Data Processing Addendum

This DPA supplements the Exordia Cloud Terms of Service for customers who require GDPR and UK GDPR-compliant data processing terms.

Effective Date: February 18, 2026

Last Updated: February 18, 2026

1. Scope and Parties

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Exordia Cloud LLC ("Processor" / "Exordia") and the entity agreeing to these terms ("Controller" / "Customer").

This DPA applies to the processing of personal data by Exordia on behalf of Customer in connection with the provision of the Exordia Cloud platform (the "Service").

2. Definitions

Terms not defined here have the meanings given in the Terms of Service or applicable data protection law. In this DPA:

"Data Protection Laws" means the GDPR (Regulation (EU) 2016/679), UK GDPR (as retained by the Data Protection Act 2018), and any other applicable data protection legislation.
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Exordia on behalf of Customer under the Terms of Service.
"Sub-processor" means any third party engaged by Exordia to process Personal Data on behalf of Customer.
"Standard Contractual Clauses" ("SCCs") means the standard contractual clauses for the transfer of personal data approved by the European Commission (Decision 2021/914).

3. Controller-Processor Roles

3.1 Role Allocation

For the purposes of this DPA, Customer is the Controller and Exordia is the Processor. Customer determines the purposes and means of processing Personal Data submitted to the Service. Exordia processes Personal Data solely on behalf of and in accordance with Customer's documented instructions.

3.2 Customer Responsibilities

Customer is responsible for:

Ensuring a lawful basis exists for the processing of Personal Data submitted to the Service;
Providing any required notices to, and obtaining any required consents from, data subjects;
Ensuring that Personal Data submitted to the Service is accurate and up to date;
Complying with applicable Data Protection Laws in its use of the Service.

3.3 Exordia Responsibilities

Exordia shall:

Process Personal Data only on documented instructions from Customer, unless required by law;
Ensure that persons authorized to process Personal Data have committed to confidentiality;
Implement appropriate technical and organizational security measures;
Assist Customer in responding to data subject requests and data protection impact assessments;
Notify Customer without undue delay upon becoming aware of a Personal Data breach;
Delete or return Personal Data upon termination of the Service, at Customer's choice.

4. Data Processing Details

Subject Matter	Provision of the Exordia Cloud platform for consulting discovery workshops
Duration	For the term of the Terms of Service plus the data retention period
Nature and Purpose	Storage, retrieval, AI-assisted processing, and display of Customer Data to provide workshop management, requirements generation, and collaboration features
Categories of Data Subjects	Customer employees, authorized users, and third parties whose data is included in workshop content (e.g., client stakeholders)
Categories of Personal Data	Names, email addresses, profile images, IP addresses, workshop notes and content that may contain personal data, usage logs

5. Sub-processors

5.1 Authorization

Customer grants Exordia general authorization to engage Sub-processors to process Personal Data on Customer's behalf. Exordia shall ensure that each Sub-processor is bound by data protection obligations no less protective than those in this DPA.

5.2 Current Sub-processors

Sub-processor	Purpose	Location
Google Cloud Platform	Infrastructure, database, storage	United States
Google Vertex AI (Gemini)	AI processing	United States
Anthropic (Claude via Vertex AI)	AI processing	United States
Stripe	Payment processing	United States
Postmark	Transactional email delivery	United States
Upstash Redis	Rate limiting and application caching	United States

5.3 Changes to Sub-processors

Exordia shall notify Customer at least 30 days in advance of any intended changes to the list of Sub-processors, giving Customer the opportunity to object. If Customer objects on reasonable data protection grounds, the parties will work in good faith to resolve the objection. If no resolution is reached, Customer may terminate the affected Service.

6. International Data Transfers

6.1 Transfer Mechanisms

Personal Data is processed in the United States. For transfers of Personal Data from the EEA or UK to the United States, the parties agree that the Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) are incorporated by reference into this DPA and completed by the Annexes set out in Schedules 1–3 below.

Module Two (Controller to Processor) applies where Customer is Controller and Exordia is Processor
The governing law shall be that of the EU Member State in which Customer is established, or Ireland if Customer is not established in the EEA
The competent supervisory authority shall be determined in accordance with Clause 13 of the SCCs
The Annexes required by the SCCs (Annex I, II, and III) are set out in Schedules 1–3 of this DPA

6.2 UK International Data Transfer Addendum

For transfers from the UK, the UK International Data Transfer Addendum to the EU SCCs (as issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018) is incorporated by reference. In the event of conflict between the SCCs and the UK Addendum, the UK Addendum prevails for UK transfers.

7. Security Measures

Exordia implements and maintains appropriate technical and organizational measures to protect Personal Data, including:

Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
Access Controls: Role-based access control, principle of least privilege, OAuth 2.0 authentication
Infrastructure: Hosted on Google Cloud Platform with managed database services and network isolation
Audit Logging: Comprehensive audit trails of data access and administrative actions
Personnel: Access limited to authorized personnel with confidentiality obligations
Incident Response: Documented procedures for detecting and responding to security incidents

For additional details, see our Trust & Security page.

8. Data Subject Rights

Exordia shall assist Customer in fulfilling its obligations to respond to data subject requests under Data Protection Laws. Where Exordia receives a request directly from a data subject, Exordia shall promptly redirect the request to Customer unless legally prohibited from doing so.

The Service provides data export and deletion capabilities that Customer may use to fulfill data subject access, portability, and erasure requests.

9. Personal Data Breach Notification

Exordia shall notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach. The notification shall include:

A description of the nature of the breach, including categories and approximate numbers of data subjects affected;
The name and contact details of Exordia's point of contact;
A description of the likely consequences of the breach;
A description of the measures taken or proposed to address the breach.

10. Audit Rights

Exordia shall make available to Customer information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits conducted by Customer or an independent auditor mandated by Customer, subject to reasonable advance notice and confidentiality obligations.

11. Term and Termination

This DPA shall remain in effect for the duration of the Terms of Service. Upon termination of the Terms of Service, Exordia shall, at Customer's written request, delete or return Personal Data within a commercially reasonable timeframe (not to exceed 30 days), unless retention is required by applicable law or legitimate business purposes such as legal compliance, dispute resolution, or enforcement of agreements. Exordia shall certify deletion upon Customer's request. Data that has been anonymized or aggregated such that it can no longer identify individuals may be retained indefinitely.

12. Contact

For questions about this DPA or to request execution of the DPA, contact:

Exordia Cloud LLC

Email: admin@exordiacloud.com

Subject line: "DPA Request"

13. Schedule 1 — SCC Annex I (Parties and Transfer Details)

A. List of Parties

Data Exporter (Controller)

The Customer that has agreed to the Terms of Service and this DPA. Name, address, contact person, and activities relevant to the transfer are as set forth in the Customer's account and applicable order form or subscription.

Data Importer (Processor)

Exordia Cloud LLC. Contact: admin@exordiacloud.com. Activities: provision of the Exordia Cloud platform for consulting discovery workshops.

B. Description of Transfer

Categories of data subjects	Customer's end users, clients, and stakeholders whose data is entered into the Service
Categories of personal data	Names, email addresses, job titles, organization names, workshop notes and content that may contain personal data, usage logs (IP addresses, browser metadata)
Sensitive data	Not intentionally collected. If sensitive data is incidentally included in workshop content by the data exporter, it is processed solely for the purpose of providing the Service.
Frequency of transfer	Continuous, for the duration of the Terms of Service
Nature and purpose of processing	Hosting, storage, AI-assisted synthesis, real-time collaboration, analytics, and support services as described in the Terms of Service
Retention period	As described in Section 8 of the Privacy Policy and Section 11 of this DPA

C. Competent Supervisory Authority

The supervisory authority of the EU Member State in which the data exporter is established, or the Irish Data Protection Commission where the data exporter is not established in the EEA.

14. Schedule 2 — SCC Annex II (Technical and Organisational Measures)

The data importer implements and maintains the following technical and organisational security measures:

Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256 via Google Cloud managed encryption)
Access controls: Role-based access control (RBAC), OAuth 2.0 authentication, principle of least privilege, multi-tenancy isolation via organization-scoped queries
Infrastructure security: Hosted on Google Cloud Platform (Cloud Run, Cloud SQL) with network isolation, managed firewall rules, and automatic patching
Audit logging: Comprehensive audit trails of data access, administrative actions, and authentication events with automated retention
Incident response: Documented procedures for detecting, reporting, and responding to security incidents within 72 hours
Personnel security: Access limited to authorized personnel with confidentiality obligations; background checks where applicable
Data minimization: Soft-delete with configurable retention; automated log purging; anonymization capabilities
Backup and recovery: Automated database backups with point-in-time recovery; backup retention up to 30 days

For additional details, see our Trust & Security page.

15. Schedule 3 — SCC Annex III (List of Sub-processors)

The data importer has authorized the use of the following sub-processors:

Sub-processor	Purpose	Location
Google Cloud Platform	Infrastructure hosting, database	United States
Google Vertex AI (Gemini)	AI model inference and processing	United States
Anthropic (Claude via Vertex AI)	AI model inference and processing	United States
Stripe, Inc.	Payment processing and subscription management	United States
Postmark (ActiveCampaign, LLC)	Transactional email delivery	United States
Upstash, Inc.	Rate limiting and application caching (Redis)	United States

Customer will be notified at least 30 days in advance of any changes to this list, in accordance with Section 5.3 of this DPA.

16. Execution and Incorporation

This DPA is incorporated into and forms part of the Terms of Service. By accepting the Terms of Service (whether by clicking "I agree," creating an account, or otherwise using the Service), Customer enters into this DPA on behalf of itself and, to the extent required under Data Protection Laws, in the name and on behalf of its authorized users.

In the event of any conflict between this DPA and the Terms of Service, this DPA shall control with respect to the processing of Personal Data.

Enterprise customers requiring a separately countersigned copy of this DPA may request one by contacting admin@exordiacloud.com with the subject line "DPA Execution Request." Exordia will provide a PDF version with signature blocks within ten (10) business days.

← Back to Home