Data Processing Agreement
Last Updated: December 26, 2025
1. Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and ATHENA Trust, Inc. ("Processor") for the provision of trust calibration services.
2. Data Processing Details
| | |
|---|---|
| Subject Matter | Trust calibration and bias detection for human-AI decisions |
| Duration | Term of the service agreement |
| Nature & Purpose | Analysis of decision data for trust calibration metrics |
| Data Categories | Decision records, user identifiers, timestamps, AI recommendations |
3. Sub-Processors
We use the following sub-processors:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database hosting | EU (Ireland) |
| Vercel | Application hosting | Global (Edge) |
| Cloudflare | CDN & Security | Global |
| Stripe | Payment processing | USA (PCI-DSS) |
4. Security Measures
- TLS 1.3 for all data in transit
- AES-256 encryption at rest
- Row-level security (RLS) for multi-tenant isolation
- API keys hashed with bcrypt (SALT_ROUNDS=12)
- Regular penetration testing
5. Data Retention
Decision data is retained for 2 years to support compliance audits (EU AI Act, Texas TRAIGA). Upon termination, data is deleted within 30 days unless we are legally required to retain it.
6. International Transfers
For transfers outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission, supplemented by additional technical measures.
7. Breach Notification
In the event of a personal data breach, we will notify you within 48 hours of becoming aware, including the nature of the breach and measures taken.
8. Contact
For DPA inquiries, contact: security@athenatrust.ai
© 2025 ATHENA Trust, Inc. All rights reserved.