Data Processing Agreement

This Data Processing Agreement (“DPA”) supplements the Sovereign AI Terms of Service and governs how Sovereign AI processes Personal Data on behalf of its customers (the “Controller”) when they use the platform.

This DPA applies to processing subject to the GDPR (Regulation (EU) 2016/679), the UK GDPR, the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and other state privacy laws (e.g. CDPA, CPA, CTDPA, UCPA).

Customer is the data Controller of any Personal Data uploaded to, captured by, or generated through the platform on Customer's behalf (e.g. lead records, customer reviews, call transcripts, email recipient lists). Sovereign AI acts as data Processor.

Sovereign AI processes Personal Data only on documented Customer instructions (which include the platform configuration the Customer chooses) and only for the purposes of providing the contracted services.

Sovereign AI engages the following sub-processors to deliver the platform. Customer authorizes their use by entering into the Terms of Service.

• Vercel Inc. (United States) — application hosting, edge runtime, build infrastructure.
• Neon Inc. (United States) — managed PostgreSQL database.
• Stripe, Inc. (United States) — payment processing. Stripe is an independent Controller for payment data per its own DPA.
• Twilio Inc. (United States) — voice and SMS delivery.
• SendGrid (Twilio) (United States) — transactional and marketing email delivery.
• Anthropic PBC (United States) — Claude API for AI generation. Per Anthropic's data policy, Customer Personal Data sent through the API is not used to train Anthropic models.
• Sentry (Functional Software, Inc., United States) — error monitoring; PII scrubbing applied at the application boundary.

Sovereign AI will notify Customer of any new sub-processor at least 30 days in advance via email to the account's admin address, and Customer may object in writing within that window.

Personal Data transferred from the European Economic Area, the United Kingdom, or Switzerland to the United States is subject to the Standard Contractual Clauses (SCCs) under Commission Implementing Decision (EU) 2021/914, which are incorporated into this DPA by reference. Customer may request a countersigned copy by emailing privacy@trysovereignai.com.

• TLS 1.2+ for all data in transit between client and platform.
• Encryption at rest for the production database (managed by Neon) and all Vercel-hosted environment variables.
• Per-tenant data isolation enforced at the application layer via mandatory requireClient() / requireAdmin() guards on every dashboard and admin API route.
• Webhook signature verification (Stripe, SendGrid, Twilio, Telegram) on all inbound provider events.
• Per-route rate limiting with token-bucket algorithm to mitigate abuse and brute force.
• Sentry error monitoring with PII scrubbing applied before events leave the application.
• Principle of least privilege for sub-processor access; no sub-processor receives Personal Data outside its specific function.

Sovereign AI will assist Customer in responding to data subject access, rectification, erasure, restriction, portability, and objection requests (Articles 15-22 GDPR; comparable CPRA rights). Self-serve export and deletion are available in the dashboard at /dashboard/data-export and /dashboard/data-deletion. For requests outside the self-serve flow, email privacy@trysovereignai.com with the request details and the affected account; we respond within 30 days.

Sovereign AI will notify Customer without undue delay (and within 72 hours where feasible under the GDPR) after becoming aware of a Personal Data Breach affecting Customer's data, with the information available at the time and updates as the investigation progresses.

On termination of the underlying service agreement, Sovereign AI will, at Customer's choice, return or delete all Personal Data processed on Customer's behalf within 90 days, unless retention is required by applicable law.

Backups are retained on a rolling 35-day window and overwritten in due course. Customer may request earlier purge in writing.

Customer may request, no more than once per twelve-month period, a written summary of Sovereign AI's security controls and sub-processor list. On-site audits are not generally permitted; in lieu, Sovereign AI will respond to reasonable security questionnaires from Customer's information-security team within a reasonable timeframe.

For Customers requiring a countersigned DPA (typical for enterprise procurement), email legal@trysovereignai.com with your business name and the email address of your authorized signatory. We will return a signed copy within five business days.