Data Processing Agreement (DPA)
Last updated: March 1, 2026
This Data Processing Agreement ("DPA") supplements and is incorporated into the CentaurX Terms of Service between CentaurX Inc. ("Processor") and the customer ("Controller"). This DPA applies when CentaurX processes personal data on behalf of the customer in the context of providing the Service.
This DPA is intended to comply with the requirements of applicable data protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA/CPRA) where applicable.
1. Definitions
Personal Data: Any information relating to an identified or identifiable natural person, as defined under applicable data protection law.
Processing: Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
Controller: The customer entity that determines the purposes and means of processing personal data.
Processor: CentaurX Inc., which processes personal data on behalf of the Controller.
Sub-processor: Any third party engaged by CentaurX to assist in processing personal data.
2. Scope of Processing
CentaurX processes personal data on behalf of the Controller solely to provide the Service as described in the Terms of Service. The categories of personal data processed may include:
- Contact data from connected CRM platforms (names, email addresses, company affiliations, roles)
- Communication metadata (email send/open/click events, meeting records)
- Deal and pipeline data associated with natural persons
- User account data of Controller's team members using the platform
Processing is limited to the purposes of providing, maintaining, and improving the Service as instructed by the Controller.
3. Controller Instructions
CentaurX shall process personal data only in accordance with the Controller's documented instructions, which are set by the Controller's configuration of the Service, integration permissions granted, and agent actions approved by the Controller's authorized users.
CentaurX shall immediately inform the Controller if it believes an instruction infringes applicable data protection law.
4. Security Measures
CentaurX implements appropriate technical and organizational security measures as described in our Security Policy, including:
- AES-256-GCM encryption of integration tokens and sensitive configuration data
- TLS 1.3 for all data in transit
- Role-based access control with tenant isolation
- Complete audit trails of all agent actions
- Penetration testing and vulnerability scanning
5. Sub-processors
CentaurX uses the following categories of sub-processors to operate the Service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Cloud infrastructure, compute, and storage | United States |
| Stripe | Payment processing | United States |
| Postmark / SendGrid | Transactional email delivery | United States |
CentaurX ensures all sub-processors are bound by data protection obligations equivalent to those in this DPA. CentaurX will provide at least 14 days' notice of material changes to sub-processors.
6. Data Subject Rights
CentaurX will assist the Controller in fulfilling its obligations to respond to data subject rights requests (access, rectification, erasure, portability, objection) to the extent technically feasible. Requests received directly by CentaurX that relate to the Controller's data will be forwarded to the Controller.
7. Data Breach Notification
CentaurX will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting data processed under this DPA. Notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
8. Data Transfers
Where personal data originating in the EEA or UK is transferred outside those territories, CentaurX implements appropriate transfer mechanisms, including Standard Contractual Clauses (SCCs) as adopted by the European Commission. A copy of the applicable SCCs is available upon request at legal@centaurx.io.
9. Audit Rights
The Controller may, with 30 days' written notice and at its own cost, conduct or commission an audit of CentaurX's data processing activities covered by this DPA, no more than once per calendar year. CentaurX will provide reasonable assistance and cooperation.
10. Deletion and Return
Upon termination of the Service or at the Controller's written request, CentaurX will delete or return all personal data processed under this DPA within 30 days, except where retention is required by law.
11. Liability
Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service.
12. Contact and Execution
To execute this DPA or request a signed copy, contact legal@centaurx.io.
This DPA is effective as of the date you first access the Service and supersedes any prior data processing agreements between the parties.