
Legal · GDPR Article 28

Data Processing Agreement

Effective: March 2026

1. Parties

This Data Processing Agreement (“DPA”) is entered into between the customer organization (“Controller”) and Rankigi Inc., a Delaware C-Corp (“Processor”), collectively the “Parties.” This DPA supplements the Terms of Service and governs the processing of personal data by the Processor on behalf of the Controller.

2. Subject Matter and Duration

The Processor provides AI agent governance infrastructure, including tamper-evident cryptographic audit trails, policy enforcement, behavioral profiling, and compliance reporting. This DPA remains in effect for the duration of the Controller's subscription and for 90 days following termination, during which data deletion is completed.

3. Nature and Purpose of Processing

The Processor processes data solely to provide the governance services described in the Terms of Service. Processing activities include: receiving and hashing agent event payloads; computing and storing SHA-256 hash chains; generating behavioral profiles and governance reports; evaluating and enforcing compliance policies; and providing dashboard access to audit trails and verification results.

4. Types of Personal Data Processed

RANKIGI is designed to minimize personal data processing. The categories of data processed include:

Hashed event metadata: SHA-256 hashes of agent event payloads, agent IDs, action types, tool identifiers, timestamps, and severity levels. Raw payloads are hashed before storage — the Processor does not store raw PII.

Account data: Name, email address, and organization name of authorized users.

Authentication tokens: API keys (peppered and hashed before storage — raw keys are not retained).

The Controller is responsible for ensuring that raw sensitive data is not included in event payloads sent to the Service.

5. Categories of Data Subjects

Data subjects include: authorized users of the Controller's RANKIGI account (employees, contractors, administrators); and individuals whose data may be indirectly referenced in hashed event metadata (end users of the Controller's AI agents).

6. Obligations of the Processor

The Processor shall: process personal data only on documented instructions from the Controller; ensure that persons authorized to process personal data have committed to confidentiality; implement appropriate technical and organizational security measures; assist the Controller in responding to data subject requests; notify the Controller of any data breach without undue delay and in any event within 72 hours; assist the Controller with data protection impact assessments where required; delete or return all personal data upon termination of the agreement; and make available all information necessary to demonstrate compliance with GDPR Article 28.

7. Sub-processors

The Processor uses the following sub-processors:

Supabase Inc. — Database hosting, authentication, and row-level security (US-based infrastructure; EU available for Enterprise)
Railway Corp. — Application hosting and deployment (US-based)
Stripe Inc. — Payment processing and subscription management
Intercom Inc. — Customer support and live chat

The Controller will be notified at least 30 days before any new sub-processor is engaged. The Controller may object to a new sub-processor within 14 days of notification. If the objection cannot be resolved, the Controller may terminate the agreement.

8. International Transfers

Personal data is processed and stored in US-based infrastructure by default. For transfers of personal data from the EEA to the United States, the Processor relies on Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914). Enterprise customers may request EU-based data residency with dedicated infrastructure. The Processor maintains appropriate safeguards for all international data transfers.

9. Security Measures

The Processor maintains the following technical and organizational security measures: encryption of all data in transit (TLS 1.3) and at rest (AES-256); SHA-256 hash chain integrity with cryptographic tamper detection; row-level security enforced at the database layer (Supabase RLS); API key authentication with peppered hashing; append-only event ledger with database-level immutability triggers preventing UPDATE and DELETE operations; RBAC access controls (admin, auditor, read-only roles); regular security assessments; and SOC 2 Type II certification (in progress, targeting Q4 2026).

10. Breach Notification

In the event of a personal data breach, the Processor shall: notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach; provide the Controller with sufficient information to meet the Controller's obligations under GDPR Articles 33 and 34; cooperate with the Controller in investigating and mitigating the breach; and document the breach, its effects, and the remedial actions taken.

11. Deletion on Termination

Upon termination of the agreement, the Processor shall: provide a 14-day window for the Controller to export data; delete all personal data within 90 days of termination; provide written confirmation of deletion upon request; and retain no copies of personal data except where required by applicable law.

12. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA. Audits may be conducted: annually, with 30 days' written notice; by the Controller or an independent third-party auditor; and subject to reasonable confidentiality obligations. The Processor will cooperate fully and provide access to relevant documentation, systems, and personnel. Enterprise customers may negotiate enhanced audit provisions, including on-site inspections.

For a signed copy of this DPA, contact legal@rankigi.com.