Data Processing Addendum

This Data Processing Addendum ("DPA") supplements our Terms of Service (or any separately-signed Master Services Agreement). By using the Service after the date at the top of this page, you agree to this DPA on behalf of yourself and the entity you represent.

For a counter-signed PDF (often required by enterprise procurement teams), email privacy@autono.sh with your company name and signing authority. We will send back a counter-signed copy at no cost.

Unless otherwise defined here, capitalised terms have the meaning given in our Terms of Service or in the GDPR.

• "Customer" (also "you") means the entity that has agreed to the Terms of Service.
• "System2" (also "we," "us") means Autono Labs, Inc., a Delaware corporation, which operates the System2 service. ("System2" is the product name; the contracting legal entity is Autono Labs, Inc.)
• "Customer Personal Data" means personal data within Customer Content that System2 processes on Customer's behalf as part of providing the Service.
• "Data Protection Laws" means the EU GDPR, the UK GDPR, the Swiss FADP, the CCPA/CPRA, and any other applicable data-protection or privacy law.
• "SCCs" means the Standard Contractual Clauses adopted by the European Commission in Decision 2021/914.
• "UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner.
• "Subprocessor" means any third party engaged by System2 to process Customer Personal Data, as listed at /subprocessors.

For Customer Personal Data, Customer is the "controller" (or, if Customer is itself acting as a processor for an upstream controller, Customer is a "processor"), and System2 is a "processor" (or "subprocessor," as applicable).

For account data and product telemetry that System2 collects to operate, secure, and improve the Service (described in our Privacy Policy), System2 is a controller in its own right. That data is out of scope for this DPA but is governed by our Privacy Policy.

System2 processes Customer Personal Data only on Customer's documented instructions. The Terms of Service, the Service's feature configuration in Customer's workspace, and Customer's interactions with the Service constitute Customer's instructions.

If System2 is required by law to process Customer Personal Data outside those instructions, we will (where legally permitted) inform Customer before processing.

The categories of data subjects, personal data, and processing activities covered by this DPA are described in Annex I (below). The duration of processing is the term of the Terms of Service plus the retention period described in our Privacy Policy.

System2 ensures that personnel authorised to process Customer Personal Data are bound by confidentiality obligations (by employment agreement or contract) and are trained in our security and privacy practices.

System2 implements appropriate technical and organisational measures to protect Customer Personal Data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure. The measures are described in Annex II (below) and on our Security page.

Customer authorises System2 to engage Subprocessors to process Customer Personal Data, subject to the terms of this Section 7. The current list of Subprocessors is at /subprocessors and is incorporated into this DPA.

System2 will:

• Sign a written agreement with each Subprocessor that imposes data protection obligations no less protective than those in this DPA;
• Remain liable to Customer for the acts and omissions of its Subprocessors;
• Provide at least 30 days' advance notice of any new or replacement Subprocessor by updating /subprocessors and notifying account admins.

Customer may object to a new Subprocessor on reasonable data-protection grounds within the notice period. If we can't agree on an alternative, Customer may terminate the affected portion of the Service for cause without penalty.

Taking into account the nature of the processing, System2 will assist Customer (by appropriate technical and organisational measures, where possible) to fulfil Customer's obligations to respond to requests by data subjects exercising their rights under Data Protection Laws. Most rights can be self-served via the Service's account-management features; for the remainder, contact us at privacy@autono.sh.

If a data subject contacts System2 directly with a rights request, we will (where lawful) forward it to Customer rather than respond ourselves.

System2 will notify Customer's account admin contact(s) without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Personal Data. The notice will include, to the extent known at that time:

• The nature and scope of the breach;
• The categories and approximate number of data subjects and records affected;
• The likely consequences and the measures taken or proposed to address the breach.

We will provide subsequent updates as the investigation progresses.

System2 will provide reasonable assistance to Customer in conducting Data Protection Impact Assessments and prior consultations with supervisory authorities, where required by Data Protection Laws and taking into account the information available to System2.

System2 will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. On reasonable request and no more than once per 12-month period (unless required by a regulator or following a material security incident), System2 will:

• Respond to a security questionnaire reasonable in scope and timing;
• Provide copies of relevant audit reports (e.g. SOC 2 once available) under NDA;
• Allow Customer to conduct an audit (or to mandate an independent third-party auditor at Customer's expense) of System2's data-processing facilities, with reasonable advance notice and during business hours, in a way that does not unreasonably disrupt the Service.

For transfers of Customer Personal Data from the EEA, UK, or Switzerland to a country not the subject of an adequacy decision, the parties agree:

• EEA transfers — the SCCs (Module 2: controller-to-processor; Module 3: processor-to-processor, where applicable) are incorporated by reference. The optional docking clause applies. Annex I and II of this DPA serve as Annex I and II of the SCCs.
• UK transfers — the UK Addendum is incorporated by reference, with Customer as the data exporter and System2 as the data importer. Tables 1-3 are completed by reference to Annex I and II of this DPA.
• Swiss transfers — the SCCs apply with references to GDPR construed as references to the Swiss FADP, and supervisory-authority references construed as the Swiss FDPIC where the transfer is exclusively governed by Swiss law.

On termination of the Terms of Service, System2 will (at Customer's choice) delete or return all Customer Personal Data to Customer, and delete existing copies, unless legally required to retain them. The Service's standard retention schedule (described in our Privacy Policy) applies as the default unless Customer requests otherwise.

Each party's liability under this DPA is subject to the limitations and exclusions in the Terms of Service. Nothing in this DPA limits liability that cannot be limited under Data Protection Laws.

In the event of any conflict, the order of precedence is: (1) the SCCs (where applicable); (2) this DPA; (3) the Terms of Service or any separately-signed master agreement.

• Subject matter— provision of an AI-powered operations platform ("System2") that processes messages and connected-service data on Customer's instruction.
• Nature and purpose — hosting, transmitting, displaying, and analysing Customer Content; calling Anthropic to generate AI responses; calling third-party Integrations Customer has connected.
• Categories of data subjects — Customer's authorised users (operators, admins), Customer's employees and contractors mentioned in Customer Content, third parties whose data Customer chooses to send through the Service.
• Categories of personal data — names, email addresses, profile data, message content, files attached to chats, OAuth credentials for Integrations, and any personal data Customer chooses to include in Customer Content.
• Special category data — none, by default. Customer should not submit special category data without separate written agreement.
• Frequency of transfer — continuous, as Customer uses the Service.
• Retention period — for the term of the Service plus 30 days after account deletion, plus standard backup-expiry, plus longer where legally required (see our Privacy Policy).
• Subprocessors and recipients — see /subprocessors.
• Competent supervisory authority (SCC Clause 13) — for EEA exporters, the supervisory authority of the data exporter's establishment. For non-EEA exporters subject to GDPR, the supervisory authority of System2's appointed EU Article 27 representative once designated; until designation is complete, EEA data subjects may lodge complaints with the supervisory authority of their habitual residence, place of work, or place of the alleged infringement.

System2 maintains the technical and organisational measures described on our Security page, which include (at minimum):

• Encryption — TLS 1.3 in transit; AES-256 at rest in the database; AES-256-GCM at the application layer for OAuth tokens and Integration credentials.
• Access control — named-engineer access only, via SSO and short-lived credentials; tenant isolation enforced by application middleware.
• Resilience — multi-machine production deploy; daily backups; point-in-time recovery; automated rollback on smoke failure.
• Monitoring — error tracking via Sentry (with server-side redaction of authorization/cookie headers and a defined list of sensitive body keys); uptime via Better Stack; deploy events posted to internal channels.
• Personnel — all staff bound by written confidentiality obligations and access only on a need-to-know basis. Formal background checks and a recurring security-training program will be introduced as the team grows; their absence today reflects company size, not policy.
• Incident response — documented playbook; 72-hour notification SLA; post-incident review.

The authorised Subprocessors processing Customer Personal Data on System2's behalf as of the date at the top of this page are:

The canonical, continuously-updated list lives at /subprocessors. Changes are made in accordance with Section 7 (30-day prior notice and right to object).

Order of precedence. In the event of a conflict between this DPA and the Terms, this DPA controls for the subject matter it covers. Where the SCCs apply, they prevail over both for transfers within their scope.

Assignment.Neither party may assign this DPA without the other's prior written consent, except that either party may assign it to an affiliate or in connection with a merger, acquisition, or sale of substantially all of its assets, in each case on notice to the other party. Any attempted assignment in breach of this section is void.

Severability. If any provision of this DPA is held unenforceable, the remaining provisions remain in effect, and the parties will replace the unenforceable provision with one that achieves, as closely as legally permissible, the original intent.

No third-party beneficiaries. Except for data subjects' rights under the SCCs and GDPR (which the parties acknowledge), this DPA creates no rights in any third party.

Email privacy@autono.sh with your company name and the email address you'd like the signed PDF sent to. We respond within 5 business days. There is no fee.