Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of and is incorporated into the Terms of Service (“Terms”) by and between the Controller and the Processor.

1. Parties to this Agreement

| Role | Entity Details |
| --- | --- |
| Data Controller (“Controller”) | The customer, organization, or entity that has agreed to the Terms of Service and uses the Services. The Controller’s details are determined by the billing and account information provided during registration. |
| Data Processor (“Processor”) | Glorium Technologies LTD, Neofytou Nikolaidi & Theodorou Kolokotroni ONISIFOROU CENTER, 2nd floor Agios Theodoros Paphos 8011 Cyprus |

Contacts for Data Protection: Notices to the Processor shall be sent to contact@cogniagent.ai. Notices to the Controller shall be sent to the email address registered in the Controller’s account. 

2. Details of Data Processing

| Subject | Description |
| --- | --- |
| Terms of Service | This DPA is subject to the Terms of Service between the parties. |
| Subject Matter | The subject matter of the processing is the performance of the services as described in the Terms of Service. |
| Nature and Purpose of Processing | The Processor will process Personal Data to provide the cloud-based software-as-a-service (SaaS) platform, features, tools, and support as specified in the Terms of Service. |
| Duration of Processing | For the term of the Terms of Service, unless otherwise required by applicable law. |
| Types of Personal Data | The types of Personal Data processed may include, but are not limited to: • Contact Information: such as name, email address, phone number, and physical address. • Technical Information: such as IP addresses, browser type, device information, cookies, and usage data. • Professional Information: such as job title, company name, and professional contact details. • Financial Information: such as billing details and payment information. • User-Generated Content: any personal data provided by the user in the course of using the services. |
| Categories of Data Subjects | The data subjects may include the Controller’s employees, customers, vendors, and service providers. |

3. Terms of the Agreement

3.1. Definitions

  • For the purposes of this DPA, “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, and “Processor” shall have the meanings ascribed to them in the applicable Data Protection Laws.
  • “Data Protection Laws” means all applicable laws and regulations relating to data protection and privacy, including but not limited to the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK Data Protection Act 2018, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and any other relevant legislation.
  • “Sub-processor” means any third-party processor engaged by the Processor to process Personal Data under this DPA.
  • “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as approved by the European Commission.

3.2. Obligations of the Parties

  • Processor’s Obligations: The Processor shall:
    • Only process Personal Data on behalf of and in accordance with the Controller’s documented instructions, including with regard to transfers of Personal Data to a third country, unless required to do so by law.
    • Not sell, retain, or use any Personal Data for any purpose other than as permitted by this DPA and the Terms of Service.
    • Ensure that all persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
    • Implement and maintain the technical and organizational measures specified in Annex 1 to ensure a level of security appropriate to the risk.
    • Notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach.
    • Provide reasonable assistance to the Controller in responding to requests from Data Subjects exercising their rights under Data Protection Laws.
    • Upon termination of the Terms of Service, at the choice of the Controller, delete or return all Personal Data to the Controller, and delete existing copies unless applicable law requires storage of the Personal Data.
    • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
  • Controller’s Obligations: The Controller represents and warrants that:
    • It has a valid legal basis for the processing of Personal Data by the Processor.
    • It has provided all necessary notices and obtained all necessary consents from Data Subjects.
    • Its instructions to the Processor for the processing of Personal Data shall comply with all applicable Data Protection Laws.

3.3. Sub-processing

  • The Controller provides a general authorization for the Processor to engage Sub-processors. The Processor’s current list of Sub-processors is detailed in Annex 2.
  • The Processor shall inform the Controller of any intended changes concerning the addition or replacement of other Sub-processors, thereby giving the Controller the opportunity to object to such changes.
  • Where the Processor engages a Sub-processor, the Processor shall enter into a written agreement with such Sub-processor imposing data protection obligations that are, in substance, no less protective than those set out in this DPA, to the extent applicable to the nature of the services provided by such Sub-processor. 

3.4. Customer-Enabled Third-Party Integrations

For clarity, third-party services or tools that are enabled, connected, or configured by the Controller, including through the Controller’s own account, API key, credentials, tokens, or integration settings, are not considered Sub-processors of the Processor under this DPA, unless the Processor separately engages such third party as its own Sub-processor for the provision of the Services.

Any Personal Data transferred to such third-party services or tools is transferred at the Controller’s instruction and is governed by the Controller’s separate agreement and data protection arrangements with the relevant third party. The Controller is responsible for assessing the lawfulness, security, and data protection compliance of such third-party services or tools.

3.5. Web Search and Web Extraction Features

The Services may allow the Controller and its authorized users to submit search queries, URLs, prompts, or other content for web search, web extraction, retrieval, and further processing.

The Controller is responsible for all information submitted through such features and shall not submit Personal Data, sensitive data, confidential information, or third-party Personal Data unless it has a valid legal basis and all necessary rights, notices, consents, and authorizations.

The Controller acknowledges that such submissions may be transmitted to third-party search, retrieval, or extraction providers engaged to provide the relevant functionality, and that the Processor does not control or pre-screen the content of queries, URLs, prompts, or other content submitted by the Controller or its authorized users.

3.6. International Data Transfers

  • The Processor shall not transfer Personal Data outside the European Economic Area (EEA), the UK, or another jurisdiction with an adequacy decision without ensuring appropriate safeguards are in place, such as the Standard Contractual Clauses (SCCs).

3.7. General Provisions

  • Order of Precedence: In the event of a conflict, the terms of this DPA shall prevail over the terms of the Terms of Service.
  • Governing Law and Jurisdiction: This DPA and any disputes arising from it shall be governed by the laws and jurisdiction stipulated in the Terms of Service.
  • Amendments: Any amendments to this DPA must be in writing and signed by both parties.

4. Incorporation and Acceptance 

By accepting the Terms of Service, the Controller acknowledges and agrees to be bound by the terms of this Data Processing Addendum. No separate signature is required for this DPA to be legally binding between the parties. 

ANNEX 1: Security Measures

This Annex describes the technical and organizational security measures implemented by the Processor to protect Personal Data.

1. Infrastructure & Environment

  • Hosting: Hosted on a secure private cloud infrastructure located within the European Union (EU).
  • Orchestration: Utilization of container orchestration technologies (e.g., Kubernetes and Helm).
  • Management: Infrastructure is managed via Infrastructure-as-Code (IaC) principles.
  • Environment Isolation: Strict logical separation of environments (Development, Staging, and Production).
  • Data Restrictions: No Customer Personal Data is stored or processed in non-production environments.

2. Data Storage & Protection

  • Database: Data is stored using secure, cloud-native relational databases (e.g., PostgreSQL).
  • Encryption in Transit: All data in transit is encrypted using industry-standard protocols (TLS 1.2 or higher).
  • Data Residency: All data resides within a data center located in the EU.

3. Access & Credential Security

  • External Integration: Utilization of external integration providers to minimize the storage of credentials.
  • Encryption at Rest (Credentials): Where storage is strictly required, credentials (such as API keys and OAuth tokens) are encrypted at rest.
  • Secrets Management: Documented secrets management practices are implemented and enforced.

4. Availability & Resilience

  • Auto-scaling: Auto-scaling mechanisms are enabled to ensure continued availability during traffic fluctuations.
  • Load Balancing: Load balancing is utilized to distribute system traffic effectively and maintain stability.

5. Backup & Recovery

  • Backups: Real-time and continuous database backup procedures are implemented.
  • Restoration: Backup restoration procedures are regularly tested to ensure data integrity and recoverability.

6. Monitoring & Logging

  • Observability: Utilization of specialized system monitoring and observability tools.
  • Logging Capabilities: Comprehensive logging is implemented to support system monitoring, troubleshooting, and audit visibility.

7. Integrations & Data Flow

  • External Systems: The platform supports integrations with external systems, including CRM, ERP, and other third-party tools, as configured by the Controller. 
  • Data Ingestion: Data may flow into and out of the platform through controlled API endpoints, authentication mechanisms, and integration settings.
  • Integration Controls: The Processor implements reasonable technical controls for integrations under its control, including access controls, authentication, logging, and secure transmission where applicable. 

8. Key Security Principles Enforced

  • Environment isolation.
  • Data segregation.
  • Encryption (in transit for all data, and at rest for credentials).
  • Controlled data exposure (Principle of Least Privilege).
  • Continuous operational monitoring.

ANNEX 2: Sub-processors

This Annex lists the Sub-processors authorized by the Controller to process Personal Data.

| Subprocessor | Purpose | Applicable Service | Location |
| --- | --- | --- | --- |
| Pipedream | Workflow automation and integrations | Workflows, integrations, webhooks and API connections | United States |
| Google Cloud / Vertex AI | Cloud AI / machine learning processing | AI processing, prompts, model inputs/outputs, embeddings and related AI workflows | Customer-selected Google Cloud region or multi-region |
| Mailgun / Sinch Email | Transactional email delivery | Service emails | US or EU, depending on selected Mailgun region |
| Stripe | Payment processing | Payments and billing | Global |
| OVHcloud | Cloud hosting / infrastructure services | Hosting infrastructure | Selected OVHcloud region |
| Brevo | Email communications and transactional email delivery | Email / SMTP / API communications | EU / France and Belgium |
| Pipedrive | Customer relationship management and sales pipeline management | CRM platform | Estonia / European Union |
| HubSpot | CRM, marketing, sales and customer communications management | HubSpot customer platform / CRM tools | Global |
| PostHog | Product analytics and feature management | Analytics, event tracking, session replay, feature flags and related product tools | EU or US, depending on selected PostHog Cloud hosting option |
| Deepgram | Speech and voice AI processing | Speech-to-text, text-to-speech, audio intelligence and voice agent APIs | US or EU, depending on selected endpoint / configuration |
| LiveKit | Real-time audio/video communications and AI voice infrastructure | LiveKit Cloud, APIs, agents, media transport, signaling and related services | Selected LiveKit Cloud region; certain logs/telemetry may be processed in the United States |
| Composio / Sampark Inc. | AI agent integrations and tool-call orchestration | Composio Application Services, including integrations, tool calls, authentication/authorization flows and related support | United States, unless regional hosting is expressly available and selected |
| OpenRouter | AI model routing and inference gateway | API access to third-party AI models, including prompt/completion routing and related services | United States or other locations depending on selected model providers and configuration |
| Tavily / AlphaAI Technologies Inc. | Web search and content retrieval for AI agents | Tavily Search / Extract / Crawl APIs | United States |


The scope and categories of Customer Personal Data processed by each Subprocessor depend on Customer’s configuration and use of the Services. Each Subprocessor processes Customer Personal Data only as necessary to provide its respective services.

Where applicable, international transfers are protected by Standard Contractual Clauses or other appropriate safeguards.