Effective Date: February 12, 2026
DPA & Subprocessors
This Data Processing Addendum ("DPA") forms part of the agreement between Deja, Inc. ("Processor") and the Customer ("Controller"). It defines processing boundaries, security controls, subprocessors, and data subject rights.
1. Definitions & Scope
- Payload Data: transient, high-sensitivity technical input used for processing.
- Metadata: derived hashes, bounded identifiers, and correlation records retained for deterministic recall and auditability.
- Processor does not persist full raw payloads or full repository clones.
2. Ephemeral Processing Standard
- Payloads are processed in volatile memory (RAM).
- Processor derives deterministic fingerprints (for example, hashes).
- Raw payloads are destroyed after derivation.
- Only bounded metadata required for service operation is retained.
3. No Generative Training Covenant
- No training on Customer Data.
- No fine-tuning on Customer Data.
- No vectorization/embedding-based training on Customer Data.
- This restriction extends to third-party subprocessors used to deliver the service.
4. Security Measures
- Encryption in transit (TLS) and at rest (AES-256 for retained data).
- Entropy/integrity gating for telemetry quality and safety.
- Network isolation and restricted ingress controls.
- Least-privilege access and scoped integration permissions.
5. Subprocessors
Processor uses a minimized subprocessor chain:
- Amazon Web Services (AWS): infrastructure and hosting.
- GitHub / GitLab: read-only API access for verification workflows.
Processor provides 30 days' notice before adding new subprocessors, unless urgent security or legal circumstances require shorter notice.
6. Data Subject Rights, Deletion, and Transfers
- Deletion requests are handled with cryptographic shred controls for retained tenant-linked material.
- Audit support is available via records/export endpoints and compliance processes.
- International transfers rely on recognized transfer mechanisms (including SCCs) where required.