Legal · GDPR Article 28

Data Processing Agreement

Effective: March 2026

1. Parties

This Data Processing Agreement (“DPA”) is entered into between the customer organization (“Controller”) and RANKIGI Inc., a Delaware C-Corp (“Processor”), collectively the “Parties.” This DPA supplements the Terms of Service and governs the processing of personal data by the Processor on behalf of the Controller.

2. Subject Matter and Duration

The Processor provides AI agent execution proof infrastructure, including tamper-evident cryptographic audit trails, policy enforcement, behavioral profiling, and compliance reporting. This DPA remains in effect for the duration of the Controller's subscription and for 90 days following termination, during which data deletion is completed.

3. Nature and Purpose of Processing

The Processor processes data solely to provide the execution proof services described in the Terms of Service. Processing activities include: receiving and hashing agent event payloads; computing and storing SHA-256 hash chains; generating behavioral profiles and execution proof reports; evaluating and enforcing compliance policies; and providing dashboard access to audit trails and verification results.

4. Types of Personal Data Processed

RANKIGI minimizes personal data processing. The categories of data processed include:

Section 4(a) - Canonical Event Record: For each agent event, RANKIGI retains a canonical event record containing structured metadata (action type, tool invoked, timestamps, policy outcomes, and agent identifiers). This canonical record is used to compute and verify the tamper-evident chain hash. It does not contain raw prompt text, model outputs, or sensitive payload content unless the customer's agent explicitly includes such content in structured metadata fields. The canonical record is stored as pseudonymized data under GDPR Article 4(5). Customers may request verification of this retention constraint under Article 28(3)(h).

Section 4(b) - Encrypted Evidence Retention: Customers on the applicable subscription tier may enable encrypted evidence retention by setting their organisation storage mode to encrypted. Under this mode, RANKIGI stores the canonical event record in two forms: a SHA-256 hash in the payload_canonical field (used for chain integrity verification) and an AES-256-GCM encrypted envelope in the payload_canonical_encrypted field. RANKIGI staff can access the encrypted envelope only through the reveal endpoint, which requires active authentication and writes a tamper-evident, append-only audit record for every access. The SHA-256 hash is not reversible to the original content. True customer-managed key (BYOK) support, under which RANKIGI holds no decryption capability, is targeted for Q3 2026.

Account data: Name, email address, and organization name of authorized users.

Authentication tokens: API keys (peppered and hashed before storage; raw keys are not retained).

The Controller is responsible for ensuring that raw sensitive data is not included in event payloads sent to the Service.

5. Categories of Data Subjects

Data subjects include: authorized users of the Controller's RANKIGI account (employees, contractors, administrators); and individuals whose data may be indirectly referenced in hashed event metadata (end users of the Controller's AI agents).

6. Obligations of the Processor

The Processor shall: process personal data only on documented instructions from the Controller; ensure that persons authorized to process personal data have committed to confidentiality; implement appropriate technical and organizational security measures; assist the Controller in responding to data subject requests; notify the Controller of any data breach without undue delay and in any event within 72 hours; assist the Controller with data protection impact assessments where required; delete or return all personal data upon termination of the agreement; and make available all information necessary to demonstrate compliance with GDPR Article 28.

7. Sub-processors

The Processor uses the following sub-processors:

Supabase - hosted Postgres + auth (US-based infrastructure)
Railway - application hosting (US-based)
Stripe - billing/payments
Resend - transactional email
Upstash - rate-limit Redis
Sigstore Rekor - anchor notarization / transparency log
FreeTSA - RFC 3161 timestamps
Sentry - application error monitoring

The Controller will be notified at least 30 days before any new sub-processor is engaged. The Controller may object to a new sub-processor within 14 days of notification. If the objection cannot be resolved, the Controller may terminate the agreement.

Scanner-specific sub-processors are listed at rankigi.com/legal/scanner-subprocessors.

8. International Transfers

Personal data is processed and stored in the United States (AWS us-east-1) via the Processor's Railway and Supabase infrastructure. This is the only processing location currently provisioned. For transfers of personal data from the EEA to the United States, the Processor relies on Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914) and maintains appropriate safeguards for all international data transfers. Additional regions are on the roadmap: US-West is targeted for Q3 2026 and EU-West for Q4 2026. The Processor does not currently offer EU, APAC, or Middle East data residency. Customers with dedicated regional deployment requirements should contact legal@rankigi.com.

9. Security Measures

The Processor maintains the following technical and organizational security measures: encryption of all data in transit (TLS 1.3) and at rest (AES-256); SHA-256 hash chain integrity with cryptographic tamper detection; row-level security enforced at the database layer (Supabase RLS); API key authentication with peppered hashing; append-only event ledger with database-level immutability triggers preventing UPDATE and DELETE operations; RBAC access controls (admin, auditor, read-only roles); and regular security assessments. RANKIGI provides audit trail evidence that supports your compliance program. We do not hold certifications under these frameworks.

10. Breach Notification

In the event of a personal data breach, the Processor shall: notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach; provide the Controller with sufficient information to meet the Controller's obligations under GDPR Articles 33 and 34; cooperate with the Controller in investigating and mitigating the breach; and document the breach, its effects, and the remedial actions taken.

11. Erasure

Event payload data is erased from primary storage within 90 days of subscription termination. The hash row in the audit chain is permanently retained to preserve tamper-evident verifiability; the raw payload column is tombstoned (set to null) so it is no longer readable. Cryptographic hash records cannot be deleted as they form the integrity of the audit chain. Closure-export evidence bundles reconstruct the full chain regardless of the customer's retention window because they are point-in-time compliance artifacts; this carve-out is also documented in the Privacy Policy §4.

Upon termination of the agreement, the Processor shall: provide a 14-day window for the Controller to export data; execute the deletion described above within 90 days of termination; provide written confirmation upon request; and retain no copies of personal data except where required by applicable law.

12. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA. Audits may be conducted: annually, with 30 days' written notice; by the Controller or an independent third-party auditor; subject to reasonable confidentiality obligations. The Processor will cooperate fully and provide access to relevant documentation, systems, and personnel. Enterprise customers may negotiate enhanced audit provisions, including on-site inspections.

For a signed copy of this DPA, contact legal@rankigi.com