DPA & subprocessors.
This Data Processing Addendum ("DPA") forms part of the agreement between Déjà, Inc. ("Processor") and the Customer ("Controller"). It defines the boundaries of processing, the security controls in force, the subprocessors engaged, and the rights of data subjects whose data may be processed in the course of providing the Déjà platform. Reviewed by CISOs, Heads of Risk, audit-firm technologists, and legal/compliance teams at firms operating under SOC 2 Type II, ISO 27001, NYDFS Part 500, DORA, SR 11-7, GDPR, and CCPA. Designed for review by counsel at firms such as KPMG, Deloitte, EY, PwC, BDO, Grant Thornton, and independent firms during procurement.
The terms this document operates on.
The following definitions govern this DPA. Where these definitions conflict with the principal services agreement, this DPA controls for matters of data processing, privacy, and security.
Déjà does not persist full raw payloads or full repository clones. Processing failures generate bounded structured Metadata (error diagnostics and normalized retry envelopes) as described in the Payload Data and Metadata definitions above and in §02. The platform's deterministic processing model is documented in detail on the Security page and in the Engine architectural proof.
Payloads are processed in volatile memory.
The Déjà platform implements a deterministic processing model in which Payload Data is processed transiently and Metadata is the only durable artifact. The pipeline is:
- Inbound webhook signal is received over TLS and held in volatile memory (RAM).
- Déjà computes deterministic fingerprints, hashes, and schema deltas from the Payload Data.
- Raw Payload Data is destroyed at the end of the request lifecycle. It is never written to durable storage.
- Only bounded Metadata is retained: signed receipts and attribution records for service operation and audit; structured ingest-rejection diagnostics (error code + validation detail, 90-day TTL) and normalized DLQ retry envelopes (validated event structure only, 30-day TTL) for service continuity in failure paths.
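To make the four pipeline steps concrete, the following added illustration (not Déjà's code; names, error code and field layout are assumptions) processes one constructed webhook body in memory, derives a content fingerprint and a schema delta from it, and returns only bounded Metadata. The success path yields receipt material; the failure path yields a structured ingest-rejection diagnostic with the 90-day TTL stated above.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

DIAG_TTL = timedelta(days=90)  # ingest-rejection diagnostic TTL stated on the page


def _schema_paths(value, prefix=""):
    """Collect key paths ending in a type name; payload values never enter the result."""
    if isinstance(value, dict):
        paths = set()
        for key, child in value.items():
            paths |= _schema_paths(child, f"{prefix}{key}.")
        return paths
    return {f"{prefix}{type(value).__name__}"}


def ingest(raw_body, previous_schema=frozenset(), now=None):
    """Process one webhook body in memory and return only bounded Metadata.
    raw_body is referenced only within this call and is never written out."""
    now = now or datetime.now(timezone.utc)
    fingerprint = hashlib.sha256(raw_body).hexdigest()
    try:
        payload = json.loads(raw_body)
        if not isinstance(payload, dict):
            raise ValueError("top-level JSON must be an object")
    except ValueError as exc:  # json.JSONDecodeError is a ValueError subclass
        return {  # failure path: error code + bounded detail, 90-day TTL (assumed code name)
            "kind": "ingest_rejection",
            "fingerprint": fingerprint,
            "error_code": "E_INVALID_JSON",
            "detail": str(exc)[:120],
            "expires_at": (now + DIAG_TTL).isoformat(),
        }
    schema = _schema_paths(payload)
    return {  # success path: receipt material (signing omitted), no payload content
        "kind": "receipt",
        "fingerprint": fingerprint,
        "schema_hash": hashlib.sha256("\n".join(sorted(schema)).encode()).hexdigest(),
        "schema_added": sorted(schema - set(previous_schema)),
        "schema_removed": sorted(set(previous_schema) - schema),
        "received_at": now.isoformat(),
    }


if __name__ == "__main__":
    # constructed sample bodies, not real customer traffic
    print(json.dumps(ingest(b'{"event":"push","repo":{"id":42,"name":"demo"}}'), indent=2))
    print(json.dumps(ingest(b'{"event":'), indent=2))
```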
Processing only for what was contracted.
Déjà processes Customer Data exclusively on the Customer's documented instructions and only for the purposes set out in the principal services agreement. The lawful basis for processing is the Customer's contractual relationship with Déjà as set out in that agreement.
Déjà will not process Customer Data for any of the following purposes:
- Marketing or analytics targeting any data subject identifiable from the Customer Data.
- Combining Customer Data with data from any other Customer for the purpose of producing aggregate insights, benchmarks, or comparative analytics.
- Selling, renting, or otherwise transferring Customer Data to any third party for that party's independent purposes.
- Onward processing by any party other than the subprocessors listed in §06, except as required by applicable law and after notification to Customer where lawful.
Déjà will promptly notify the Customer if, in Déjà's reasonable opinion, an instruction from the Customer would violate applicable data protection law. Déjà is not obligated to comply with an instruction it reasonably believes to be unlawful.
Customer Data does not train models.
Déjà does not train, fine-tune, or otherwise improve any machine learning, large language, or generative model using Customer Data. This commitment extends in full to Déjà's subprocessors, who are contractually prohibited from doing so on Déjà's behalf.
- No training of foundation models, fine-tuning datasets, or evaluation suites on Customer Data.
- No fine-tuning of any third-party model using Customer Data.
- No vectorization, embedding generation, or similarity-search index built from Customer Data for training purposes.
- No agreement with any subprocessor that grants the subprocessor a right to train on Customer Data, regardless of how the subprocessor characterizes that activity (e.g. "service improvement," "abuse detection," "telemetry").
Technical and organizational controls in force.
Déjà implements technical and organizational measures appropriate to the risk presented by the processing of Customer Data. The current control set is summarized below; the full architecture is documented on the Security page and in System Documentation §11.
A minimized chain. Seven subprocessors.
Déjà engages a deliberately small number of subprocessors. Each subprocessor is bound by data processing terms at least as protective as those in this DPA, including the no-generative-training covenant in §04.
| Subprocessor | Role | Region | Status |
|---|---|---|---|
| Amazon Web Services (AWS, Inc.) | Infrastructure hosting, durable storage, KMS key management | US-East / EU-Central | Active |
| Supabase (Supabase Inc.) | PostgreSQL persistence, row-level security policy enforcement | US | Active |
| Vercel (Vercel Inc.) | Edge compute, web application hosting | US / Global edge | Active |
| Stripe (Stripe, Inc.) | Billing, subscription management, payment processing | US | Active |
| Resend (Resend, Inc.) | Transactional email delivery | US | Active |
| PagerDuty (PagerDuty, Inc.) | Outbound incident notification routing (when configured by Customer) | US / Global | Active |
| Datadog (Datadog, Inc.) | Incident and signal data processing for connected Datadog integrations | US / EU | Active |
Subprocessor change notice. Déjà will provide the Customer with at least 30 days' notice prior to authorizing any new subprocessor or replacing any subprocessor on the list above, unless urgent security or legal circumstances require shorter notice. Customers may object to a proposed subprocessor change on reasonable grounds, in which case the parties will work in good faith to identify a commercially reasonable alternative.
The current subprocessor list is mirrored on the Security page and is the canonical reference. In the event of inconsistency, the version published on the Security page controls.
Assistance with access, rectification, erasure.
Déjà will provide reasonable assistance to the Customer in fulfilling data subject requests under applicable law, including without limitation rights of access, rectification, erasure, restriction, portability, and objection (GDPR Articles 15–22).
- Right of access — Déjà will provide Customer with the technical means to retrieve Metadata associated with an identified data subject within the platform's data model.
- Right of rectification — Where Customer-controlled fields require correction, Customer may update them directly. Cryptographically signed Metadata (e.g. signed receipts) cannot be modified post-issuance — see §08 for the deletion path.
- Right of erasure — Déjà will execute customer-initiated deletion via cryptographic shred controls (§08) or full account deletion within commercially reasonable timeframes.
- Right of restriction — Customer may suspend processing on a per-vault basis through the platform console.
- Right of portability — Customer may export Metadata in standard formats (DSR/1.0 receipts, CSV audit logs) at any time during the term.
- Right to object — Forwarded to the Customer for evaluation; Déjà acts only on Customer's documented instructions per §03.
Déjà does not respond directly to data subjects on the Customer's behalf. Requests received by Déjà directly will be forwarded to the Customer within five business days with notification to the data subject of the forwarding.
Customer-defined retention. Cryptographic shred.
Customer Data retention is customer-defined per vault. Default retention horizons are documented per pricing tier; customers may configure shorter or longer retention subject to tier-defined maxima.
Lawful transfer mechanisms where required.
Where Customer Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country not deemed adequate by the European Commission, the transfer relies on Standard Contractual Clauses (SCCs) or other recognized transfer mechanisms (UK IDTA, Swiss-US Data Privacy Framework where applicable).
Déjà plans to make EU regional infrastructure (AWS EU-Central) available in H2 2026 for customers requiring data residency in the European Union. Customers who require EU residency may join the waitlist; Déjà will notify waitlisted customers when regional infrastructure is generally available. Until EU regional infrastructure is available, all Customer Data is processed and stored in the United States.
Déjà will not transfer Customer Data to any country in respect of which the European Commission has issued an adequacy decision adverse to that country, except where such transfer is required by applicable law and Déjà has notified the Customer where lawful to do so.
Notification within 72 hours of awareness.
Déjà will notify the Customer of any personal data breach (as defined under GDPR Article 4(12)) affecting Customer Data without undue delay and in any event within 72 hours of becoming aware of such breach.
The notification will include, to the extent known at the time of notification:
- The nature of the breach, including the categories and approximate number of data subjects and Metadata records affected.
- The likely consequences of the breach, to the extent assessable at the time of notification.
- The measures taken or proposed by Déjà to address the breach and, where appropriate, to mitigate its possible adverse effects.
- Déjà's point of contact for further information, including ongoing breach status updates.
Déjà will provide reasonable assistance to the Customer in fulfilling the Customer's own notification obligations to supervisory authorities and affected data subjects under applicable law.
Records, reports, and on-site review.
Déjà will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA, including:
- SOC 2 Type II report — currently underway with target issuance Q3 2026. The report will be available under NDA to Customers on request.
- ISO 27001 certification — planned for 2027. Pre-work begins post-SOC 2 issuance.
- Penetration test summaries — most recent engagement available under NDA, with full report available to Enterprise and Sovereign tier customers.
- Subprocessor compliance documentation — available on request for any subprocessor listed in §06.
On-site audits. Customers in regulated industries may request on-site audits no more frequently than annually, with reasonable advance notice (no less than 30 days). On-site audits are at the Customer's expense and subject to mutual scheduling, scope agreement, and Déjà's reasonable security and confidentiality requirements.
Audit findings will be addressed in a remediation plan agreed between the parties, with timelines proportional to severity.
How this document begins, changes, ends.
Term. This DPA is effective from the Effective Date above and continues in force for so long as Déjà processes Customer Data on the Customer's behalf. Sections governing audit support, deletion confirmation, and breach notification survive termination as long as required to give effect to data subject rights and applicable law.
Liability. The liability of each party under this DPA is subject to the limitations and exclusions set out in the principal services agreement. Nothing in this DPA limits or excludes liability that cannot lawfully be limited or excluded under applicable law.
Modifications. Déjà may revise this DPA from time to time. Material changes will be notified to the Customer at least 30 days in advance via email and published on this page with a revised "Last revised" date. Non-material changes (typographical corrections, clarifying language, formatting) take effect on publication.
Governing law. This DPA is governed by the law specified in the principal services agreement. Where the principal agreement is silent, this DPA is governed by the law of the State of Delaware, USA, without regard to conflict-of-laws provisions.
Order of precedence. Where this DPA and the principal services agreement conflict on matters of data processing, privacy, or security, this DPA controls.
Procurement, legal, or audit questions?
Selecting "Security review — DPA, audit, compliance" on the contact form routes to the founding team. SOC 2 Type II reports are available under NDA on request.