Codia

Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between Codia Tech, LLC, a Delaware limited liability company with its registered address at 1111B S Governors Ave STE 21043, Dover, DE 19904, United States ("Processor" or "Codia"), and the customer identified in the applicable order form ("Controller" or "Customer"). It applies when Codia processes Personal Data on behalf of Customer in the course of providing the Services.

By using the Services on behalf of a business entity, Customer accepts this DPA. Enterprise customers may also execute a countersigned copy on request to [email protected].

1. Definitions

Capitalized terms used but not defined here have the meanings given in the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, the Brazilian Lei Geral de Proteção de Dados ("LGPD"), the Korean Personal Information Protection Act ("PIPA") or the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), as applicable.

2. Roles

For Personal Data that Customer or Customer's end users submit to the Services, Customer is the Controller and Codia is the Processor. Codia will process Personal Data only on documented instructions from Customer, including with regard to transfers, except where required by law.

3. Scope and duration

Codia processes Personal Data for the purposes, duration, categories of data and categories of data subjects described in Annex A.

4. Codia's obligations

Codia will:

  • process Personal Data only on Customer's documented instructions (including the instructions contained in the Agreement and this DPA);
  • ensure that persons authorized to process Personal Data are bound by confidentiality;
  • implement the technical and organizational measures described in Annex B (GDPR Art. 32);
  • assist Customer in responding to Data-Subject Requests (GDPR Art. 12–22) using the tools made available in the Services;
  • assist Customer with its obligations under GDPR Art. 32–36 (security, breach notification, DPIAs, prior consultation) taking into account the nature of processing and information available to Codia;
  • notify Customer without undue delay and in any event within 72 hours of becoming aware of a Personal-Data Breach affecting Customer Personal Data;
  • make available to Customer all information necessary to demonstrate compliance with Article 28 GDPR and allow for audits (subject to reasonable advance notice, confidentiality and frequency limits — see §9).

5. Sub-processing

Customer authorizes Codia to engage the sub-processors listed at /docs/subprocessors and to add or replace sub-processors, subject to the following:

  • Codia will post changes at /docs/subprocessors and notify enterprise Customers by email or in-product notice at least 30 days before a new sub-processor starts processing Personal Data.
  • Customer may object on reasonable data-protection grounds within the notice period. If the objection cannot be resolved, Customer may terminate the affected Services and receive a pro-rated refund of prepaid but unused fees.
  • Each sub-processor is bound by a written contract imposing data-protection obligations at least as protective as this DPA.

6. International transfers

Where Codia transfers Personal Data out of the EEA, the UK, Switzerland, Brazil, Korea, Japan, Singapore, Hong Kong, Taiwan or any other jurisdiction in which the data subject is located, to a country that is not covered by an adequacy decision of the relevant authority, the transfer is governed by:

  • EU to third country: the EU Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 (the "EU SCCs"), with the Modules identified below incorporated by reference and deemed signed by the parties upon acceptance of this DPA.
    • Module 2 (Controller → Processor) applies where Customer is Controller and Codia is Processor.
    • Module 3 (Processor → Sub-processor) applies between Codia and its sub-processors.
    • Clause 7 (docking) is not used.
    • Clause 9(a) option 2 (general written authorization) applies with 30 days' notice.
    • Clause 11(a) optional wording is not included.
    • Clause 17 option 1 applies; the governing law is the law of Ireland.
    • Clause 18(b) venue is the courts of Ireland.
    • Annex I.A, I.B, I.C populated by reference to Annex A and Annex C of this DPA.
    • Annex II populated by reference to Annex B of this DPA.
  • UK to third country: the ICO's International Data Transfer Addendum to the EU SCCs (version B1.0) or the International Data Transfer Agreement (IDTA), each deemed signed by the parties.
  • Switzerland: the EU SCCs as amended to reflect FDPIC guidance.
  • Brazil: LGPD-compliant contractual clauses, and where necessary, Customer's explicit consent.
  • Korea: cross-border transfer consent under PIPA Article 28, obtained by Customer from its end users.
  • Japan: APPI Article 28 disclosure and consent, obtained by Customer from its end users.

Codia is evaluating self-certification under the EU–US Data Privacy Framework, the UK Extension and the Swiss–US DPF. Until certification is in place, transfers rely on the SCCs and mechanisms described above.

7. Data-subject requests

Codia will, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures — including self-service deletion, data-export and rectification tools within the Services — in fulfilling Customer's obligation to respond to requests exercising rights under GDPR, UK GDPR, LGPD, PIPA, CCPA/CPRA and similar laws.

Where Codia receives a data-subject request directly, Codia will promptly forward it to Customer and not respond except on Customer's instructions or as required by law.

8. Return or deletion

Upon termination of the Services, Codia will, at Customer's choice, delete or return all Personal Data processed on Customer's behalf within 30 days (the "Grace Period") and delete existing copies, except to the extent applicable law requires retention. Backups are rolled off within 90 days.

9. Audit

Codia will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, including the most recent SOC 2 Type II / ISO 27001 reports where available. Customer may request an on-site audit with 30 days' advance written notice, no more than once per 12-month period, during business hours and subject to confidentiality — provided that audits prompted by a suspected material breach or by a competent authority are not subject to the frequency cap.

10. CCPA Service-Provider terms

With respect to Personal Information subject to the CCPA/CPRA:

  • Codia is a "Service Provider" and will not (i) "sell" or "share" Personal Information, (ii) retain, use or disclose Personal Information other than for the specific business purposes of providing the Services, (iii) retain, use or disclose Personal Information outside the direct business relationship, or (iv) combine Personal Information received from Customer with Personal Information received from other sources, except as permitted by the CCPA/CPRA and regulations thereunder.
  • Customer may take reasonable steps to ensure that Codia uses Personal Information consistent with Customer's obligations under the CCPA/CPRA.
  • Codia will notify Customer if it determines it can no longer meet these obligations.

11. Liability

The liability of each party under this DPA is subject to the exclusions and limitations in the Agreement.

12. Term and termination

This DPA is effective from the date Customer accepts it (by executing an order form, subscribing to a paid plan, or continuing to use the Services) and remains in force for as long as Codia processes Personal Data on Customer's behalf.

13. Order of precedence

In the event of any conflict between this DPA, the SCCs and the Agreement, the following order of precedence applies: (1) the SCCs, (2) this DPA, (3) the Agreement.


Annex A — Description of Processing

  • Subject matter: Provision of the Services described in the Agreement.
  • Duration: Term of the Agreement plus the Grace Period described in §8.
  • Nature and purpose: Hosting, storage, processing of User Content and account data; generation of AI outputs in response to Customer prompts.
  • Categories of data subjects: Customer's employees, contractors, end users, and persons depicted in User Content submitted by Customer.
  • Categories of Personal Data: Contact data (name, email); account credentials; User Content that Customer chooses to submit (which may include files, images, documents and text); usage data; device and log data.
  • Sensitive data: Customer should not submit special-category data (GDPR Art. 9) or equivalent sensitive data unless expressly agreed in writing.
  • Frequency of processing: Continuous for the Term.
  • Retention: As specified in §7 of the Privacy Policy and §8 of this DPA.

Annex B — Technical and Organizational Measures

Codia maintains a security program that includes, at minimum:

  • Encryption: TLS 1.2+ in transit; AES-256 at rest for stored artifacts.
  • Network security: AWS VPC isolation, security groups, WAF.
  • Access control: Role-based access control; least-privilege provisioning; SSO and MFA for employees; quarterly access reviews; secret rotation.
  • Personnel: Background checks where permitted by law; security training on hire and annually.
  • Vendor management: Written DPAs; security review before onboarding.
  • Incident response: 24×7 on-call; breach-notification process compliant with GDPR Art. 33, LGPD Art. 48 and applicable law.
  • Vulnerability management: Continuous dependency scanning; annual third-party penetration testing; vulnerability-disclosure channel at [email protected].
  • Business continuity / disaster recovery: Multi-AZ deployment; regular backup testing.
  • Audit and monitoring: Security logging and alerting; retention for at least 90 days.
  • Certifications / attestations: SOC 2 Type II and ISO/IEC 27001 readiness in progress.

Annex C — Authorized Sub-processors

See /docs/subprocessors, as updated from time to time.


Questions: [email protected].