Page: /dpa — Data Processing Agreement
Route: /dpa
Template: dpa.html (to be created)
Nav Link: Footer > Legal > DPA
Page Purpose
A Data Processing Agreement (DPA) is a mandatory legal document for any Tier-1 bank, regulated financial institution, or enterprise that processes personal data. Without this, procurement teams will block vendor onboarding entirely. GDPR Article 28 requires it.
OmniSentient — Data Processing Agreement
Version: 1.0
Effective Date: February 23, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between OmniSentient ("Processor") and the Customer ("Controller") and governs the processing of personal data under the OmniSentient platform.
1. Definitions
- "Controller": The Customer organization that determines the purpose and means of processing personal data.
- "Processor": OmniSentient, which processes personal data on behalf of the Controller.
- "Personal Data": Any information relating to an identified or identifiable natural person, as defined under applicable data protection law (GDPR, PDPB, CCPA, etc.).
- "Processing": Any operation performed upon Personal Data (collection, storage, retrieval, deletion).
- "Sub-Processor": Any third party engaged by OmniSentient to process data on behalf of the Customer.
2. Scope of Processing
2.1 Categories of Personal Data Processed
OmniSentient processes the following categories of data:
- GitHub usernames and installation IDs (linked to the GitHub App installation).
- Repository names and dependency manifests (no source code stored).
- Incident creation actor ID (for forensic audit trail).
- Notification delivery logs (email/Slack/Discord — delivery status only, not message content).
2.2 Purpose of Processing
OmniSentient processes this data solely to:
- Generate remediation Pull Requests.
- Maintain a tamper-evident forensic incident ledger.
- Send SLA-triggered security notifications to authorized channels.
2.3 Data Subjects
- Engineering team members of the Customer organization who interact with GitHub repositories covered by the OmniSentient installation.
3. Processor Obligations
OmniSentient shall:
1. Process Personal Data only on documented instructions from the Controller.
2. Ensure that authorized personnel are bound by confidentiality.
3. Implement appropriate technical and organizational security measures (Article 32 GDPR).
4. Not engage Sub-Processors without prior written consent of the Controller.
5. Assist the Controller in responding to data subject requests (access, deletion, portability).
6. Return or delete all Personal Data upon termination of the agreement.
4. Security Measures (Technical Controls)
OmniSentient maintains the following controls:
- Append-Only Forensic Ledger: Incident and event records are cryptographically chained (SHA-256) and cannot be mutated retroactively.
- Row Level Security (RLS): Per-tenant isolation enforced by the database itself via PostgreSQL FORCE ROW LEVEL SECURITY, so policies apply even to the table owner. The auditor role has read-only access.
- Ed25519 Asymmetric Signing: All forensic data exports are signed with a non-repudiable digital signature.
- Encrypted Transit: All data in transit is protected with TLS 1.3.
- Encrypted at Rest: All persistent data is stored with AES-256 encryption (Supabase-managed).
- Access Logs: All administrative access to production systems is logged with actor ID and timestamp.
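The append-only ledger control above relies on SHA-256 hash chaining; the following added example (not OmniSentient's own code, and the record layout and genesis anchor are assumptions) shows how an auditor holding an exported ledger can verify the chain and detect a retroactively edited record, whether or not the editor recomputed that record's own hash:

```python
import hashlib
import json

# Constructed anchor for the first record; a real ledger would pin its own.
GENESIS = "0" * 64


def record_hash(prev_hash: str, payload: dict) -> str:
    # Bind this record to its predecessor by hashing the previous hash together
    # with a canonical JSON encoding of the payload; any change to either breaks
    # the chain from this point onward.
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


def append_record(ledger: list, payload: dict) -> dict:
    prev_hash = ledger[-1]["hash"] if ledger else GENESIS
    entry = {"prev_hash": prev_hash, "payload": payload,
             "hash": record_hash(prev_hash, payload)}
    ledger.append(entry)
    return entry


def verify_ledger(ledger: list):
    """Return (True, None) if intact, else (False, index of first bad record)."""
    expected_prev = GENESIS
    for i, entry in enumerate(ledger):
        if entry["prev_hash"] != expected_prev:
            return False, i  # link to predecessor does not match
        if record_hash(entry["prev_hash"], entry["payload"]) != entry["hash"]:
            return False, i  # payload no longer matches its stored hash
        expected_prev = entry["hash"]
    return True, None


def build_sample_ledger() -> list:
    # Constructed sample events mirroring the data categories in section 2.1.
    ledger = []
    append_record(ledger, {"event": "incident_opened", "actor_id": 1001, "repo": "acme/api"})
    append_record(ledger, {"event": "remediation_pr_created", "actor_id": 1001, "pr": 42})
    append_record(ledger, {"event": "incident_closed", "actor_id": 2002})
    return ledger


def tamper_and_verify():
    # Edit the actor of the first incident without touching the stored hash.
    ledger = build_sample_ledger()
    ledger[0]["payload"]["actor_id"] = 9999
    return verify_ledger(ledger)


def tamper_recompute_and_verify():
    # Edit the first record and recompute its hash; the next record's
    # prev_hash still points at the original, so verification fails at index 1.
    ledger = build_sample_ledger()
    ledger[0]["payload"]["actor_id"] = 9999
    ledger[0]["hash"] = record_hash(ledger[0]["prev_hash"], ledger[0]["payload"])
    return verify_ledger(ledger)
```

The chain makes retroactive mutation detectable by anyone holding a copy of the ledger; preventing the write in the first place is the job of the RLS and access-log controls listed above.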
5. Sub-Processors
OmniSentient uses the following approved Sub-Processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase | PostgreSQL database hosting | USA (AWS us-east-1) |
| Vercel | API hosting and edge compute | USA / Global CDN |
| Stripe | Payment processing | USA |
| Google (Gemini API) | AI log analysis | USA |
The Customer will be notified of any material changes to this Sub-Processor list with 30 days' notice.
6. Data Retention
- Incident records: Retained for the duration of the subscription plus 90 days post-termination.
- Notification logs: Retained for 12 months.
- GitHub App installation data: Deleted within 30 days of app uninstallation.
- Upon written request, data can be deleted sooner (Right to Erasure).
7. Data Transfers
OmniSentient currently processes data in the United States (AWS us-east-1). For Customers requiring EU or in-country data residency, this is on the roadmap as a contract-triggered Phase K deliverable.
8. Audit Rights
The Controller has the right to:
- Request a copy of OmniSentient's security controls documentation.
- Review the SECURITY_BOUNDARY.md and PILOT_RISK_DISCLOSURE.md documents.
- Request a signed forensic export bundle for independent verification.
- Commission a third-party security audit with 30 days' notice.
9. Breach Notification
OmniSentient will notify the Controller of any confirmed Personal Data breach within 72 hours of becoming aware of the breach (GDPR Article 33 compliant).
10. Governing Law
This DPA is governed by the laws applicable to the underlying Master Service Agreement between the parties.
11. Contact
Data Protection contact: privacy@omnisentient.ai