Data Processing Addendum

This DPA forms part of the Terms of Service between you (the data controller) and DB AI Magic (the data processor). It governs how we process personal data on your behalf when you use the service.

Effective date: May 1, 2026

1. Definitions

Capitalised terms used here have the meaning given in applicable data protection law (GDPR, UK GDPR, CCPA as applicable). “Customer Data” means personal data processed by DB AI Magic on the Customer's behalf through the service.

2. Roles & scope

The Customer is the controller (or processor) of Customer Data. DB AI Magic is the processor (or sub-processor). This DPA applies to all processing of Customer Data by DB AI Magic during the term of the Terms of Service.

3. Processing instructions

DB AI Magic will process Customer Data only on documented instructions from the Customer, including: (i) as required to provide the service in accordance with the Terms; (ii) as documented in feature configuration and admin actions; (iii) as required by law, with prior notice to the Customer where permitted.

4. Confidentiality

All personnel authorised to process Customer Data are bound by written confidentiality obligations and trained on data protection at least annually.

5. Security measures

DB AI Magic implements the technical and organisational measures described at /legal/security, which include:

  • AES-256-GCM encryption of stored credentials, AES-256 at-rest for all managed storage, TLS 1.2+ in transit.
  • Role-based access control, least-privilege production access, immutable audit logging.
  • Vulnerability management, dependency scanning, quarterly restore drills, annual third-party penetration testing.

6. Sub-processors

The Customer authorises DB AI Magic to engage the sub-processors listed at /legal/security#subprocessors. We'll give at least 30 days' prior notice of any new sub-processor that handles Customer Data, and the Customer may object on reasonable data-protection grounds.

DB AI Magic remains responsible for sub-processors' acts and omissions to the same extent as if they were its own.

7. Data subject requests

DB AI Magic will provide reasonable assistance to the Customer in responding to requests from data subjects to exercise their rights (access, rectification, erasure, restriction, portability, objection). Most of these can be served directly from in-product admin tooling.

8. Personal data breach notification

DB AI Magic will notify the Customer without undue delay (and in any event within 72 hours of becoming aware) of any personal data breach affecting Customer Data, with the information required by Article 33(3) GDPR to the extent known at the time.

9. International data transfers

Where transfers of Customer Data outside the EEA / UK / Switzerland take place, the parties rely on the EU Standard Contractual Clauses (Module 2 or 3, as applicable) and the UK International Data Transfer Addendum, which are deemed incorporated into this DPA.

10. Audits

DB AI Magic will make available to the Customer, on request, the information necessary to demonstrate compliance with this DPA, including current security certifications and penetration-test summaries. On-site audits may be performed once per calendar year on reasonable notice and during business hours.

11. Deletion or return of data

On termination of the Terms, DB AI Magic will, at the Customer's choice, delete or return all Customer Data within 30 days, except where retention is required by law. Encrypted backups are purged within a further 30 days.

12. Annex — categories of data & data subjects

  • Data subjects: the Customer's employees, contractors and end users whose personal data is contained in the databases the Customer connects to the service.
  • Categories of data: determined by the Customer. May include identifiers, contact information, account data, transaction data, and any other category the Customer chooses to query or store.
  • Nature & purpose of processing: providing a database IDE, query execution, dashboards, scheduled reports and AI features.
  • Duration of processing: for the term of the Terms of Service and as required to provide the service.