BaselineOS — Data Processing Agreement (DPA)

Effective Date: April 14, 2026
Version: 1.0

This Data Processing Agreement (“DPA”) forms part of the agreement between GTCX — Global Trade & Compliance Exchange (“Processor”, “we”, “us”) and the entity agreeing to these terms (“Controller”, “you”, “Customer”) for the provision of BaselineOS services.


  • Personal Data: any information relating to an identified or identifiable natural person, as defined by applicable Data Protection Laws.
  • Data Protection Laws: GDPR (EU), NDPC Act (Nigeria), POPIA (South Africa), DPA (Kenya), Data Protection Act (Ghana), and any other applicable data protection legislation.
  • Processing: any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion.
  • Sub-processor: any third party engaged by the Processor to process Personal Data on behalf of the Controller.

BaselineOS processes data to provide AI operations services including:

  • Language expression and terminology enforcement
  • Context management for AI operations
  • Artifact production and provenance tracking
  • Organizational memory and pattern learning

Categories of Personal Data processed:

  • Organization profile data (name, industry, vertical)
  • User identifiers (user IDs, persona assignments)
  • AI interaction data (prompts, outputs, corrections)
  • Organizational memory (learned patterns, behavioral data)
  • Configuration data (layer settings, terminology rules)

Categories of data subjects:

  • Customer employees and authorized users
  • Individuals referenced in AI-processed content (as determined by Customer’s use)

Processing continues for the duration of the service agreement. Upon termination, Section 9 applies.

The Processor shall:

a) Process Personal Data only on documented instructions from the Controller, unless required by law.

b) Ensure that persons authorized to process Personal Data have committed themselves to confidentiality.

c) Take all measures required pursuant to Article 32 of the GDPR (security of processing), including:

  • AES-256 encryption of credentials at rest
  • TLS 1.2+ for all data in transit to third-party AI providers
  • SQLite WAL mode with filesystem-level access controls for local data
  • Per-agent credential scoping with audit trails
  • Input sanitization and prompt injection protection

d) Not engage another processor without prior specific written authorization of the Controller. See Section 5 for current sub-processors.

e) Assist the Controller in responding to data subject requests (access, rectification, erasure, portability).

f) Delete or return all Personal Data upon termination of service, at the Controller’s choice.

g) Make available to the Controller all information necessary to demonstrate compliance with this DPA.

The Controller shall:

a) Ensure it has a lawful basis for processing Personal Data through BaselineOS.

b) Provide clear instructions to the Processor regarding the processing of Personal Data.

c) Ensure that any Personal Data provided to BaselineOS does not include Special Category Data (Article 9 GDPR) unless explicitly agreed in writing.

| Sub-processor | Purpose | Data Location | Data Processed |
|---|---|---|---|
| Anthropic, PBC | AI model inference (Claude) | United States | Prompts and outputs sent for LLM processing |
| OpenAI, Inc. | AI model inference (optional) | United States | Prompts and outputs when OpenAI models selected |
| Amazon Web Services | AI model inference via Bedrock (optional) | Configurable region | Prompts and outputs when Bedrock models selected |

BaselineOS stores organizational memory, configuration, terminology, and learned patterns locally on the Controller’s infrastructure. This data is not transmitted to GTCX or any sub-processor unless the Controller explicitly configures external integrations.

The Processor shall notify the Controller at least 30 days before adding or replacing a sub-processor, providing the Controller an opportunity to object.

When BaselineOS sends prompts to AI providers (Anthropic, OpenAI, Bedrock), the following applies:

  • Data is transmitted via TLS 1.2+
  • AI providers process data per their own DPAs (linked in Section 6.3)
  • BaselineOS supports model routing to keep sensitive operations on self-hosted models (no external transfer)
  • Offline mode eliminates all external data transfers

For transfers outside the Controller’s jurisdiction:

  • Standard Contractual Clauses (SCCs) are incorporated by reference
  • The Processor shall implement supplementary measures as required by the Controller’s applicable law

The Processor maintains the following technical and organizational security measures:

  • Encryption at rest: AES-256-CBC for credential vault, SQLite for organizational data
  • Encryption in transit: TLS 1.2+ for all external API calls
  • Access control: per-agent credential scoping, trust-scored authorization
  • Input validation: prompt injection detection (11 patterns), secret scanning (5 patterns)
  • Rate limiting: per-endpoint and per-operation limits on destructive actions
  • Audit trail: immutable provenance tracking on all artifacts and context changes
  • Access to production systems limited to authorized personnel
  • Security incident response within 72 hours of detection (see Section 8)
  • Regular dependency audits and vulnerability scanning

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach. The notification shall include:

a) Nature of the breach, categories and approximate number of data subjects affected

b) Contact details of the Processor’s data protection point of contact

c) Likely consequences of the breach

d) Measures taken or proposed to address the breach

Upon termination of the service agreement:

a) The Controller may export all organizational data using exportOrganizationalMemory() and exportRegistry() APIs.

b) The Processor shall delete all Personal Data within 30 days of termination, unless retention is required by applicable law.

c) Local data stored in .baseline/ directories remains under the Controller’s control and is not affected by termination.

d) The Processor shall certify deletion in writing upon request.

The Controller may audit the Processor’s compliance with this DPA:

a) Upon 30 days’ written notice

b) No more than once per calendar year (unless a breach has occurred)

c) During normal business hours

d) The Processor may satisfy audit requests by providing SOC 2 Type II reports or equivalent certifications when available.

The Processor’s total liability under this DPA shall be subject to the limitations set forth in the underlying service agreement.

This DPA shall be governed by the laws applicable to the underlying service agreement between the parties.


For the Controller:

Name: ___________________________

Title: ___________________________

Signature: ___________________________

Date: ___________________________

For GTCX (Processor):

Name: ___________________________

Title: ___________________________

Signature: ___________________________

Date: ___________________________