Data Processing Addendum
The Article 28 GDPR processor terms a buyer’s legal team asks for — a template ready for execution, not a signed agreement.
Last updated June 10, 2026
1. Status of this addendum
This page summarizes Cytra’s Data Processing Addendum (DPA) — a template we make available to customers who require one. It is a template ready for execution, not a signed agreement, and nothing here represents that a signed DPA is already in place.
A signed customer agreement (order form or master subscription agreement) governs the commercial relationship. Where it and the DPA conflict on data protection, the DPA controls; where the agreement and a privacy policy conflict, the agreement controls for that customer’s data.
2. Roles & scope
For the personal data Cytra processes on your behalf, you are the controller and Cytra (Wentzel Investments LLC, trading as Wentzel.ai) is the processor. Where you act as a processor for a third party, Cytra is a sub-processor and the same obligations flow down.
Cytra processes that data only on your documented instructions — the agreement, the DPA, and your use of the platform — to provide the AI-governance platform and managed MCP gateway, unless required to do otherwise by law.
3. Sub-processors
You provide general written authorization for Cytra to engage the sub-processors we list, each under a contract imposing data-protection obligations no less protective than the DPA. We give notice before a new sub-processor begins processing your personal data so you can object on reasonable grounds.
4. Security measures
Cytra applies the Article 32 measures described on our trust page: encryption in transit (TLS 1.2+), encryption at rest (AES-256), tenant isolation, least-privilege access, a per-tenant tamper-evident audit log, and managed secret storage. Our SOC 2 Type II and HIPAA BAA posture is in process — aligned and audit-ready, not certified.
5. Data-subject rights & breach notification
Cytra assists you, by appropriate technical and organizational measures, in responding to data-subject requests under Articles 12–23 GDPR. We notify you without undue delay, and within 72 hours, after becoming aware of a personal data breach affecting your data, with the information you need to meet your own obligations.
6. Return, deletion & audit
On termination we make your data available for export for 30 days, then delete or return it at your choice unless retention is required by law. We make available the information reasonably necessary to demonstrate compliance and, where available, may satisfy an audit request with a third-party attestation under NDA.
7. International transfers
Cytra processes and stores data in the United States. For EEA, UK, and Swiss customers, transfers are governed by the Standard Contractual Clauses, the UK IDTA, and the Swiss adaptations, incorporated by reference. Cytra does not currently offer EU-only data residency — see the data-residency statement on our sub-processors page.
8. Request an executable copy
To execute a DPA, email legal@cytra.io or reach us through the contact page, referencing your organization and your order form. The DPA incorporates our sub-processor list by reference. See also our Privacy Policy and Terms of Service.