.

6.3 Transfers from the United Kingdom

Where the transfer of Customer Personal Data from the United Kingdom constitutes a restricted transfer under UK data protection law, the parties agree that the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (in force 21 March 2022) is incorporated into and forms part of this DPA as Exhibit B (UK Addendum), and is appended to the SCCs referenced above, with the required tables and appendix information completed by the parties.

6.4 Transfers from Switzerland

For transfers from Switzerland, the SCCs apply with the modifications required to comply with the Swiss Federal Act on Data Protection, including that the Swiss Federal Data Protection and Information Commissioner is the competent supervisory authority.

6.5 Alternative Transfer Mechanisms

If a supervisory authority or court requires the use of an alternative transfer mechanism, the parties agree to negotiate in good faith to implement such mechanism.

7. Audit Rights

7.1 Audit Materials

Upon written request no more than once per calendar year, Processor will make available to Customer reasonable information necessary to demonstrate compliance with this DPA, including:

  • Responses to a written security questionnaire
  • Where available, independent third-party audit reports or certifications (e.g., SOC 2 Type II) under confidentiality restrictions

7.2 On-Site Audit

If Customer reasonably determines that the materials above are insufficient to verify compliance, Customer may conduct an audit of Processor's relevant processing activities solely as they relate to Customer Personal Data, subject to the following conditions:

  • At least thirty (30) days' prior written notice
  • No more than once per calendar year
  • During normal business hours
  • Performed by Customer or an independent auditor bound by confidentiality
  • At Customer's expense
  • In a manner that does not unreasonably disrupt Processor's operations or compromise other customers' data, confidentiality, or security

Processor may require remote/virtual audit methods where reasonably sufficient to verify compliance.

8. Data Retention and Deletion

8.1 Retention

Processor retains Customer Personal Data in accordance with the retention schedule set forth in the Privacy Policy (semswitch.com/privacy) and as summarized below:

Data CategoryRetention Period
Authorized User account dataAccount lifetime + 30 days
Evidence vault payloads (encrypted)365 days default (customer-configurable); crypto-shred immediately on deletion; hard-delete within 30 days
Evidence chain metadata (hashes/receipts/Merkle roots)7 years after payload deletion/termination
Operational logs/metrics90 days
Backups30 days rolling
Support tickets2 years after closure

8.2 Deletion

Upon termination of the Agreement or upon Customer's written request, Processor shall delete or return Customer Personal Data (at Customer's election) within thirty (30) days, except:

  • Where retention is required by Applicable Data Protection Law
  • For integrity metadata (hashes/receipts) retained to preserve verifiability of audit trails, which is not sufficient to reconstruct deleted payloads
  • For public blockchain anchors (if enabled by Customer), which are effectively permanent once published and contain only cryptographic hashes

Deletion of encrypted evidence payloads is implemented via crypto-shredding (cryptographic key destruction), rendering the data unreadable.

8.3 Certification

Upon Customer's written request, Processor shall provide written certification of deletion.

9. Aggregated and Anonymized Data

Customer agrees that Processor may use Customer Personal Data to create aggregated, anonymized, or de-identified data that does not identify any individual or Customer ("Anonymized Data"). Processor may use Anonymized Data to improve the Services, develop new features, and train internal or external models. Anonymized Data is not subject to the restrictions of this DPA.

10. CCPA-Specific Terms

To the extent Processor processes Customer Personal Data subject to the California Consumer Privacy Act (as amended by the CPRA):

  • Processor is a "Service Provider" as defined under CCPA.
  • Processor shall not sell or share Customer Personal Data.
  • Processor shall not retain, use, or disclose Customer Personal Data for any purpose other than performing the Services, as permitted under CCPA, or as otherwise permitted by the Agreement.
  • Processor shall not retain, use, or disclose Customer Personal Data outside of the direct business relationship between Processor and Customer.
  • Processor certifies that it understands these restrictions and will comply with them.

11. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Agreement.

12. Conflict

In the event of any conflict between this DPA and the Agreement, this DPA shall control with respect to the processing of Customer Personal Data. In the event of any conflict between this DPA and the SCCs, the SCCs shall control.

13. Term

This DPA shall remain in effect for as long as Processor processes Customer Personal Data on behalf of Customer.

14. Contact

Data Protection Contact: privacy@semswitch.com

Legal Contact: legal@semswitch.com

Mailing Address: SemSwitch, Inc. 8 The Green, Suite B Dover, DE 19901

Annex I: Details of Processing

A. List of Parties

Data Exporter (Controller): Customer, as identified in the Agreement.

Data Importer (Processor): SemSwitch, Inc. 8 The Green, Suite B Dover, DE 19901 privacy@semswitch.com

B. Description of Processing

ElementDescription
Subject MatterProcessing of Personal Data in connection with the SemSwitch governance control plane and evidence services
DurationFor the term of the Agreement, plus any retention periods specified in Section 8
Nature of ProcessingCollection, storage, organization, structuring, retrieval, use, disclosure by transmission, encryption, hashing, verification, deletion
Purpose of ProcessingProviding the Services, including evidence capture, integrity verification, policy/guard distribution, optional LLM governance, and optional Cross-Tenant Insights (if enabled)
Categories of Data SubjectsCustomer's Authorized Users; End Users of Customer's applications (as determined by Customer's integration); Customer's employees, contractors, and agents
Categories of Personal DataIdentifiers (name, email, user ID); authentication data (login timestamps, IP addresses); evidence event data (as determined by Customer's integration, which may include application content, decision context, and other Customer-provided fields); usage and telemetry data
Sensitive Data (if any)None intended; Customer is responsible for not submitting sensitive or special category data unless appropriate safeguards are in place
Frequency of TransferContinuous, as Customer uses the Services
Retention PeriodAs specified in Section 8 of this DPA

Annex II: Technical and Organizational Security Measures

Processor implements and maintains the following technical and organizational measures to protect Customer Personal Data:

A. Access Control

  • Role-based access controls with least-privilege principles
  • Multi-factor authentication for administrative access
  • Unique user credentials; no shared accounts
  • Access logging and monitoring
  • Prompt deprovisioning upon termination

B. Encryption

  • Encryption in transit (TLS 1.2+)
  • Encryption at rest (AES-256 or equivalent)
  • Envelope encryption for evidence payloads
  • Secure key management practices

C. Tenant Isolation

  • Logical separation of Customer data
  • Enforced row-level security for tenant-scoped data stores
  • Tenant-scoped access tokens and API keys

D. Integrity and Verification

  • Cryptographic chaining for tamper-evident evidence records
  • Hash verification processes
  • Optional timestamping and anchoring for independent verification

E. Network Security

  • Firewalls and network segmentation
  • DDoS protection (via Cloudflare)
  • Intrusion detection and monitoring

F. Incident Management

  • Documented incident response procedures
  • 48-hour target for breach notification
  • Regular security reviews

G. Business Continuity

  • Regular backups (30-day rolling retention)
  • Disaster recovery procedures
  • Redundant infrastructure

H. Personnel Security

  • Background checks for employees with access to Customer data (where permitted by law)
  • Confidentiality obligations in employment agreements
  • Security awareness training

I. Vendor Management

  • Due diligence on Subprocessors
  • Written agreements with data protection obligations
  • Ongoing monitoring of Subprocessor compliance

Annex III: Subprocessors

SubprocessorPurposeProcessing Location
DigitalOceanHosting/computeUS
CloudflareCDN/site deliveryGlobal edge; US (logs)
AWS RDSDatabaseUS
AivenRedis cachingUS
DatadogMetrics/monitoringUS
HoneybadgerError monitoringUS
Temporal CloudWorkflow orchestrationUS
PrefectWorkflow orchestrationUS
OpenRouterLLM evaluations (optional; if enabled)US
CometAPILLM evaluations (optional; if enabled)Hong Kong
DigiCert / Sectigo / FreeTSARFC 3161 timestamping (optional; if enabled)US

Note: LLM provider selection is customer-configurable. If Customer selects CometAPI, data may be processed in Hong Kong. Customers requiring US-only processing should select OpenRouter or other US-based providers.

The current Subprocessor list is also available at: semswitch.com/privacy (Section 8).

Exhibit A: EU Standard Contractual Clauses (SCCs)

The EU Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 are incorporated by reference and available at:

EUR-Lex: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj

The Annexes to the SCCs shall be completed using the information set forth in Annexes I, II, and III of this DPA.

Exhibit B: UK International Data Transfer Addendum

The UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (Version B1.0, in force 21 March 2022) is incorporated by reference and available at:

ICO: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/

The UK Addendum is appended to the SCCs referenced in Exhibit A. The required tables and appendix information shall be completed using the information set forth in Annexes I, II, and III of this DPA.

Table 1 (Parties): As set forth in Annex I.A of this DPA.

Table 2 (Selected SCCs): Module Two (Controller to Processor) of the Approved EU SCCs, including the Appendix Information.

Table 3 (Appendix Information): As set forth in Annexes I, II, and III of this DPA.

Table 4 (Ending the Addendum): Neither party may end the UK Addendum as set out in Section 19 of the UK Addendum.

Signature

This DPA is incorporated into and governed by the Agreement. By executing an Order Form that references this DPA, or by using the Services after the Effective Date, Customer agrees to the terms of this DPA.

For execution via countersignature, contact: legal@semswitch.com

Version 1.0 — Effective January 1, 2026