1. Definitions
Capitalised terms not defined here have the meaning given in the GDPR or in the Terms of Service. “Customer Personal Data” means Personal Data Processed by us on Customer’s behalf.
2. Roles
Customer is the Controller (or, where Customer is itself a Processor, the relevant Controller is upstream of Customer) and we are the Processor. The subject-matter, duration, nature, and purpose of Processing, and the categories of Data Subjects and Personal Data, are set out in Annex I.
3. Processor obligations
- We Process Customer Personal Data only on documented instructions from Customer, including with regard to international transfers, unless required to do so by Union or Member State law.
- We ensure that persons authorised to Process Customer Personal Data have committed to confidentiality.
- We implement appropriate technical and organisational measures (Annex II) and assist Customer in fulfilling its obligations to respond to data-subject requests.
- We notify Customer without undue delay (target: 24 hours, maximum 72 hours) after becoming aware of a Personal Data Breach.
- We delete or return all Customer Personal Data after the end of the provision of services and delete existing copies unless retention is required by law.
4. Sub-processors
Customer provides general written authorisation for the engagement of sub-processors. We maintain a current list at /sub-processors.html and notify Customer at least 30 days before adding or changing a sub-processor. Customer may object on reasonable grounds; if the objection cannot be resolved, Customer may terminate the affected service with a pro-rata refund.
5. International transfers
Where Customer Personal Data is transferred outside the EEA/UK, the parties enter into Module 2 (Controller-to-Processor) of the European Commission’s Standard Contractual Clauses 2021/914 (SCCs) and, where applicable, the UK International Data Transfer Addendum, both of which are incorporated by reference. The optional docking clause is selected. Disputes under the SCCs are subject to the courts of Ireland; the supervisory authority is the Irish Data Protection Commission.
6. Audits
We make available to Customer all information necessary to demonstrate compliance with Art. 28 GDPR and allow for audits, including inspections, conducted by Customer or another auditor mandated by Customer, on reasonable notice and during business hours, no more than once per 12 months (or after a Personal Data Breach). Audit findings are confidential.
Annex I — Description of Processing
Categories of Data Subjects: Customer’s employees, contractors, and end-users; SAP system users whose identifiers appear in extracted records.
Categories of Personal Data: business contact identifiers (name, email, role), SAP-system identifiers (user ID, employee number, cost centre), audit-log metadata. Special categories of data should not be entered into the system; if they are, they are processed only as incidental content of customer-provided records.
Nature and purpose: hosting of audit-log mirrors, MCP catalogues, and SBOM artefacts; processing telemetry from opted-in CLI users.
Duration: term of the agreement plus 90 days for export.
Annex II — Technical & organisational measures
- ISO/IEC 27001:2022 and SOC 2 Type II controls in scope for production systems.
- Encryption: TLS 1.3 in transit, AES-256-GCM at rest, customer-managed keys available on Enterprise.
- Strict separation of duties; production access requires hardware MFA and quorum approval for sensitive paths.
- Vulnerability management: critical CVEs patched within 7 days; quarterly third-party pen-test.
- Continuous backup with point-in-time restore, tested quarterly.
- Personnel training on security and privacy at hire and annually.
A counter-signable PDF of this DPA is available on request at legal@sapctl.dev.