Legal

Data Processing Addendum

Last updated: June 15, 2026 · Effective date: June 15, 2026

This Data Processing Addendum (“DPA”) forms part of and is incorporated into the Sequesign Terms of Service or other written agreement between Sequesign Inc. (“Sequesign”) and the customer (“Customer”) that references or incorporates it (together, the “Agreement”). This DPA applies where and to the extent Sequesign processes Personal Information on Customer’s behalf in connection with the Services. Capitalized terms not defined in this DPA have the meanings given in the Agreement.

In the event of a conflict between this DPA and the Agreement with respect to the processing of Customer Personal Data, this DPA controls. In the event of a conflict between this DPA and the Standard Contractual Clauses, where applicable under Annex D, the Standard Contractual Clauses control.

1. Definitions

Applicable Data Protection Laws: all privacy and data protection laws and regulations applicable to a party’s processing of Customer Personal Data under this DPA, including U.S. state privacy laws such as the CCPA and comparable laws of Virginia, Colorado, Connecticut, Utah, Texas, and other states, and, where and to the extent applicable, the GDPR, the UK GDPR, and the Swiss Federal Act on Data Protection.

CCPA: the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act, together with its implementing regulations.

Customer Personal Data: Personal Information contained in Customer Content that Sequesign processes on Customer’s behalf under the Agreement and this DPA.

Personal Information or Personal Data: information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, and that is protected as personal information or personal data under Applicable Data Protection Laws.

Processing, Controller, Business, Processor, Service Provider, Sub-processor, Consumer, Data Subject, Sale, Share, Targeted Advertising, and Sensitive Personal Information: have the meanings given to them, or to their functional equivalents, under Applicable Data Protection Laws.

Security Incident: a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to Customer Personal Data processed by Sequesign or its Sub-processors. A Security Incident does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, such as pings, port scans, failed log-in attempts, or denial-of-service attempts that do not result in access.

Standard Contractual Clauses or EU SCCs: the standard contractual clauses for the transfer of personal data to third countries annexed to European Commission Implementing Decision (EU) 2021/914. “UK Addendum” means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner.

2. Roles and scope of processing

With respect to Customer Personal Data, Customer is the Controller or Business and Sequesign is the Processor or Service Provider. Where Customer is itself a processor acting on behalf of a third-party controller, Sequesign acts as a Sub-processor, and Customer remains responsible for its obligations to that controller.

Where Sequesign determines the purposes and means of processing, including for account administration, billing, security, fraud prevention, witness-log integrity, and operation of the Services, Sequesign acts as an independent Controller or Business, and that processing is governed by the Sequesign Privacy Policy rather than this DPA.

The subject matter, duration, nature and purpose of the processing, the types of Customer Personal Data, and the categories of Data Subjects are described in Annex A.

3. Customer instructions and responsibilities

Sequesign will process Customer Personal Data only on Customer’s documented instructions, including as set out in the Agreement and this DPA and as conveyed through Customer’s configuration and use of the Services, unless required to process by applicable law, in which case Sequesign will inform Customer of that legal requirement before processing, unless the law prohibits such notice.

Customer instructs Sequesign to process Customer Personal Data as necessary to provide and operate the Services, including storage, retrieval, verification, export, deletion, retention enforcement, security, troubleshooting, support, billing-related metadata, and compliance with law and contractual obligations.

Customer is responsible for the accuracy and lawfulness of Customer Personal Data and of its instructions, and for establishing any legal basis, notice, or consent required for Sequesign to process Customer Personal Data. In hash-only mode, Sequesign does not receive or store the underlying evidence content, and processes only cryptographic hashes and limited metadata.

Sequesign will inform Customer if, in its reasonable opinion, an instruction infringes Applicable Data Protection Laws. This does not oblige Sequesign to provide legal advice or to monitor Customer’s compliance.

4. Sequesign processing obligations

Sequesign will process Customer Personal Data only for the purposes described in Annex A and the Agreement, and not for its own purposes. Sequesign will comply with the obligations applicable to it as a Processor or Service Provider under Applicable Data Protection Laws.

5. United States state privacy laws

This Section applies to the extent the CCPA or another U.S. state privacy law applies to the processing of Customer Personal Data. With respect to that data, Sequesign is a Service Provider under the CCPA and a Processor under comparable state laws.

Sequesign will not:

Sequesign certifies that it understands the restrictions set out in this Section and will comply with them. Sequesign will provide a level of privacy protection consistent with the requirements that Applicable Data Protection Laws impose on a Service Provider or Processor.

Sequesign will notify Customer if it determines that it can no longer meet its obligations under Applicable Data Protection Laws. On reasonable notice, Customer may take reasonable and appropriate steps to stop and remediate any unauthorized use of Customer Personal Data.

Where required by Applicable Data Protection Laws, Sequesign will assist Customer in complying with consumer and data subject rights requests, in maintaining reasonable security, and in fulfilling deletion, correction, and access obligations, as further described in Sections 7, 9, and 11.

6. Confidentiality of personnel

Sequesign will ensure that personnel authorized to process Customer Personal Data are bound by appropriate obligations of confidentiality and access it only on a need-to-know basis to provide the Services.

7. Security

Sequesign will implement and maintain technical and organizational measures designed to protect Customer Personal Data appropriate to the risk, as described in Annex B. Sequesign may update its security measures from time to time, provided that the updates do not materially decrease the overall protection of Customer Personal Data.

8. Sub-processors

Customer provides Sequesign with a general authorization to engage Sub-processors to process Customer Personal Data. The Sub-processors authorized as of the effective date are listed in Annex C.

Sequesign will impose on each Sub-processor, by written contract, data protection obligations no less protective than those in this DPA, to the extent applicable to the services the Sub-processor provides. Sequesign remains responsible for the performance of its Sub-processors’ obligations under this DPA.

Sequesign will provide Customer with notice of any new or replacement Sub-processor at least 15 days before authorizing that Sub-processor to process Customer Personal Data, by updating Annex C, by a sub-processor notice, or by a mechanism that allows Customer to subscribe to updates. Customer may object to a new Sub-processor on reasonable data protection grounds by notifying Sequesign within the notice period. The parties will work together in good faith to resolve the objection. If the objection is not resolved, Customer’s sole and exclusive remedy is to terminate the affected portion of the Services in accordance with the Agreement.

9. Data subject and consumer requests

Taking into account the nature of the processing, Sequesign will assist Customer by appropriate technical and organizational measures, insofar as reasonably possible, to respond to requests by individuals to exercise their rights under Applicable Data Protection Laws, including rights of access, correction, deletion, portability, restriction, objection, and opt-out.

If Sequesign receives a request directly from an individual relating to Customer Personal Data, Sequesign will not respond to the request other than to acknowledge it or direct the individual to Customer where appropriate, and will forward the request to Customer without undue delay, unless prohibited by law.

10. Security incidents

Sequesign will notify Customer without undue delay after becoming aware of a Security Incident affecting Customer Personal Data. The notification will describe, to the extent then known and reasonably available, the nature of the Security Incident, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address it. Sequesign will provide further information as it becomes available.

Sequesign will take reasonable steps to mitigate the effects of the Security Incident and will cooperate with Customer’s reasonable requests for information needed to meet Customer’s own notification obligations. Sequesign’s notification of or response to a Security Incident is not an acknowledgment of fault or liability.

11. Deletion and return of data

On termination or expiry of the Agreement, Sequesign will, at Customer’s choice, delete or return Customer Personal Data, subject to the export window set out in the Agreement, which is at least 30 days unless a shorter period is permitted under the Agreement, and subject to any minimum retention floor, legal hold, backup cycle, or audit-log integrity requirement. After the export window, Sequesign may delete Customer Personal Data in accordance with its retention policies, backup practices, and applicable law.

Customer Personal Data retained in backups will be deleted in the ordinary course of Sequesign’s backup cycles. In hash-only mode, Sequesign holds only cryptographic hashes and limited metadata and does not hold the underlying evidence content.

12. Audits and information

Sequesign will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including through documentation describing its security measures and, where available, third-party reports, attestations, or certifications.

Where Applicable Data Protection Laws grant Customer an audit right, Customer, or an independent auditor appointed by Customer and bound by confidentiality, may audit Sequesign’s compliance with this DPA, subject to reasonable advance notice, no more than once in any 12-month period unless required by a supervisory authority or following a Security Incident affecting Customer Personal Data, during business hours, without disrupting Sequesign’s operations, without access to other customers’ data or to Sequesign’s confidential or security-sensitive information beyond what is necessary, and at Customer’s expense. The parties will first seek to satisfy audit requests through documentation and responses to reasonable questionnaires.

13. International data transfers

Sequesign processes Customer Personal Data in the United States and in other locations where it or its Sub-processors operate. As described in the Agreement and the Privacy Policy, Sequesign does not currently target or localize the Services for the European Economic Area, the United Kingdom, or Switzerland.

Hosted evidence content and other Customer Personal Data are stored and processed in the United States. Sequesign does not currently offer regional data residency or in-region storage for any particular jurisdiction. Customer is responsible for determining whether the United States storage location is appropriate for the Customer Personal Data it submits.

If and to the extent the GDPR, the UK GDPR, or the Swiss Federal Act on Data Protection applies to the processing and Customer Personal Data is transferred from those jurisdictions to a country that does not provide an adequate level of protection, the transfer mechanisms in Annex D apply, including the EU SCCs and the UK Addendum, which are incorporated into this DPA by reference when activated.

14. Impact assessments and consultation

To the extent the GDPR or UK GDPR applies, Sequesign will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities relating to the processing, taking into account the nature of the processing and the information available to Sequesign.

15. Liability

Each party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement, and any reference in the Agreement to a party’s liability means the aggregate liability of that party under the Agreement and this DPA together. Nothing in this DPA limits any liability that cannot be limited under Applicable Data Protection Laws, including, where the Standard Contractual Clauses apply, liability to data subjects under those clauses.

16. Term, survival, and general

This DPA takes effect when the Agreement incorporating it takes effect and continues for as long as Sequesign processes Customer Personal Data. Provisions that by their nature should survive, including those governing confidentiality, deletion and return, liability, and the Standard Contractual Clauses where applicable, survive termination until all Customer Personal Data has been deleted or returned.

This DPA is governed by the law and venue specified in the Agreement, except to the extent Applicable Data Protection Laws or the Standard Contractual Clauses require otherwise. If any provision of this DPA is held unenforceable, the remaining provisions remain in effect. This DPA may be executed or accepted electronically and through incorporation into the Agreement.

Annex A. Description of processing

Roles of the parties: Customer is the Controller or Business. Sequesign is the Processor or Service Provider.

Subject matter: Sequesign’s provision of the Services, a cryptographic receipt, witness, and audit-trail platform for AI agent actions.

Duration: the term of the Agreement, together with any applicable retention, export, and deletion periods described in the Agreement and this DPA.

Nature and purpose of processing: hosting, storage, retrieval, content-addressed organization, verification, witnessing, export, deletion, retention enforcement, security and abuse prevention, troubleshooting, support, billing-related metadata, and related operation of the Services.

Types of Customer Personal Data: the categories of Personal Information that Customer chooses to submit to or generate through the Services. Depending on Customer’s configuration and use, this may include identifiers, account and user identifiers, organization and workspace identifiers, agent and signing-key identifiers, identifiers of attestation participants such as approver and counterparty names, email addresses, and public keys, and any Personal Information contained in hosted evidence content or receipt metadata that Customer submits. In hash-only mode, processing is limited to cryptographic hashes and metadata. Customer controls and is responsible for the content it submits, including whether it submits Sensitive Personal Information.

Categories of Data Subjects: individuals whose Personal Information Customer chooses to submit to or process through the Services, which may include Customer’s personnel, administrators, end users, counterparties, and any individuals whose data appears in the evidence content or receipt metadata Customer submits.

Frequency of processing: continuous, as directed by Customer’s configuration and use of the Services.

Annex B. Technical and organizational measures

Sequesign maintains technical and organizational measures designed to protect Customer Personal Data appropriate to the risk, including the following:

Sequesign may update these measures from time to time, provided the updates do not materially decrease the overall protection of Customer Personal Data.

Annex C. Approved sub-processors

The following Sub-processors are authorized to process Customer Personal Data as of the effective date of this DPA:

Sub-processor Service or role Processing location
Cloudflare Object storage, content delivery, security, and related infrastructure United States
Fly.io Application hosting United States
Railway Landing page and marketing website hosting United States
Neon Managed PostgreSQL database hosting United States
Stripe Payment processing and billing United States
WorkOS Authentication and single sign-on United States
Resend Transactional and notification email delivery United States
Microsoft Business email and productivity United States

Annex D. European, UK, and Swiss transfers

This Annex applies only if and to the extent the GDPR, the UK GDPR, or the Swiss Federal Act on Data Protection applies to the processing of Customer Personal Data under this DPA. It does not otherwise impose obligations on the parties.

EU transfers

Where the GDPR applies and Customer Personal Data is transferred from the European Economic Area to a country without an adequacy decision, the EU SCCs are incorporated into this DPA and apply as follows: Module Two (Controller to Processor) applies; where Customer acts as a processor, Module Three (Processor to Processor) applies; the optional docking clause in Clause 7 applies; in Clause 9, Option 2 (general written authorization) applies, with the notice period stated in Section 8 of this DPA; the optional language in Clause 11 does not apply; Clause 17 is governed by the law of Ireland unless otherwise required; and the supervisory authority and forum under Clause 18 are those of the relevant member state. Annexes I, II, and III of the EU SCCs are populated by Annex A, Annex B, and Annex C of this DPA, respectively.

UK transfers

Where the UK GDPR applies, the UK Addendum is incorporated into this DPA and applies to the relevant transfer, with the EU SCCs completed as set out above and the UK Addendum’s tables populated by the corresponding information in this DPA.

Swiss transfers

Where the Swiss Federal Act on Data Protection applies, the EU SCCs apply with the adjustments needed for Swiss law, including references to the GDPR being read as references to the Swiss Act where appropriate, and the competent supervisory authority being the Swiss Federal Data Protection and Information Commissioner.

Acceptance

This DPA is incorporated into and forms part of the Agreement. Where a signed copy is required, the parties may execute it below.

Customer Sequesign Inc.
Signature: Signature:
Name: Name:
Title: Title:
Date: Date: