Culprit — Data Processing Agreement
Effective Date: [To be set on signing]
Last Updated: 2026-05-10
This Data Processing Agreement ("DPA") is entered into between:
- Feida Management Consulting Co. Ltd, a limited company organized under the laws of Taiwan with its principal place of business at 7F., No. 51, Ln. 128, Jingye 1st Rd., Taipei 104051, Taiwan (the operator of the Culprit platform; "Culprit," "Processor"); and
- [Customer Name] ("Customer," "Controller").
Each a "Party" and together the "Parties."
This DPA supplements and is incorporated into the Culprit Terms of Service or other written agreement between the Parties governing Culprit's provision of the Services to Customer (the "Principal Agreement"). In the event of conflict between this DPA and the Principal Agreement as to personal data matters, this DPA controls.
1. Definitions
Capitalized terms not defined in this DPA have the meanings given in the Principal Agreement. The following terms have the meanings set forth below:
1.1 "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including (as applicable) the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK Data Protection Act 2018 and UK GDPR ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), the Maryland Online Data Privacy Act ("MODPA"), and other U.S. state comprehensive privacy laws.
1.2 "Controller," "Processor," "Data Subject," "Personal Data," "Personal Data Breach," "Processing," and related terms have the meanings given in the GDPR (and, for CCPA-covered data, the corresponding CCPA terms "Business," "Service Provider," "Consumer," and "Personal Information" apply).
1.3 "Customer Personal Data" means Personal Data processed by Culprit on Customer's behalf under the Principal Agreement.
1.4 "Standard Contractual Clauses" or "SCCs" means the EU Commission's standard contractual clauses for the transfer of personal data to third countries, adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended from time to time.
1.5 "UK IDTA" means the UK International Data Transfer Addendum to the SCCs, as published by the UK Information Commissioner's Office.
1.6 "Subprocessor" means any third party engaged by Culprit that processes Customer Personal Data.
2. Roles and Scope
2.1 Roles. For Customer Personal Data processed in connection with the Services, Customer is the Controller (or, where applicable, a Processor acting on behalf of a third-party Controller) and Culprit is the Processor. For CCPA purposes, Customer is the Business and Culprit is a Service Provider.
2.2 Scope. Culprit will process Customer Personal Data only on documented instructions from Customer. The Principal Agreement, Documentation, and this DPA constitute Customer's complete and documented instructions. Additional instructions outside the scope of the Principal Agreement require Culprit's written agreement.
2.3 Compliance with law. Each Party will comply with its respective obligations under Applicable Data Protection Law. Culprit will inform Customer if, in its opinion, an instruction violates Applicable Data Protection Law.
2.4 CCPA notice. Culprit will not (i) sell or share Customer Personal Data; (ii) retain, use, or disclose Customer Personal Data for any purpose other than the specific purposes of performing the Services or as permitted under the CCPA; (iii) retain, use, or disclose Customer Personal Data outside the direct business relationship between the Parties; or (iv) combine Customer Personal Data with personal information from another source, except as permitted for service-provider activities under the CCPA.
3. Details of Processing
3.1 Subject matter. Provision of the Services described in Section 2 of the Terms of Service — namely, ingestion of Customer telemetry, event clustering into incidents, and AI-assisted RCA — together with related account management, authentication, security, and support activities.
3.2 Duration. Processing continues for the duration of the Principal Agreement, subject to the deletion and return obligations in Section 10.
3.3 Nature and purpose. Processing consists of collection, storage, organization, structuring, retrieval, tokenization, encryption, consultation, transmission, and deletion of Customer Personal Data, for the purpose of delivering the Services to Customer.
3.4 Categories of Data Subjects. Categories may include, depending on Customer's use:
- Customer's Authorized Users (administrators, operators);
- Customer's end-users or employees whose information appears in telemetry payloads;
- Other individuals whose information is incidentally present in alert or log data submitted by Customer.
3.5 Types of Personal Data. May include, depending on Customer's use:
- Identifiers (name, email address, usernames, user IDs, IP addresses);
- Technical identifiers (host names, session identifiers, device identifiers);
- Metadata and content of alerts, log lines, and telemetry fields;
- Authentication and account metadata for Authorized Users.
3.6 Special categories. Customer is responsible for not transmitting special-category data (racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic data, biometric data used for the purpose of uniquely identifying a natural person (including data subject to Illinois BIPA, Texas CUBI, Washington's biometric law, or analogous regimes), health data, sex life, or sexual orientation) unless the Parties have agreed in writing (including, for ePHI, through an executed Business Associate Agreement). Customer is also responsible for not transmitting (a) non-public personal information of consumers governed by the Gramm-Leach-Bliley Act, (b) education records governed by FERPA, or (c) material non-public information of public companies subject to U.S. SEC disclosure rules, in each case unless the Parties have separately agreed in writing on additional safeguards. Culprit's two-way tokenization is designed to reduce exposure of sensitive fields but does not substitute for Customer's obligations as Controller and does not authorize submission of categories of data the Services are not designed to handle.
4. Subprocessors
4.1 General authorization. Customer grants Culprit general authorization to engage the Subprocessors listed in Annex B. Culprit will:
(a) enter into written contracts with each Subprocessor imposing data-protection obligations no less protective than those in this DPA; (b) remain liable to Customer for the acts and omissions of Subprocessors with respect to Customer Personal Data, subject to the limitations of liability in the Principal Agreement; and (c) publish the current list of Subprocessors and update it when Subprocessors are added or replaced.
4.2 Notice and objection. Culprit will provide Customer at least thirty (30) days' advance notice (via in-product notice or email to the account administrator) before adding or replacing a Subprocessor that processes Customer Personal Data. Customer may object on reasonable data-protection grounds within that notice period. If Customer objects, the Parties will work in good faith to find a mutually acceptable resolution. If no resolution is reached, Customer may terminate the affected portion of the Principal Agreement, with refund of any prepaid fees on a pro-rata basis for the unused portion of the then-current paid period for the affected Services, as Customer's sole and exclusive remedy.
5. Security Measures
5.1 Culprit will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data, as described in Annex C, taking into account the state of the art, cost of implementation, and the nature, scope, context, and purposes of processing.
5.2 Security measures specific to Culprit's architecture include:
- Two-way tokenization of detected sensitive fields on ingest, so that AI Subprocessors and internal processing components see opaque tokens rather than plaintext;
- Row-Level Security enforced at the database layer to ensure tenant isolation;
- Encryption at rest of raw alert payloads (`pgp_sym_encrypt`) and token mappings;
- Encryption in transit using TLS 1.2 or higher;
- Access controls (least privilege, MFA for production access, audit logging of sensitive operations);
- Audit logging of re-hydration events and authentication operations, retained in tamper-evident storage for at least 12 months.
6. Confidentiality and Personnel
Culprit ensures that personnel authorized to process Customer Personal Data are bound by confidentiality obligations (by contract or statute), receive appropriate data-protection and security training, and have access to Customer Personal Data only on a need-to-know basis.
7. Data Subject Rights
7.1 Culprit will, taking into account the nature of processing, assist Customer by appropriate technical and organizational measures, insofar as possible, for the fulfillment of Customer's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law (access, rectification, erasure, restriction, portability, objection, and related rights).
7.2 If Culprit receives a request from a Data Subject relating to Customer Personal Data, Culprit will promptly forward the request to Customer and will not respond directly except to acknowledge receipt and direct the Data Subject to Customer, unless legally required to do otherwise.
8. Personal Data Breach Notification
8.1 Culprit will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data.
8.2 The notification will, to the extent known, include:
(a) a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the name and contact details of Culprit's data-protection contact; (c) a description of the likely consequences; (d) a description of the measures taken or proposed to address the Personal Data Breach and mitigate possible adverse effects.
8.3 Culprit will cooperate with Customer in investigation, mitigation, and any notifications required by Applicable Data Protection Law. Customer is responsible for fulfilling its notification obligations to supervisory authorities and Data Subjects.
9. Data Protection Impact Assessments; Prior Consultation
Culprit will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities that Customer reasonably considers required under Applicable Data Protection Law, to the extent Customer does not otherwise have access to the relevant information and such information is available to Culprit.
10. Return and Deletion
10.1 On termination or expiration of the Principal Agreement, Culprit will, at Customer's choice, delete or return all Customer Personal Data, unless retention is required by law. Absent a Customer election within thirty (30) days after termination, Culprit will delete Customer Personal Data.
10.2 Timing. Active-account Customer Personal Data will be deleted within 30 days of termination; backups containing Customer Personal Data will be purged within 90 days in line with the backup-retention schedule of Culprit's database Subprocessor.
10.3 On written request, Culprit will provide a written confirmation of deletion.
11. Audits and Information Rights
11.1 Information. Culprit will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Law, including current security documentation, Subprocessor list, and (when available) third-party audit reports (for example, SOC 2 Type II — currently on roadmap).
11.2 Audits. Customer may audit Culprit's compliance with this DPA at Customer's expense, no more than once per twelve (12) months except in the case of a Personal Data Breach or a requirement of Applicable Data Protection Law, on at least thirty (30) days' prior written notice, during normal business hours, in a manner that does not disrupt Culprit's operations, and subject to reasonable confidentiality obligations. The Parties will agree on scope and methodology in advance. Culprit may satisfy audit requests by providing third-party audit reports and completed security questionnaires that meet Customer's reasonable evaluation needs. If Customer reasonably determines that the documentation provided is insufficient to demonstrate compliance with this DPA, the Parties will conduct a videoconference audit not exceeding four (4) hours, on at least thirty (30) days' prior written notice and subject to a confidentiality agreement, no more than once per twelve (12) months absent a Personal Data Breach. Onsite audits, if requested, are limited to once per twenty-four (24) months and to a scope reasonably agreed by the Parties.
12. International Data Transfers
12.1 Transfer mechanism. To the extent Culprit processes or transfers Customer Personal Data subject to GDPR, UK GDPR, or FADP from the European Economic Area, the United Kingdom, or Switzerland to a country not recognized as providing adequate protection, the Parties incorporate by reference:
(a) the EU Standard Contractual Clauses, Module Two (Controller-to-Processor) or Module Three (Processor-to-Processor), as applicable; (b) the UK International Data Transfer Addendum (for UK-originating data); and (c) appropriate adjustments under the FADP (for Swiss-originating data), treating Switzerland as the country of origin and the FADP as applicable law for Swiss transfers.
12.2 Completion of SCCs. The Parties agree:
- Clause 7 (docking clause): included.
- Clause 9 (use of subprocessors): Option 2 (general written authorization), with a thirty (30)-day notification period, as further described in Section 4.
- Clause 11 (redress): the optional independent dispute-resolution body is not selected.
- Clause 17 (governing law): the law of Ireland.
- Clause 18 (forum and jurisdiction): the courts of Ireland.
- Annex I.A (Parties): Data exporter — Customer; Data importer — Culprit.
- Annex I.B (Description of transfer): as set out in Annex A of this DPA.
- Annex I.C (Competent supervisory authority): as determined under Clause 13 of the SCCs.
- Annex II (Technical and organisational measures): as set out in Annex C of this DPA.
- Annex III (List of sub-processors): as set out in Annex B of this DPA.
12.3 Conflict. In the event of conflict between this DPA and the SCCs, the SCCs prevail to the extent of the conflict.
13. Liability; General
13.1 Liability. Each Party's liability under this DPA is subject to the limitation of liability in the Principal Agreement.
13.2 Conflict. In the event of conflict, this DPA prevails over the Principal Agreement on matters of data protection, except that the SCCs prevail over this DPA for transfers subject to the SCCs.
13.3 Governing law. Except for transfers governed by the SCCs (see Section 12.2), this DPA is governed by the laws of Taiwan, without regard to its conflict-of-laws rules. Venue: the Taipei District Court of Taiwan (台灣台北地方法院), except where the Parties have agreed in writing to Singapore International Arbitration Centre (SIAC) arbitration on a per-customer basis under the Service Agreement.
13.4 Severability. If any provision is held unenforceable, the remaining provisions remain in effect.
13.5 Counterparts; electronic signatures. This DPA may be executed in counterparts, including by electronic signature.
Annex A — Description of Transfer
Categories of Data Subjects: See Section 3.4. Categories of Personal Data: See Section 3.5. Special categories: See Section 3.6 (none by default; ePHI only under an executed BAA). Frequency of transfer: continuous, on a streaming basis as Customer submits telemetry, and on demand for interactive use. Nature of processing: See Section 3.3. Purpose: provision of the Services. Period of retention: active while Customer account is active; deletion within 30 days of termination; backups purged within 90 days; audit logs retained at least 12 months. Transfers to Subprocessors: See Annex B.
Annex B — List of Subprocessors
B.1 Subprocessors of Customer Personal Data
The following Subprocessors process Customer Personal Data (as defined in Section 1.3) on Culprit's behalf in connection with the Services:
| Subprocessor | Entity | Purpose | Region |
|---|---|---|---|
| Supabase | Supabase Inc. | Managed Postgres database and authentication | United States (us-east-1) |
| Cloudflare | Cloudflare, Inc. | Workers (compute, application + edge), Queues, Durable Objects, DNS, domain registration | Global edge network |
| Anthropic | Anthropic, PBC | LLM inference for Root Cause Analysis | United States |
| OpenAI | OpenAI, L.L.C. | Text embedding generation for event correlation | United States |
| Resend | Resend, Inc. | Transactional email delivery (invites, notifications, password resets) | United States |
All Subprocessors listed in this Section B.1 are expected to maintain SOC 2 Type II or equivalent independent security certifications and are bound by data-protection commitments at least as protective as those in this DPA. AI Subprocessors (Anthropic, OpenAI) are engaged under terms that prohibit use of Customer Personal Data for model training and apply zero-retention or short-retention policies consistent with API use. Specifically: Anthropic processes prompts and completions on a zero-retention basis when called via Anthropic's API with the zero-retention setting enabled, which is the configuration Culprit uses for production traffic; Anthropic's published policy is to retain prompts and completions only for the period necessary to provide the response unless legally required (typically not exceeding 30 days for trust-and-safety review of API traffic where the zero-retention setting is not in effect). OpenAI processes embedding inputs under OpenAI's API data-handling policy, which provides for retention of API inputs for up to 30 days for abuse monitoring and then deletion, and prohibits use of API inputs for model training. Culprit's tokenization architecture ensures AI Subprocessors receive only opaque tokens, not plaintext Personal Data, regardless of these subprocessor retention windows. Customers seeking a current statement of any Subprocessor's published retention policy may request it at privacy@theculprit.ai.
B.2 Disclosed processors of account billing data (not Customer Personal Data)
The following processor receives only account-owner billing identifiers (name, billing address, payment-method token, transaction history). It does not process Customer Personal Data within the meaning of Section 1.3, because the data it handles is collected from the account owner directly for the purpose of paying for the Services and is not data that Culprit processes on Customer's behalf in performing the Services. It is disclosed here for transparency and is subject to its own published privacy notice and data-protection terms.
| Processor | Entity | Purpose | Region |
|---|---|---|---|
| Paddle | Paddle.com Market Limited (UK) and Paddle, Inc. (US) | Merchant-of-record billing, payment processing, sales-tax calculation and remittance, invoicing | United Kingdom and United States |
Paddle never receives Customer incident data, tokenization keys, or end-user Personal Data flowing through the alert pipeline. The notice and objection procedures in Section 4.2 apply by analogy to changes in this billing-processor disclosure.
Annex C — Technical and Organizational Measures
- Access control. Role-based access control; least-privilege principle; MFA required for production access; prompt access revocation on personnel changes.
- Authentication. Strong password requirements; session management with HTTP-only, secure cookies; rate-limited login endpoints.
- Encryption. TLS 1.2+ in transit; `pgp_sym_encrypt` for raw alert payloads at rest; encrypted token mappings; encrypted database backups.
- Tenant isolation. Row-Level Security policies enforced at the database layer; `tenant_id` scoping on all queries; a dedicated helper wraps `auth.uid()` so tenant identity cannot be bypassed.
- Tokenization pipeline. Sensitive fields replaced with opaque tokens at ingest, before any call to external AI Subprocessors; plaintext re-hydration is limited to authenticated sessions with matching `tenant_id`, is performed server-side, and is audit-logged.
- Pseudonymization / minimization. The tokenization architecture materially reduces the personal data exposed to downstream processors. Logs and metrics are scrubbed of plaintext.
- Resilience. Managed Postgres with point-in-time recovery; geographically distributed edge compute; queue-backed asynchronous processing with retries and dead-letter queues.
- Incident management. Documented incident-response runbooks; on-call rotation; breach-notification workflows; post-incident review.
- Vulnerability management. Dependency scanning; regular patching of managed services; scheduled security reviews.
- Personnel. Confidentiality obligations by contract; security and privacy training.
- Audit logging. Authentication events, admin actions, and re-hydration operations are logged and retained in tamper-evident storage for at least 12 months.
- Physical security. Customer Personal Data is hosted exclusively in data centers operated by Culprit's infrastructure Subprocessors (Supabase / Cloudflare). Those data centers maintain SOC 2 Type II (or equivalent) certifications covering 24x7 facility monitoring, biometric or multi-factor physical access controls, visitor logging, environmental controls (fire suppression, climate, power redundancy), and secure media disposal. Culprit personnel do not maintain any on-premises copy of Customer Personal Data and do not store Customer Personal Data on local devices outside of break-glass operational tooling, which when used is encrypted at rest and access-logged.
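The tenant-isolation and encryption-at-rest measures above, shown as an added SQL illustration that is not Culprit's own schema or code: the table names, the `current_tenant_ids()` helper, the `app.payload_key` setting and the sample values are assumptions, while `auth.uid()` is Supabase's session helper and `pgp_sym_encrypt`/`pgp_sym_decrypt` come from the pgcrypto extension.

```sql
-- Illustrative only: table and helper names are assumptions, not Culprit's schema.
create extension if not exists pgcrypto;

-- Tenant membership: which authenticated user belongs to which tenant.
create table tenant_members (
  tenant_id uuid not null,
  user_id   uuid not null,           -- matches auth.users.id in Supabase
  primary key (tenant_id, user_id)
);

-- Raw alert payloads, stored encrypted at rest with pgp_sym_encrypt.
create table alerts (
  id          uuid primary key default gen_random_uuid(),
  tenant_id   uuid not null,
  payload_enc bytea not null,        -- pgp_sym_encrypt(plaintext, key)
  created_at  timestamptz not null default now()
);

-- Helper that wraps auth.uid(): every policy goes through it, so tenant
-- identity is derived from the authenticated session, never from client input.
create or replace function current_tenant_ids()
returns setof uuid
language sql
stable
security definer
set search_path = public
as $$
  select tenant_id from tenant_members where user_id = auth.uid();
$$;

-- Enable RLS (deny by default) and apply it even to the table owner.
alter table alerts enable row level security;
alter table alerts force row level security;

-- Only rows whose tenant_id matches one of the caller's tenants are visible
-- or insertable; the client cannot widen this by passing a different tenant_id.
create policy alerts_tenant_select on alerts
  for select to authenticated
  using (tenant_id in (select current_tenant_ids()));

create policy alerts_tenant_insert on alerts
  for insert to authenticated
  with check (tenant_id in (select current_tenant_ids()));

-- Ingest: the payload has already had sensitive fields replaced with opaque
-- tokens; it is then encrypted with a key supplied by the server-side ingest
-- component (placeholder setting here), which is never stored in the table.
insert into alerts (tenant_id, payload_enc)
values (
  '00000000-0000-0000-0000-000000000001',                  -- constructed sample tenant
  pgp_sym_encrypt('{"host":"web-01","user":"tok_4f9a2c"}', -- constructed tokenized payload
                  current_setting('app.payload_key'))
);

-- Re-hydration for display runs server-side inside a tenant-scoped session;
-- RLS filters rows before pgp_sym_decrypt is ever evaluated.
select id, pgp_sym_decrypt(payload_enc, current_setting('app.payload_key')) as payload
from alerts;
```

Because the policies reference `current_tenant_ids()` rather than a client-supplied value, a caller who is not a member of a tenant sees zero rows from that tenant even with a valid session.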
Signatures
Customer Name: [Customer Name]
Authorized Signatory: [Signature]
Title: [Title]
Date: [Date]

Culprit — Feida Management Consulting Co. Ltd
Name: [Authorized Signatory]
Title: [Title]
Date: [Date]