Data Processing Addendum

Effective: 2026-05-23 · Operator: Black Line Ops LLC

This page is the standard Aevrum DPA template. The signed DPA between a Customer and Aevrum incorporates this language plus any customer-specific schedules. For an executable copy, email legal@blacklineops.ai.

1. Roles

The parties acknowledge that:

  • Customer (the “Controller”) determines the purposes and means of processing the personal data uploaded to Aevrum.
  • Aevrum (the “Processor”) processes such personal data only on the documented instructions of Controller, as captured in the Customer’s Aevrum account configuration, the MSA, and this DPA.

2. Subject matter, duration, nature, and purpose

Subject matter: Personal data uploaded by Controller into Aevrum (operational data, contact details, deal records, performance metrics).
Duration: The term of the Customer's Aevrum subscription, plus the deletion windows in §7 below.
Nature: Storage, processing for dashboard rendering, KPI computation, alert generation, AI-driven Q&A and recommendations, scheduled reports.
Purpose: To deliver the contracted Aevrum functionality to Controller.
Categories of data subjects: Controller's employees, contractors, customers, and other business contacts whose data Controller chooses to upload.
Categories of personal data: Names, email addresses, phone numbers, business activity records (deal status, dates, amounts), and any other fields Controller maps into Aevrum's data model.

3. Processor obligations

  • Process personal data only on Controller’s documented instructions.
  • Ensure persons authorized to process the data are bound by confidentiality obligations.
  • Implement the security measures described in §5.
  • Assist Controller with data-subject requests (access, correction, deletion, portability, objection).
  • Notify Controller without undue delay (target: within 72 hours) of any personal-data breach affecting Controller’s data.
  • Return or delete personal data on Controller’s request at end of services, per §7.
  • Make available all information necessary to demonstrate compliance with this DPA.

4. Subprocessors

Controller authorizes Aevrum to engage the subprocessors listed at aevrum.vercel.app/trust. Aevrum remains liable for the acts and omissions of subprocessors as if performed by Aevrum. Aevrum will notify Controller at least 30 days before adding or replacing a subprocessor; Controller may object on reasonable data-protection grounds.

5. Security measures

Aevrum implements appropriate technical and organizational measures, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256, Postgres-level + per-org application layer for sensitive identity fields)
  • Row-Level Security enforced at the database — physical isolation between organizations
  • Role-based access control (Owner / Admin / Analyst / Viewer + separate Platform Admin)
  • Audit logging of all privileged operations (logins, role changes, data uploads, AI calls, shares)
  • Prompt-injection mitigation for AI features (sanitization + delimited untrusted-data sections)
  • Periodic security testing and dependency scanning

6. International transfers

Personal data is hosted in United States regions (Supabase us-east-1, Vercel US, Anthropic US, Resend US). For Controllers whose personal data originates in the EEA / UK / Switzerland, transfers occur under the EU Standard Contractual Clauses (Module 2: Controller-to-Processor) and the UK Addendum where applicable. Controllers may request EU-hosted Supabase deployment; availability is evaluated per customer.

7. Return & deletion

  • Controller may export all organizational data at any time via Settings → Data Export.
  • On Controller’s written request, Aevrum will delete personal data within 30 days, except where retention is required by law.
  • Backups containing deleted data roll off within 90 days of deletion.
  • The audit log retains who-did-what records for the configured retention window (default 90 days; configurable per plan).

8. Audits

Aevrum will respond to reasonable Controller requests to demonstrate compliance, including by providing written information about controls, third-party audit reports (when available — e.g. SOC 2 reports), and security questionnaire responses. On-site audits are available by mutual agreement and reasonable notice (no more than once per year, at Controller’s cost).

9. Liability

Each party’s liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions in the MSA.

10. Conflict

In the event of a conflict between this DPA and the MSA in respect of the processing of personal data, this DPA prevails.

11. Contact