Data Processing Addendum
Last updated: 2026-05-03
This Data Processing Addendum (“DPA”) supplements the engagement letter signed between Mycelium (“Processor”) and the customer (“Controller”) and governs the processing of personal data the Controller provides as part of a Mycelium pilot. A signed PDF of this DPA is available on request at adelaida@diazroa.com.
1. Scope and applicability
This DPA applies to personal data the Controller submits to Mycelium for processing under the engagement letter, including data ingested via the runtime’s connectors and data submitted through the inquiry form. It applies regardless of whether the Controller is established inside or outside the European Economic Area.
2. Roles
The Controller determines the purposes and means of processing of personal data. The Processor processes personal data on the Controller’s instructions, subject to the engagement letter and this DPA. Where the Controller acts as a processor for an end-customer, the Processor is a sub-processor.
3. Subprocessors
The current subprocessor list is:
- Vercel Inc.: hosting, edge delivery (United States)
- Resend, Inc.: transactional email (United States)
- PostHog, Inc.: product analytics (United States; EU instance available)
- Anthropic PBC: LLM compute, opt-in per tenant (United States)
- OpenAI, OpenRouter, MiniMax: LLM compute, opt-in per tenant (United States)
The Processor will give the Controller no less than thirty days’ notice before adding or replacing a subprocessor. The Controller may object on reasonable grounds; if the parties cannot agree, the Controller may terminate the engagement letter without penalty.
4. International transfers
Where personal data of EEA, UK, or Swiss data subjects is transferred outside the EEA or the UK, the parties incorporate the EU Standard Contractual Clauses (Module Two, Commission Implementing Decision EU 2021/914 of 4 June 2021) and the UK International Data Transfer Addendum (Version B1.0, in force 21 March 2022). Module Three applies where the Controller is itself a processor.
5. Security
The Processor maintains technical and organizational measures appropriate to the risk: TLS 1.3 in transit; AES-256 at rest; per-tenant scoping on every request, tool call, and webhook; multi-tenant JWT auth; an audit log of every read, write, and synthesis event; HMAC-validated webhooks; an in-memory async retry queue with exponential backoff and a dead-letter folder per tenant; admin-only replay endpoint; vulnerability disclosure at adelaida@diazroa.com.
A SOC 2 Type II audit is on the calendar. The current readiness state is available on request.
6. Data subject rights
The Processor will assist the Controller, taking into account the nature of processing and the information available, in fulfilling the Controller’s obligations to respond to data-subject requests under applicable law (Articles 12 to 23 GDPR; CCPA; LGPD). Standard support is included in the engagement; complex or large-volume requests may carry an additional fee, named in advance.
7. Personal data breach
The Processor will notify the Controller of any personal data breach affecting the Controller’s data without undue delay and in any case within seventy-two hours of becoming aware of it, with information sufficient to enable the Controller to fulfill its breach-notification obligations.
8. Audit
The Controller may, no more than once per calendar year and on thirty days’ written notice, audit the Processor’s compliance with this DPA. The Processor will respond to reasonable security-questionnaire requests at no cost; on-site audits are at the Controller’s expense.
9. Return or deletion
On termination of the engagement letter, the Processor will, at the Controller’s choice, return or delete all personal data within ninety days, except where retention is required by applicable law.
10. Conflict
In case of conflict between this DPA and the engagement letter, this DPA controls with respect to the processing of personal data. In case of conflict with the EU Standard Contractual Clauses incorporated under Section 4, the SCCs control.
Mycelium · founded 2026