Data Processing Addendum
Last updated: May 14, 2026
[REVIEW WITH LEGAL] — Draft only
This page is a public-facing summary of our Data Processing Addendum (DPA) and has not yet been signed off by counsel. To execute a DPA for a customer engagement, contact legal@riven.dev.
Parties and scope
This Data Processing Addendum ("DPA") forms part of the agreement between Riven AI ("Processor") and the customer ("Controller") for the provision of the Riven AI platform. It governs the Processor's processing of Personal Data on behalf of the Controller in the course of providing the service.
Definitions
- Personal Data: any information relating to an identified or identifiable natural person, as defined under applicable data-protection law.
- Controller / Processor: as defined under GDPR / UK GDPR / equivalent local laws.
- Sub-processor: any third party engaged by the Processor to process Personal Data on the Controller's behalf. The current list is published at /subprocessors.
Nature and purpose of processing
The Processor processes Personal Data solely to provide and operate the Riven AI platform as described in the customer agreement. Processing categories include authentication, billing, telemetry necessary for service operation, and storage of Controller-uploaded content.
Security measures
The Processor maintains the technical and organisational security measures described at /security, including TLS 1.2+ in transit, AES-256 at rest, AWS KMS-managed keys, IAM-scoped workload access, and ongoing vulnerability management.
Sub-processors
The Controller authorises the Processor to engage the sub-processors listed at /subprocessors. The Processor will notify Controllers of any material change at least 30 days in advance. Each sub-processor is bound by terms at least as protective as this DPA.
International transfers
Where Personal Data is transferred outside the European Economic Area or the United Kingdom, the Processor will rely on Standard Contractual Clauses (or the UK International Data Transfer Agreement, as applicable) as the lawful transfer mechanism. The Processor implements supplementary measures consistent with applicable guidance.
Data subject rights
The Processor will provide reasonable assistance to enable the Controller to respond to Data Subject Requests (access, rectification, erasure, restriction, portability, objection) within the time limits required by applicable law.
Breach notification
The Processor will notify the Controller without undue delay after becoming aware of a Personal Data breach, with sufficient detail for the Controller to meet its own notification obligations. Specific timelines and channels will be confirmed during DPA execution.
Term and termination
This DPA remains in force for as long as the Processor processes Personal Data on behalf of the Controller. On termination, the Processor will, at the Controller's election, return or delete Personal Data within a reasonable period unless retention is required by applicable law.
Governing law
The governing law for this DPA is the law specified in the customer's underlying service agreement. Where mandatory local law applies (for example, GDPR in the European Economic Area), the mandatory provisions of that law prevail.
Executing this DPA
To execute a signed DPA for your engagement, contact legal@riven.dev. We will provide a Word-format DPA suitable for counter-signature.