>_ spyd
Docs

Data Processing Agreement

How Spyd processes data on your behalf, and the safeguards around it.

Last updated 2026-06-25

1. Roles

The customer is the controller; Spyd Infotech ("Spyd") is the processor, processing personal data only on the customer's documented instructions and for the duration of the subscription.

2. Scope of processing

Spyd processes the redacted security/monitoring telemetry described in the Privacy Policy, to provide fleet monitoring, incident diagnosis, and AI explanations. Full-fidelity data remains on the customer's hosts and is not processed by Spyd Cloud.

3. Technical & organizational measures

  • Authenticity: Ed25519 request signing on every agent→cloud call, verified against the host's enrolled public key (the header key is not trusted after enrollment).
  • Tenant isolation: Postgres Row-Level Security on all tenant tables; the app runs as a non-superuser with the org scope set per transaction.
  • Encryption in transit: TLS everywhere (Let's Encrypt via Caddy) with HSTS and a content-security policy per host.
  • Data minimization: on-host redaction pipeline, proven by an automated no-leak corpus test; idempotent ingest keyed by a content hash.
  • Backups: nightly logical database dumps shipped off-box (EU).
  • Authentication: passwordless magic-link sign-in; short-lived, one-time tokens.

4. Sub-processors

Spyd uses the sub-processors listed at /sub-processors. Customers are notified by email of additions before a new sub-processor begins processing, with the opportunity to object within 30 days.

5. Breach notification & audit

Spyd notifies the controller without undue delay — within 72 hours of becoming aware of a personal-data breach — and makes available the information reasonably needed to demonstrate compliance with this agreement.

6. International transfers

Where processing involves a transfer outside the customer's region (e.g. AI explanations via OpenAI in the US), the parties rely on the EU Standard Contractual Clauses (SCCs).
