Last updated: 2026-06-03 · Effective: 2026-06-03
This Data Processing Addendum forms part of the master engagement agreement between CryptoMize Mothership and the customer, and applies to the processing of personal data in connection with the CEREBRAS P5 sovereign AI platform.
"Personal Data" has the meaning given in GDPR Art. 4(1) or analogous law.
"Processing" has the meaning given in GDPR Art. 4(2) or analogous law.
"Controller" means the customer (the sovereign institution).
"Processor" means CryptoMize Mothership.
"Sub-processor" means any third party engaged by Processor to process Personal Data.
"Data Subject" means an identified or identifiable natural person.
The parties acknowledge that:
Customer is the Controller of Personal Data.
CryptoMize Mothership is the Processor of Personal Data.
CryptoMize Mothership processes Personal Data only on documented instructions from Customer.
The scope, nature, purpose, duration, types of Personal Data, and categories of Data Subjects are specified in the master engagement agreement and any applicable Statement of Work (SOW).
CryptoMize Mothership agrees to:
Process Personal Data only on documented instructions.
Ensure all personnel authorized to process Personal Data are bound by confidentiality obligations.
Implement appropriate technical and organizational security measures (FIPS 140-3, Common Criteria EAL5+, ISO 27001, SOC 2 Type II).
Engage Sub-processors only with Customer consent (current: Cloudflare, AWS/Azure/GCP, Plausible Analytics).
Assist Customer with Data Subject requests (response within 14 days).
Notify Customer of breaches within 72 hours.
Return or delete Personal Data at end of engagement.
Customer agrees to:
Provide Processor with documented instructions for processing Personal Data.
Ensure that all instructions comply with applicable data protection law.
Obtain all necessary consents from Data Subjects.
Respond to Data Subject requests directly, with Processor's reasonable assistance.
Customer data is sovereign. Processor honors:
Customer-controlled keys (BYOK/HYOK) — Customer controls encryption keys.
On-premise deployment option — Air-gapped, fully isolated.
No foreign transmission — Customer data does not leave customer jurisdiction.
Sovereign NLP — Local language models, no foreign API calls.
Source code escrow — Customer can audit, fork, self-host.
Customer data resides in the customer-selected jurisdiction. Processor does not transfer Customer data outside the customer-selected jurisdiction without Customer's prior written consent.
For any cross-border transfers required for Processor operations (support, engineering), Processor will:
Use Standard Contractual Clauses (SCCs) approved by the European Commission.
Conduct Transfer Impact Assessments (TIAs).
Implement supplementary measures as needed.
Customer has the right to audit Processor's compliance with this DPA, upon:
30 days' prior written notice.
Reasonable frequency (no more than once per year, unless mandatory breach).
During business hours.
At Customer's expense.
Processor may satisfy audit obligations by providing SOC 2 Type II reports, ISO 27001 certificates, Common Criteria certificates, FIPS 140-3 certificates, and FedRAMP authorization.
Processor will notify Customer of any Personal Data breach within 72 hours of becoming aware.
Notification will include:
Nature of the breach.
Categories of Personal Data affected.
Approximate number of Data Subjects affected.
Likely consequences.
Measures taken or proposed to address the breach.
For DPA-related inquiries:
Email: dpa@cerebras.in
Data Protection Officer: dpo@cerebras.in
Mail: CryptoMize Mothership, Data Protection Office, [Address]
This DPA is published under the 6C's operating principles, particularly Compliance and Coalition. We hold coalition with our customers in protecting Data Subjects' rights.