Data Processing Addendum (DPA)

This Data Processing Addendum ("DPA") forms part of the Essence.Report Terms of Service ("Agreement") between you ("Customer", "Controller") and Cobalt Stream Technologies LLC, which operates Essence.Report ("Processor", "we"). It is incorporated into the Agreement by reference and takes effect when you accept the Agreement — no separate signature is required for standard subscriptions. Enterprise customers who need a counter-signed copy may request one from legal@essence.report (see § 16).

In the event of a conflict between this DPA and the Agreement on data protection matters, this DPA prevails.


1. Definitions

Terms used but not defined herein have the meanings given in the GDPR (Regulation (EU) 2016/679), the UK GDPR, the CCPA/CPRA, or analogous laws applicable to the processing.

  • "Personal Data" means any information relating to an identified or identifiable natural person processed by us on your behalf under the Agreement.
  • "Customer Personal Data" means Personal Data within Customer Content as defined in the Agreement.
  • "Sub-processor" means any third party engaged by us to process Customer Personal Data.

2. Roles

2.1 Customer is the Controller of Customer Personal Data.

2.2 Essence.Report is the Processor, acting only on Customer's documented instructions.

2.3 Customer obligations. Customer warrants that, for all Customer Personal Data it submits, it has a lawful basis to process the data and to provide it to us, has given the notices and obtained the consents required of a controller, and is responsible for the accuracy and quality of the data. Customer must not submit special-category data except as provided in § 3.

3. Scope and purpose of processing

  • Subject matter: AI-assisted research synthesis as described in the Agreement
  • Duration: For the term of the Agreement plus retention periods in § 6 (Data retention) of the Privacy Policy
  • Nature and purpose: Generate, store, and deliver Reports based on Customer prompts and uploaded content
  • Categories of data subjects: Individuals whose data Customer chooses to include in Customer Content
  • Categories of Personal Data: As determined by Customer; we have no visibility into specific categories submitted
  • Special categories (sensitive data): Not contemplated; Customer must not submit special-category data without first executing an addendum with us covering Article 9 processing

4. Customer instructions

4.1 The Agreement and this DPA constitute Customer's complete and final documented instructions.

4.2 Customer may issue additional written instructions via email to legal@essence.report. We will inform Customer if, in our opinion, an instruction infringes data protection law.

4.3 We will promptly notify Customer if we determine that we can no longer meet our obligations under this DPA or applicable Data Protection Law.

5. Confidentiality

5.1 We will ensure that personnel authorised to process Customer Personal Data are subject to confidentiality obligations.

5.2 Access is granted on a need-to-know basis and only to personnel who have completed data-protection training.

6. Security measures

We implement appropriate technical and organisational measures, including:

  • TLS 1.3 in transit; AES-256 at rest
  • HMAC signature verification on inter-service calls
  • Multi-factor authentication for administrative access
  • Least-privilege role-based access control
  • Audit logging of access to Customer Personal Data
  • Annual penetration testing (or equivalent)
  • Secrets rotation policy
  • Network segmentation and Web Application Firewall
  • Cost circuit breakers and anomaly detection
  • Backup encryption and secure backup deletion

See § 8 of the Privacy Policy for the current measures in force.

7. Sub-processors

7.1 Customer provides general authorisation for us to engage Sub-processors. Our current Sub-processors are listed in § 4 (How we disclose personal data) of our Privacy Policy; an up-to-date list is available from legal@essence.report on request.

7.2 Notice of new Sub-processors. We will notify Customer at least 14 days before adding a new Sub-processor. Customer may object on reasonable data-protection grounds, in which case we will work in good faith to address the concern or, failing that, Customer may terminate the affected portion of the Agreement.

7.3 We remain liable for the acts and omissions of our Sub-processors as if they were our own.

8. Data Subject rights

8.1 We will assist Customer in fulfilling Data Subject requests (access, rectification, erasure, restriction, portability, objection) by:

  • Providing technical means for Customer to action requests within the Service
  • Forwarding requests received by us directly from Data Subjects to Customer within 5 business days

8.2 We do not respond directly to Data Subject requests about Customer Personal Data unless legally required.

9. Personal Data Breach

9.1 We will notify Customer without undue delay, and in any case within 48 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data.

9.2 Notification will include, to the extent known: nature of the breach, categories and approximate numbers of data subjects and records affected, likely consequences, and measures taken or proposed.

9.3 We will cooperate with Customer's investigations and any required notifications to supervisory authorities or data subjects.

10. Data Protection Impact Assessment (DPIA)

We will provide reasonable assistance to Customer with DPIAs and prior consultations with supervisory authorities, taking into account the nature of processing and information available to us.

11. International transfers

11.1 To the extent Customer Personal Data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties agree to the European Commission's Standard Contractual Clauses (SCCs), incorporated by reference: Module 2 (Controller-to-Processor) where Customer is a controller, and Module 3 (Processor-to-Processor) where Customer acts as a processor on behalf of a third-party controller. The following selections apply:

  • Clause 7 (Docking clause): applicable
  • Clause 9(a) (Sub-processor authorisation): option 2 (general written authorisation), 14 days' notice
  • Clause 11(a) (Independent dispute resolution): not selected
  • Clause 17 (Governing law): laws of Ireland
  • Clause 18 (Forum): courts of Ireland
  • Annex I.A: Data exporter = Customer; Data importer = Essence.Report
  • Annex I.B: As described in § 3 above
  • Annex II: As described in § 6 above
  • Annex III: Sub-processors as listed in § 4 of our Privacy Policy (current list available from legal@essence.report)

11.2 For transfers from the UK, the UK International Data Transfer Addendum applies in addition to the SCCs.

12. Audits

12.1 Customer may, no more than once per year and with at least 30 days' written notice, request:

  • A copy of our most recent third-party security audit reports (e.g. SOC 2, ISO 27001) where available
  • Written responses to a reasonable security questionnaire

12.2 On-site audit is permitted in case of a suspected material breach, subject to mutual scheduling, NDA, and at Customer's cost unless the audit reveals our material non-compliance.

13. Deletion or return of Personal Data

Upon termination of the Agreement, we will delete or return all Customer Personal Data within 30 days, except where retention is required by law (see § 6 of the Privacy Policy). Customer may request earlier deletion at any time. On Customer's written request, we will certify in writing that deletion has been completed.

14. Liability

The liability provisions of the Agreement apply to this DPA. Where SCCs are incorporated, the SCCs' liability provisions apply between the parties for SCC-governed processing.

15. Effect of DPA

If any provision of this DPA conflicts with the SCCs, the SCCs prevail to the extent of the conflict. Otherwise, the Agreement remains in full force. This DPA supersedes any prior data processing agreement between the parties for the same Service.


16. Execution and acceptance

Standard subscriptions. This DPA is incorporated into the Agreement and takes effect automatically when you accept the Agreement. No signature is required; your electronic acceptance of the Agreement constitutes acceptance of this DPA.

Enterprise / counter-signed copy. If your procurement or compliance process requires a counter-signed DPA, email legal@essence.report with your account details. We will provide an execution copy for signature by both parties; that counter-signed copy supplements this published version for your account, and where specifically negotiated terms conflict, those negotiated terms govern for your account.


17. US State Privacy Laws (Service Provider terms)

These terms apply where we process Customer Personal Data subject to the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"), or an analogous US state privacy law — with Customer as the "business" (or "controller") and us as the "service provider" (or "processor").

17.1 We process Customer Personal Data only to provide the Service under the Agreement (the "business purpose") and the documented instructions in § 4.

17.2 We will not: (a) "sell" or "share" Customer Personal Data, as those terms are defined under the CCPA; (b) retain, use, or disclose Customer Personal Data for any purpose other than the business purpose, or outside the direct business relationship with Customer; (c) combine Customer Personal Data with personal information from another source, except as permitted by the CCPA; or (d) re-identify any de-identified data without Customer's written instruction.

17.3 We certify that we understand the restrictions in this § 17 and will comply with them, and we will notify Customer if we determine we can no longer do so.

17.4 Customer may take reasonable and appropriate steps under § 12 (Audits) to confirm our compliance with this § 17.