DéjàDéjài
Effective Date: December 19, 2025

DPA & Subprocessors

This Data Processing Addendum ("DPA") forms part of the Master Services Agreement ("Agreement") between Déjà Inc. ("Processor") and the Customer ("Controller").

1. Definitions & Scope

"Payload Data" refers to transient, high-sensitivity technical data ingested for analysis, including stack traces, source code snippets, variable values, and environment states. "Metadata" refers to the calculated cryptographic hashes, correlation links, and resolution timestamps retained by Déjà.

2. The "Ephemeral Processing" Standard (The Incineration Clause)

This is the core architectural warranty of the Déjà platform.

Volatile Processing

Processor warrants that all Payload Data is processed exclusively in volatile memory (RAM).

Zero-Disk Persistence

Processor warrants that raw Payload Data is never written to non-volatile storage (HDD/SSD/Database) at rest.

Immediate Destruction

Upon the generation of the "Verified Artifact Signature" (as defined in US Patent App. 19/430,349), the raw Payload Data is immediately overwritten or garbage collected from memory. Only the resulting cryptographic hashes (Metadata) are retained.

3. Prohibition on Generative AI Training

Processor covenants that it shall not use Customer Data (Payloads or Metadata) to train, fine-tune, or vectorize any Large Language Models (LLMs) or generative inference engines. This prohibition applies to:

  • Global / Public Foundation Models.
  • Internal / Proprietary Models.
  • Third-Party Subprocessor Models.

4. Security Measures (TOMs)

Processor implements the following Technical and Organizational Measures:

  • Encryption: Data in transit is encrypted via TLS 1.3. Metadata at rest is encrypted via AES-256.
  • Entropy Gating: Processor employs an edge-layer "Integrity Filter" to reject and discard unverifiable or minified payloads before they enter the processing pipeline.
  • Network Isolation: Processing occurs within a logically isolated Virtual Private Cloud (VPC) with no public ingress to database layers.

5. Subprocessors

Processor utilizes a minimized supply chain. Customer consents to the following Subprocessors:

  • Amazon Web Services (AWS): Infrastructure & Hosting (USA). Data is encrypted at rest.
  • GitHub / GitLab: Identity Provider & Read-Only API Access. Used strictly for commit verification.
  • Stripe: Payment Processing.

Processor shall provide 30 days' notice before adding new Subprocessors.

6. Data Subject Rights & Deletion

Right to be Forgotten

Upon a deletion request, Processor executes a "Cryptographic Shred" of the Controller's tenant key. This renders all retained Metadata mathematically irretrievable instantly, satisfying GDPR Article 17 without requiring physical disk scrubbing (as no raw data resides on disk).

Audit Rights

Controller may audit Processor's compliance via the "Audit Extraction API" or by requesting the latest SOC 2 Type II report (when available).

7. International Transfers

For transfers of Personal Data from the EEA, UK, or Switzerland to the US, the parties agree to abide by the Standard Contractual Clauses (SCCs) annexed to this DPA.