Data Processing Agreement

Standard Data Processing Agreement for Optima Forge enterprise customers.

Effective Date: March 1, 2026

Last Updated: March 1, 2026

This Data Processing Agreement ("DPA") is entered into between the entity identified in the applicable Optima Forge subscription agreement or order form ("Controller" or "Customer") and Optima Forge ("Processor" or "Company"). This DPA supplements and forms part of the Terms of Service or Master Service Agreement ("Agreement") between the parties.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Service.
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, or deletion.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
  • "Supervisory Authority" means an independent public authority responsible for monitoring the application of data protection law.
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679.
  • "SCCs" means the Standard Contractual Clauses adopted by the European Commission for international data transfers.

2. Scope and Purpose

This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the Optima Forge Service. The Processor shall process Personal Data only as necessary to provide the Service and in accordance with the Controller's documented instructions.

The categories of Personal Data processed, the categories of Data Subjects, and the nature and purpose of processing are described in Annex A of this DPA.

3. Data Processor Obligations

The Processor agrees to:

  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law. The Processor shall inform the Controller of any legal requirement before processing, unless prohibited from doing so.
  • Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, as described in Annex B.
  • Not engage another processor (Sub-processor) without prior written authorization from the Controller, as described in Section 5.
  • Assist the Controller in responding to Data Subject requests to exercise their rights under applicable data protection law.
  • Assist the Controller in ensuring compliance with obligations related to security of processing, data breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
  • At the Controller's choice, delete or return all Personal Data upon termination of the Agreement, and delete existing copies unless storage is required by applicable law.
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or a mandated auditor.

4. Controller Obligations

The Controller agrees to:

  • Ensure that its instructions for the processing of Personal Data comply with applicable data protection law.
  • Ensure that it has obtained all necessary consents and has a valid legal basis for the processing of Personal Data transmitted to the Processor.
  • Notify the Processor promptly of any changes to processing instructions or applicable data protection requirements.
  • Be responsible for the accuracy, quality, and legality of Personal Data provided to the Processor.

5. Sub-processors

5.1 Authorization

The Controller provides general written authorization for the Processor to engage Sub-processors. The Processor shall maintain a current list of Sub-processors and make it available to the Controller upon request.

5.2 Current Sub-processors

The following Sub-processors are authorized as of the effective date of this DPA:

  • Oracle Cloud Infrastructure -- Infrastructure hosting (United States)
  • Clerk -- Authentication and identity management (United States)
  • Stripe -- Payment processing (United States)
  • Turso (ChiselStrike) -- Database hosting (Configurable region)
  • Pipedream -- Third-party API connectivity (United States)
  • Cloudflare -- CDN and tunnel services (Global edge network)
  • LLM Providers -- As configured by the Controller (varies by provider)

5.3 Changes to Sub-processors

The Processor shall notify the Controller at least 30 days before engaging a new Sub-processor or replacing an existing one. If the Controller objects to a new Sub-processor, the parties shall work in good faith to resolve the objection. If no resolution is reached within 30 days, the Controller may terminate the affected Service with a pro-rata refund of prepaid fees.

5.4 Sub-processor Obligations

The Processor shall impose data protection obligations on each Sub-processor that are no less protective than those in this DPA. The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations.

6. International Data Transfers

When Personal Data is transferred from the EEA, UK, or Switzerland to a country that has not received an adequacy decision, the parties agree that such transfers shall be governed by the Standard Contractual Clauses (SCCs) adopted by the European Commission, incorporated by reference into this DPA.

  • For Controller-to-Processor transfers: Module Two of the SCCs applies.
  • For Processor-to-Sub-processor transfers: Module Three of the SCCs applies.
  • Enterprise customers may configure data residency routing to restrict data processing to specific geographic regions.

7. Security Measures

The Processor implements the following technical and organizational security measures:

  • Encryption of data at rest (AES-256) and in transit (TLS 1.3).
  • 8-stage ForgeGuard security pipeline for all API requests.
  • SpiceDB (Zanzibar-style) relationship-based access control.
  • OPA + Rego policy engine for fine-grained authorization.
  • Multi-tenant isolation at database, cache, and memory layers.
  • API key encryption via Agent-Vault with credential isolation.
  • Regular penetration testing and vulnerability scanning.
  • Employee access controls with role-based permissions.
  • Incident response procedures and 24/7 monitoring.
  • Physical security provided by Oracle Cloud data centers (SOC 2 certified).

8. Data Breach Notification

  • The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data breach.
  • The notification shall include: the nature of the breach, categories and approximate number of affected Data Subjects, likely consequences, and measures taken or proposed to address the breach.
  • The Processor shall cooperate with the Controller and provide all information necessary for the Controller to fulfill its breach notification obligations to supervisory authorities and Data Subjects.
  • The Processor shall document all breaches, including facts, effects, and remedial actions taken, and make this documentation available to the Controller upon request.

9. Audits

The Controller may audit the Processor's compliance with this DPA once per year, or more frequently if required by a supervisory authority or following a data breach. Audits shall be conducted with reasonable notice (at least 30 days) and during normal business hours. The Controller may use a qualified independent third-party auditor, subject to confidentiality obligations. The Processor shall cooperate fully with any audit and provide access to relevant facilities, systems, and documentation.

10. Term and Termination

This DPA remains in effect for the duration of the Agreement. Upon termination of the Agreement, the Processor shall, at the Controller's election, return or securely delete all Personal Data within 30 days, except where retention is required by applicable law. The Processor shall certify deletion upon request.

Annex A: Details of Processing

  • Categories of Data Subjects: Controller's employees, end users, and customers whose data is processed through the Service.
  • Categories of Personal Data: Names, email addresses, IP addresses, API request metadata, authentication tokens, and any Personal Data included in prompts or messages transmitted through the Service.
  • Nature of Processing: Routing, caching, security scanning, memory storage, analytics, and observability in connection with the AI infrastructure service.
  • Purpose of Processing: To provide the Optima Forge Service as described in the Agreement.
  • Duration of Processing: For the term of the Agreement plus the data retention period specified in the Privacy Policy.

Contact

For questions about this DPA or to request a signed copy, contact: