Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the agreement between Agentic Labs LLC ("Processor") and the customer ("Controller") for use of the CTI Zero Service (the "Agreement"). It applies to the extent the Processor processes Personal Data on behalf of the Controller within the scope of Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, or other applicable data protection laws.
1. Definitions
Capitalised terms have the meaning given in the GDPR. "Personal Data" means personal data within Customer Data processed by the Processor under the Agreement.
2. Subject matter and duration
Subject matter: provision of the CTI Zero Service. Duration: the term of the Agreement plus any period necessary to return or delete Personal Data.
3. Nature and purpose of processing
Hosting, transmission, storage, indexing, alerting, enrichment and reporting on Personal Data as configured by the Controller through the Service.
4. Categories of data subjects and Personal Data
- Data subjects: Controller's authorised users; individuals referenced in Controller's watchlists, intelligence content or API payloads.
- Personal Data: identifiers (name, work email, account IDs), authentication data, IP addresses, user-agent strings, usage logs, and any personal data the Controller chooses to submit.
5. Processor obligations
- Process Personal Data only on documented instructions from the Controller (including the Agreement and Controller's use of the Service).
- Ensure persons authorised to process Personal Data are bound by confidentiality.
- Implement the technical and organisational measures described in Annex II.
- Assist the Controller, taking into account the nature of processing, to respond to data subject requests.
- Assist the Controller with security, breach notification and data protection impact assessments under Articles 32–36 GDPR.
- At the Controller's choice, delete or return Personal Data at the end of the Agreement, save where retention is required by law.
- Make available information necessary to demonstrate compliance and allow for audits under Section 9.
6. Sub-processors
The Controller grants general authorisation for the engagement of the sub-processors listed at Subprocessors. The Processor will inform the Controller of intended changes and give the Controller a reasonable opportunity to object. The Processor will impose data protection obligations on each sub-processor that are no less protective than this DPA, and remains responsible for their performance.
7. International transfers
Where the Processor or a sub-processor transfers Personal Data outside the EEA or the UK to a country without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Module Two: Controller-to-Processor; Module Three where applicable) and the UK International Data Transfer Addendum by reference. Annex I and Annex II of this DPA serve as the corresponding annexes to the SCCs.
8. Security incidents
The Processor will notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Controller's Personal Data, and will provide information reasonably required for the Controller to meet its notification obligations.
9. Audits
The Processor will make available to the Controller, on reasonable request and no more than once per year (except where required by a supervisory authority or following a Personal Data Breach), summary information about its security programme, third-party assessments and policies. On-site audits will be conducted on reasonable notice, during business hours, subject to confidentiality, and at the Controller's expense.
10. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
Annex I — Processing details
Controller and Processor: the parties to the Agreement. Categories of data subjects and Personal Data: as set out in Section 4. Nature and purpose: as set out in Section 3. Duration: the term of the Agreement.
Annex II — Technical and organisational measures
- Encryption in transit (TLS 1.2+) and at rest for managed databases and storage.
- Role-based access control, least-privilege, periodic access reviews.
- Multi-factor authentication required for administrative access.
- Centralised audit logging with restricted access.
- Automated dependency and vulnerability scanning; timely patching.
- Backups for managed services with documented retention.
- Security and privacy training for personnel handling Personal Data.
- Documented incident response process with defined notification timelines.
- Vendor due diligence for all sub-processors.
Annex III — Sub-processors
The current list of authorised sub-processors is available at /legal/subprocessors.
Execution
This DPA is automatically incorporated into the Agreement when the Controller accepts the Terms of Service and uses the Service to process Personal Data. A countersigned PDF is available on request at legal@ctizero.com.