Draft notice: This document is a starting template. Reglint is not a law firm. Before launching to paying customers, have a licensed attorney review for your jurisdiction and use case.

Data Processing Agreement

Effective date: 2026-05-17  ·  Reglint LLC  ·  Entity ID 12015362

Processor: Reglint LLC, a limited liability company registered in the Commonwealth of Virginia, USA (Entity ID: 12015362) — “Reglint”

Controller: The individual or legal entity that has agreed to Reglint's Terms of Service and is using the Reglint compliance scanning service — “Customer” or “Controller”

1. Definitions

The following terms have the meanings given in GDPR Article 4 unless otherwise specified:

  • Personal Data — any information relating to an identified or identifiable natural person (“data subject”).
  • Processing — any operation or set of operations performed on Personal Data, whether or not by automated means (collection, recording, storage, use, disclosure, erasure, etc.).
  • Controller — the natural or legal person who determines the purposes and means of Processing Personal Data. Here: the Customer.
  • Processor — the natural or legal person who processes Personal Data on behalf of the Controller. Here: Reglint LLC.
  • Sub-processor — any third party engaged by Reglint to process Personal Data for the purpose of providing the Services.
  • Data Subject — an identified or identifiable natural person whose Personal Data is processed.
  • Services — the Reglint AI compliance scanning service, including the static code analysis feature and the runtime AI agent monitor (POST /api/monitor/scan), as described in the Terms of Service.
  • GDPR — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data.
  • SCCs — Standard Contractual Clauses for the transfer of Personal Data to third countries, as adopted by the European Commission.

2. Scope and Purpose

This Data Processing Agreement (“DPA”) governs Reglint's Processing of Personal Data on behalf of the Customer in connection with the Services. It supplements the Terms of Service and is incorporated by reference therein. In the event of conflict between this DPA and the Terms of Service on matters of data protection, this DPA controls.

Reglint processes Personal Data solely to provide the Services as instructed by the Customer and in accordance with applicable law. Reglint shall not process Personal Data for its own purposes or for purposes unrelated to the Services, except where required by law.

The Customer, as Controller, is responsible for:

  • ensuring it has a lawful basis for submitting Personal Data to Reglint for processing;
  • providing required notices to Data Subjects about their data being processed through Reglint; and
  • obtaining any necessary consents before submitting Personal Data to the Services.

3. Categories of Personal Data Processed

Depending on how the Customer uses the Services, Reglint may process the following categories of Personal Data:

3.1 Account and Identity Data

  • Email address, full name, and company name provided at registration
  • Authentication credentials (stored as bcrypt hashes — plaintext passwords are never stored)

3.2 Scan Content

  • Layer 1 (Static code analysis): code snippets and repository content submitted by the Customer, which may contain identifiers, comments, or other data attributable to natural persons
  • Layer 2 (Runtime AI agent monitor): AI agent prompt and output pairs submitted via POST /api/monitor/scan, which may contain Personal Data relating to end users of the Customer's application
  • System prompts and agent configurations submitted by the Customer

3.3 Usage and Audit Data

  • API call timestamps, endpoint names, HTTP status codes, and response latency
  • Compliance scan decisions (BLOCK / REDACT / ALERT / PASS) and matched regulatory pattern identifiers
  • Scan mode, regulatory framework, and industry sector metadata

3.4 Billing Data

  • Stripe customer ID and subscription status (card numbers and CVVs are never processed or stored by Reglint)

Special categories of data: Reglint does not intentionally collect special categories of Personal Data (health data, racial or ethnic origin, political opinions, etc.) about Customers themselves. However, scan payloads submitted by the Customer may contain such data about end users. The Customer is responsible for ensuring an appropriate lawful basis exists under GDPR Article 9 before submitting such data.

4. Sub-Processors

The Customer provides general written authorization for Reglint to engage the following sub-processors. All sub-processors are bound by data processing agreements consistent with this DPA and applicable law.

Sub-Processor              Location                     Purpose
Amazon Web Services Inc.   us-east-1 (Virginia, USA)    Infrastructure hosting (Fargate/ECS), RDS PostgreSQL database, ElastiCache, Lambda, Bedrock Knowledge Base, Simple Email Service (SES)
Anthropic PBC              USA                          Claude Haiku 4.5 API — AI judgment layer for compliance decisions on scan payloads
Stripe Inc.                USA / global                 Payment processing and subscription management (no scan data shared)

Reglint will notify the Customer at least 30 days before adding or replacing a sub-processor via email to the account address on file. The Customer may object to a new sub-processor within that 30-day period by emailing privacy@reglint.ai. If the parties cannot resolve the objection, the Customer may terminate the Services with a full pro-rated refund of any prepaid fees for the unused period.

5. Security Measures (Article 32 GDPR)

Reglint implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

5.1 Technical Measures

  • Encryption at rest: AWS RDS database volumes are encrypted using AES-256. S3 objects use server-side encryption.
  • Encryption in transit: All data is transmitted over TLS 1.2 or higher. HTTP traffic is automatically redirected to HTTPS.
  • Authentication: API access requires signed tokens with 24-hour expiry. Dashboard access requires authenticated Cognito sessions.
  • API key security: API keys are stored as hashed values in the database; the raw key is displayed only once at time of issuance.
  • Password security: Customer passwords are stored as bcrypt hashes. Plaintext passwords are never persisted.
  • Network isolation: Infrastructure is deployed within a VPC in AWS us-east-1 with appropriate security group controls.

5.2 Organizational Measures

  • Role-based access control (RBAC): Access to production systems and customer data is restricted to personnel who require it to perform their duties.
  • Audit logging: Access to production infrastructure and databases is logged.
  • Security reviews: Reglint conducts periodic security reviews of infrastructure configuration, access controls, and dependency vulnerabilities.
  • Sub-processor vetting: Sub-processors are evaluated for security posture prior to engagement.

5.3 Limitations

No security system is impenetrable. The measures described above represent Reglint's current baseline; they will be updated as technology and the threat landscape evolve. Reglint does not currently hold SOC 2 Type II certification but intends to pursue it; see Section 10 (Audit Rights) for related commitments.

6. Data Subject Rights

Reglint will provide reasonable assistance to the Customer to enable the Customer to fulfill its obligations to Data Subjects under GDPR Articles 15–22, including:

  • Article 15 — Right of access: Reglint will provide the Customer with data exports upon request.
  • Article 16 — Right to rectification: Reglint will correct inaccurate account data promptly upon written instruction.
  • Article 17 — Right to erasure: Reglint will delete Personal Data upon instruction, subject to legal retention obligations and the schedules in Section 8.
  • Article 18 — Right to restriction of processing: Reglint will pause processing upon instruction while a dispute is under review.
  • Article 20 — Right to data portability: Reglint will provide Personal Data in a structured, machine-readable format upon request.
  • Article 21 — Right to object: Reglint will forward documented objections to the Customer for resolution.

Data Subjects must direct rights requests to the Controller (Customer), not to Reglint directly. Reglint will assist the Customer in fulfilling these requests but is not the primary point of contact for Data Subjects regarding their rights under the Customer's application or service.

Requests relating to Customer account data (email, name, billing) that the Customer cannot self-service may be directed to privacy@reglint.ai. Reglint will respond within 30 days.

7. Personal Data Breach

Reglint will notify the Customer without undue delay and within 72 hours of becoming aware of a Personal Data breach affecting Customer data, to the extent that notification is possible within that timeframe.

Breach notifications will include, to the extent known at the time of notification:

  • The nature of the Personal Data breach, including the categories of data involved;
  • The categories and approximate number of Data Subjects affected;
  • The categories and approximate number of Personal Data records affected;
  • The name and contact details of Reglint's point of contact for further information;
  • The likely consequences of the Personal Data breach; and
  • The measures taken or proposed to address the breach and mitigate its effects.

Where all information is not yet available, Reglint will provide it in phases as it becomes known. The Customer is responsible for notifying the relevant supervisory authority and affected Data Subjects as required by applicable law, including GDPR Articles 33 and 34.

Breach notifications will be sent to the Customer's account email address on file. For breach-related inquiries, contact privacy@reglint.ai.

8. Data Retention and Deletion

  • Scan content containing Personal Data (Layer 1 code snippets and Layer 2 prompt/output pairs): automatically and irreversibly purged after 90 days.
  • Anonymized scan metadata (audit fields that contain no raw scan content and are not linkable to individual Data Subjects after purge): retained indefinitely for product improvement and detection accuracy.
  • Account data (email, name, hashed credentials): retained until account deletion, then purged within 30 days.
  • Billing records: retained for 7 years to comply with U.S. tax law (IRC § 6001) and Virginia recordkeeping requirements.

Upon termination of the Services or upon the Customer's written request, Reglint will delete all Personal Data (excluding billing records subject to legal retention) within 30 days. The Customer may request earlier deletion of scan content by emailing support@reglint.ai. Reglint will confirm deletion in writing upon completion.

9. International Transfers

Personal Data submitted to the Services is primarily processed in the United States (AWS us-east-1, Northern Virginia). Reglint and its sub-processors process data in the US.

For transfers of Personal Data from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States, Reglint relies on the following transfer mechanisms:

  • Standard Contractual Clauses (SCCs): Reglint agrees to be bound by the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as Processor for transfers of EEA Personal Data. Upon request, Reglint will execute the applicable SCC modules.
  • UK International Data Transfer Addendum: For UK data transfers, Reglint will execute the UK IDTA where required.

By using the Services and agreeing to this DPA, the Customer acknowledges and consents to the transfer and processing of Personal Data in the United States under the mechanisms described above. Customers with specific transfer restrictions should contact privacy@reglint.ai before initiating data processing.

10. Audit Rights

  • Documentation: Reglint will provide the Customer, upon written request, with documentation and information reasonably necessary to demonstrate compliance with this DPA (e.g., this DPA itself, sub-processor agreements, security policies).
  • Audit reports: Once available, Reglint will provide SOC 2 Type II or equivalent audit reports on request. Reglint is not currently SOC 2 certified and will notify Customers when certification is obtained.
  • On-site audits: The Customer may request an on-site audit of Reglint's data processing operations no more than once per calendar year. On-site audits require: (a) at least 30 days' prior written notice; (b) execution of a confidentiality agreement; and (c) agreement on the scope, timing, and duration of the audit. Costs of on-site audits are borne by the Customer.
  • Cooperation: Reglint will cooperate reasonably with the Customer and any auditors appointed by the Customer, subject to the confidentiality of third-party data and proprietary information.

11. Term and Termination

This DPA is effective as of the Effective Date and remains in force for as long as Reglint processes Personal Data on behalf of the Customer.

This DPA terminates automatically upon expiry or termination of the Terms of Service, subject to any obligations that survive termination. Surviving obligations include:

  • Reglint's obligation to delete or return Personal Data per Section 8;
  • Reglint's obligation to notify the Customer of breaches discovered after termination that relate to data processed during the term; and
  • Any obligations required by applicable law.

12. Governing Law

This DPA is governed by the laws of the Commonwealth of Virginia, United States, without regard to its conflict-of-law rules, except where mandatory provisions of the GDPR or other applicable data protection law impose different requirements, in which case those mandatory provisions shall apply to the extent of the conflict.

Disputes relating to this DPA shall be subject to the dispute resolution mechanism in the Terms of Service, including the binding arbitration clause and any applicable carve-outs for regulatory enforcement actions.

13. Contact

For requests to execute a signed DPA or SCC addendum (e.g., for enterprise contracts), contact legal@reglint.ai.

14. Acceptance

By using the Reglint Services, the Customer agrees to this Data Processing Agreement. Acceptance occurs at the time the Customer creates an account and accepts the Terms of Service, which incorporates this DPA by reference. No separate signature is required for the standard DPA terms. For enterprise use cases requiring a countersigned DPA with custom terms, contact legal@reglint.ai.