Data Processing Agreement
Last updated · 2026-05-19 · v0.1 (stub — counsel-reviewed version publishes before GA)
1. Roles
For data the Platform processes on behalf of your child company, the child company is the Controller and 0h1bai is the Processor.
2. Subject matter
Operation of your child company under the Platform's services, including agent-driven product, support, marketing, finance, and compliance activities.
3. Duration
For the duration of the Master Subscription Agreement.
4. Sub-processors
Listed publicly at /trust. We notify you 30 days before adding a sub-processor. You may object; we will work with you in good faith on alternatives.
5. Security measures
Per-tenant database schema, envelope encryption with per-tenant DEK wrapped by per-tenant KEK wrapped by platform root KEK in AWS KMS, TLS 1.3 in transit, append-only audit log with cryptographic chaining.
6. Sub-processor flow-down
Each sub-processor is bound by contractual obligations no less protective than those in this DPA.
7. Standard Contractual Clauses
Where personal data leaves the EEA / UK, the EU 2021/914 SCCs (as amended) and the UK IDTA apply.
8. Breach notification
Within 72 hours of awareness.
v0.1 stub — counsel-reviewed and counter-signable version publishes before GA.