Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the RuneSignal Subscription Agreement between:

• Controller: The entity accessing RuneSignal services (the "Customer").
• Processor: RuneSignal Ltd ("RuneSignal"), the operator of the RuneSignal platform.

Capitalised terms not defined herein have the meanings set out in the Subscription Agreement. "Personal Data", "Processing", "Data Subject", and "Supervisory Authority" have the meanings given by GDPR (EU 2016/679).

RuneSignal processes Personal Data on behalf of the Customer solely to provide the RuneSignal platform services, including:

• Storing and signing AI agent action logs (provenance ledger)
• Routing human-in-the-loop approval requests
• Generating EU AI Act compliance evidence packages
• Providing anomaly detection and governance intelligence

Categories of data processed: agent identifiers, user account information (email, display name), audit event metadata, and any data fields submitted by the Customer in API payloads.

Data subjects: Customer employees, Customer's end users whose actions are audited, and AI agents registered to the Customer's tenant.

The Customer shall:

• Ensure it has a lawful basis for processing Personal Data before submitting it to the RuneSignal API.
• Provide all required notices and obtain necessary consents from data subjects.
• Not instruct RuneSignal to process Personal Data in a manner that would violate applicable law.
• Ensure that only authorised personnel access the RuneSignal dashboard and API keys.

RuneSignal shall:

• Process Personal Data only on documented instructions from the Customer, unless required to do so by EU or Member State law.
• Ensure that persons authorised to process Personal Data are bound by confidentiality obligations.
• Implement the technical and organisational measures described in Section 5.
• Not engage sub-processors without the Customer's prior written or electronic authorisation (see Section 7).
• Assist the Customer in responding to Data Subject rights requests, insofar as reasonably possible given the nature of processing.
• Notify the Customer without undue delay (and within 72 hours where feasible) upon becoming aware of a Personal Data breach affecting Customer data.
• Delete or return all Personal Data upon termination of the Subscription Agreement, at the Customer's election, within 30 days.

RuneSignal maintains the following measures:

• Encryption at rest: All data stored in Supabase (PostgreSQL) is encrypted using AES-256.
• Encryption in transit: All data transmitted via TLS 1.2 or higher.
• Cryptographic signing: Every audit event is signed with Ed25519. Signatures are immutable and append-only.
• Tenant isolation: Row-Level Security (RLS) enforced at the database layer ensures strict per-tenant data isolation.
• Access control: Multi-Factor Authentication (TOTP, AAL2) enforced for all dashboard access. API keys are stored as SHA-256 hashes only.
• Rate limiting: Per-tenant rate limits enforced at the edge to prevent abuse.
• Audit logging: All administrative access and data operations are logged to the immutable audit ledger.

RuneSignal retains Customer Personal Data for the duration of the active Subscription Agreement plus a 30-day grace period. Upon written request, RuneSignal will:

• Delete all Personal Data from live systems within 30 days of termination.
• Delete all Personal Data from backups within 90 days of termination.
• Provide written confirmation of deletion upon request.

Note: Cryptographic signatures in the immutable audit ledger may reference pseudonymised event identifiers that cannot be deleted without breaking the integrity chain. These references do not contain Personal Data in identifiable form.

RuneSignal engages the following sub-processors to provide the platform services:

RuneSignal will notify the Customer of any intended addition or replacement of sub-processors with at least 10 days' notice. The Customer may object in writing within that period.

Where Personal Data is transferred outside the European Economic Area (EEA), RuneSignal ensures an adequate level of protection through:

• Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914).
• Transfers only to sub-processors that maintain EU-equivalent adequacy under their own DPAs.

Customers with EU data residency requirements should configure their tenant to use EU-region Supabase and Vercel deployments via the Data Residency settings in the RuneSignal dashboard.

The Customer may, upon 30 days' written notice and no more than once per calendar year, request:

• A copy of RuneSignal's most recent security posture summary or third-party audit report.
• Written responses to a reasonable security questionnaire (up to 50 questions).

On-site audits require mutual agreement and are subject to reasonable confidentiality obligations.

This DPA is governed by the laws of England and Wales (for EU/UK customers) or the laws of the State of Delaware, USA (for customers outside the EU/UK), unless otherwise specified in the Subscription Agreement.

Data protection enquiries: privacy@runesignal.ai

RuneSignal Ltd, registered in England and Wales.