Data Processing Addendum
Last Updated: February 23, 2026 Effective Date: Upon acceptance of the Master Service Agreement
1. Scope & Purpose
This Data Processing Addendum (“DPA”) supplements the Master Service Agreement and governs the processing of personal data by Tacitus Systems on behalf of Customer in connection with the Cloud Bridge service.
This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the Polish Act on Personal Data Protection (Ustawa o ochronie danych osobowych).
For definitions of capitalized terms, refer to the Master Service Agreement, Section 2.
2. Roles & Responsibilities
2.1 Cloud Bridge
- Customer is the Data Controller. Customer determines the purposes and means of processing personal data within their Cloud Bridge instance.
- Tacitus Systems is the Data Processor. Tacitus Systems processes personal data solely on behalf of and in accordance with Customer’s documented instructions.
2.2 Cortex
- Customer is the sole Data Controller. The Cortex appliance operates in an air-gapped environment. Tacitus Systems has no physical or logical access to data stored on Cortex hardware.
- Tacitus Systems has no processor role for Cortex data. The obligations in Sections 3 through 11 of this DPA do not apply to data processed exclusively on Cortex hardware, as Tacitus Systems does not process such data.
2.3 Website and Account Data
For personal data collected through the website (contact forms, analytics, account information), Tacitus Systems acts as Data Controller. This processing is governed by the Privacy Policy.
2.4 Non-Custodial Encryption & Compliance Note
Tacitus Systems’ architecture is built on non-custodial encryption: Customer holds all encryption keys, and Tacitus Systems has no means of accessing Customer Data in plaintext. This design is intentional and does not reduce Customer’s ability to comply with GDPR obligations. Because Customer — as Data Controller — is the sole party with access to the decryption keys, Customer is also the only party capable of fulfilling data subject rights requests (access, erasure, portability, rectification) with respect to the underlying data. The technical obligations in this DPA should be read in light of this architecture: Tacitus Systems provides the platform, tools, and infrastructure; Customer fulfills data subject rights requests using those tools with the keys it holds.
3. Processing Instructions
Tacitus Systems shall process personal data contained within Customer Data only:
- In accordance with Customer’s documented instructions, as specified in this DPA and the Master Service Agreement.
- As necessary to provide the Cloud Bridge services described in the Order Form.
- As required by applicable law, provided that Tacitus Systems informs Customer of the legal requirement before processing (unless prohibited by law).
If Tacitus Systems believes an instruction from Customer infringes GDPR or other applicable data protection law, Tacitus Systems shall promptly notify Customer.
4. Categories of Data & Data Subjects
The categories of personal data and data subjects processed under this DPA are determined by Customer in its capacity as Data Controller. Typical categories include:
| Category | Examples |
|---|---|
| Data Subjects | Customer’s clients, employees, counterparties, or other individuals whose data is contained in uploaded documents |
| Personal Data | Names, contact information, identification numbers, financial data, legal case details, medical records, or other categories as determined by the documents Customer uploads |
| Special Categories (Art. 9) | If Customer uploads documents containing health data, biometric data, or data revealing racial/ethnic origin, political opinions, or religious beliefs, Customer acknowledges responsibility for ensuring a valid legal basis under Article 9 GDPR |
Tacitus Systems does not independently determine or control the categories of personal data processed. Customer is responsible for ensuring that all personal data uploaded to the infrastructure has a valid legal basis for processing.
5. Sub-Processors
5.1 Authorized Sub-Processors
Customer authorizes Tacitus Systems to engage the following sub-processors:
| Sub-Processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Scaleway | Cloud infrastructure hosting (compute, storage, networking) | EU (France/Poland) | Encrypted Customer Data volumes, VM instances |
5.2 Cortex Exemption
In Cortex Mode, no sub-processors are engaged for Customer Data operations. The appliance operates entirely on Customer’s premises without external connectivity.
5.3 Sub-Processor Changes
Tacitus Systems shall notify Customer at least thirty (30) days in advance of any intended addition or replacement of sub-processors. Customer may object to a new sub-processor on reasonable grounds related to data protection. If Tacitus Systems cannot reasonably accommodate the objection, Customer may terminate the affected services without penalty.
5.4 Sub-Processor Obligations
Tacitus Systems shall impose data protection obligations on each sub-processor that are no less protective than those in this DPA, including obligations regarding confidentiality, security measures, and data deletion.
6. Security Obligations
Tacitus Systems implements the technical and organizational security measures described in the Security Addendum. These measures include:
- AES-256-GCM encryption at rest for all Customer Data.
- TLS 1.3 encryption in transit.
- Single-tenant instance isolation with dedicated encrypted storage volumes (Cloud Bridge).
- Strict network policy ensuring no cross-tenant communication, implemented via Kubernetes namespace isolation (with NetworkPolicy enforcement) or equivalent per-customer dedicated instance deployment depending on service tier.
- Role-based access controls with group-level data segregation.
- Volatile ingestion pipeline (tmpfs) ensuring no unprocessed documents persist to storage.
- HMAC-based document deduplication preventing cross-tenant metadata correlation.
7. Data Subject Rights Assistance
Tacitus Systems shall assist Customer in fulfilling its obligations to respond to Data Subject Access Requests (DSARs) and other rights requests under GDPR Articles 15 through 22.
Upon receiving a request from a data subject that relates to Customer Data, Tacitus Systems shall:
- Promptly redirect the data subject to Customer (if the request is received directly by Tacitus Systems).
- Provide Customer with the technical tools and assistance necessary to respond to the request.
- Respond to Customer’s instructions regarding the request within ten (10) business days.
Tacitus Systems shall not independently respond to data subject requests concerning Customer Data unless instructed by Customer or required by law.
8. Data Protection Impact Assessment Assistance
Upon Customer’s request, Tacitus Systems shall provide information reasonably necessary for Customer to conduct Data Protection Impact Assessments (DPIAs) under Article 35 GDPR, including:
- Description of the processing operations performed by Tacitus Systems.
- Technical and organizational security measures in place.
- Data flow documentation for the Cloud Bridge infrastructure.
9. Audit Rights
9.1 Customer Audit
Customer may audit Tacitus Systems’ compliance with this DPA once per calendar year. Audits shall be conducted upon at least thirty (30) days’ written notice, during normal business hours, and at Customer’s expense.
9.2 Third-Party Audit
Customer may appoint an independent third-party auditor, at Customer’s expense, subject to Tacitus Systems’ reasonable approval (not to be unreasonably withheld) and the auditor’s execution of a confidentiality agreement.
9.3 Audit Documentation
Tacitus Systems shall make available the following documentation upon request:
- Security Addendum and any updates.
- Sub-processor list and DPA status.
- Records of processing activities relevant to Customer’s data.
- Data flow diagrams for Customer’s Cloud Bridge instance.
10. Data Deletion & Return
10.1 During the Agreement
Customer may delete Customer Data at any time through the platform interface. Deletion follows the procedure described in the Security Addendum: encrypted file deletion, vector database purge, and SQLite/Qdrant vacuum operations. Because all documents are encrypted at rest with AES-256-GCM using Customer-held keys, deletion of the encrypted file renders the data permanently inaccessible without requiring physical overwrite.
10.2 Upon Termination
Within thirty (30) days following termination of the Master Service Agreement:
- Data Export. Customer may export Customer Data through the platform’s data export functionality.
- Certified Erasure. Following the export window, Tacitus Systems shall permanently erase all Customer Data from Cloud Bridge infrastructure.
- Certification. Tacitus Systems shall provide a written certification of erasure upon Customer’s request.
10.3 Retention Exceptions
Tacitus Systems may retain limited metadata (account identifiers, billing records) as required by Polish tax law (Ordynacja podatkowa, typically 5 years). Such retained data does not include Customer Data, Customer Content, or Vector Embeddings.
11. International Data Transfers
11.1 Cloud Bridge
All Cloud Bridge infrastructure is hosted within the European Economic Area (Scaleway, France/Poland). Customer Data processed through Cloud Bridge does not leave the EEA.
11.2 No Third-Country Transfers
Tacitus Systems does not transfer Customer Data to countries outside the EEA. If a transfer becomes necessary in the future (e.g., due to sub-processor changes), Tacitus Systems shall: (a) notify Customer in advance, (b) implement appropriate safeguards under GDPR Chapter V (Standard Contractual Clauses or adequacy decisions), and (c) provide Customer with the right to object and terminate.
11.3 Cortex
Data on Cortex hardware resides exclusively at Customer’s premises. No data transfers occur, as the appliance operates without external network connectivity.
12. Breach Notification
In the event of a personal data breach affecting Customer Data processed under this DPA, Tacitus Systems shall:
For the purposes of this Section, Tacitus Systems is deemed to have “become aware” of a breach at the point when a member of its security or engineering team confirms that a security incident has resulted in, or is reasonably likely to have resulted in, unauthorized access to or disclosure of Customer Data. Automated monitoring alerts alone, prior to human review and confirmation, do not start the notification clock.
- Notify Customer within 48 hours of becoming aware of the breach.
- Provide all information reasonably available regarding the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
- Cooperate with Customer in fulfilling Customer’s notification obligations under GDPR Articles 33 and 34.
- Provide a post-incident report within thirty (30) days.
13. Duration & Termination
This DPA remains in effect for the duration of the Master Service Agreement. Upon termination of the Master Service Agreement, Tacitus Systems shall process Customer Data only as necessary to fulfill its obligations under Section 10 (Data Deletion & Return) and applicable law.
14. Liability
The liability of each party under this DPA is subject to the limitations and exclusions set forth in the Master Service Agreement, Section 7.
15. Contact
For DPA-related inquiries, audit requests, or data protection questions:
Tacitus Systems Ul. Krótka 7 97-200 Tomaszów Mazowiecki Poland Email: contact@tacitussystems.com