Data Processing Addendum
Effective Date: February 7, 2026
[[SQUARE_BRACKETS]] must be replaced before launch.Current effective date shown on this page: February 7, 2026This Data Processing Addendum (this "DPA") forms part of the agreement between [[LEGAL_COMPANY_NAME]], a [[JURISDICTION]] entity ("Processor", "we", "us", or "FractionalRisk.ai"), and the customer identified in the relevant order form or online sign-up ("Controller" or "Customer") governing use of the FractionalRisk.ai platform (the "Service").
This DPA applies to the extent Customer's use of the Service involves the Processing of Personal Data (as defined in Regulation (EU) 2016/679 – the "GDPR", the UK GDPR and the UK Data Protection Act 2018, and, where applicable, the California Consumer Privacy Act as amended by the CPRA – "CCPA", and any other applicable Data Protection Laws).
A signed PDF version of this DPA is available on request from legal@fractionalrisk.ai. EU Standard Contractual Clauses (SCCs, module two) and the UK IDTA are incorporated by reference and can be countersigned as an annex.
1. Definitions
Capitalised terms not defined here have the meaning given in the GDPR or in the main services agreement between the parties. In particular:
- "Customer Personal Data" means Personal Data contained within Customer Data that FractionalRisk.ai Processes on behalf of the Customer under this DPA.
- "Sub-processor" means any third party engaged by FractionalRisk.ai to Process Customer Personal Data.
- "Data Subject Request" means a request from a Data Subject to exercise rights under applicable Data Protection Laws.
2. Roles & Scope of Processing
Customer is the Controller of Customer Personal Data. FractionalRisk.ai acts as Processor. FractionalRisk.ai Processes Customer Personal Data only:
- To provide, maintain, and secure the Service in accordance with the main services agreement;
- To comply with Customer's documented and lawful instructions;
- As required by applicable law (in which case FractionalRisk.ai will inform Customer of that requirement, unless legally prohibited).
The subject-matter, duration, nature, purpose, and categories of Data Subjects & Personal Data Processed are described in Annex I below.
3. Customer Instructions
Customer's use of the Service — including its configuration, feature choices, and data uploads — constitutes documented instructions to Process Customer Personal Data. If FractionalRisk.ai believes an instruction infringes applicable Data Protection Laws, it will inform Customer without undue delay.
4. Confidentiality of Processing
FractionalRisk.ai ensures that every person authorised to Process Customer Personal Data is bound by written confidentiality obligations that survive the termination of their engagement.
5. Security of Processing
FractionalRisk.ai has implemented and maintains the technical and organisational security measures described in Annex II below, including encryption at rest and in transit, tenant database isolation, role-based access control, brute-force protection, immutable audit logs, and per-tenant LLM rate limits.
FractionalRisk.ai will assist Customer with the security-related obligations imposed on Customer by GDPR Articles 32–36 taking into account the nature of the Processing and the information available.
Customer grants FractionalRisk.ai general written authorisation to engage Sub-processors. The current list of Sub-processors is maintained in Annex III. FractionalRisk.ai will notify Customer of any intended addition or replacement of a Sub-processor at least thirty (30) days in advance and give Customer the opportunity to object on reasonable grounds related to data protection.
FractionalRisk.ai will impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA and remains liable to Customer for the Sub-processor's performance.
7. Data Subject Requests
Taking into account the nature of the Processing, FractionalRisk.ai will provide reasonable assistance — including appropriate technical and organisational measures, insofar as this is possible — to enable Customer to fulfil its obligation to respond to Data Subject Requests within statutory time limits. If a Data Subject contacts FractionalRisk.ai directly, we will forward the request to Customer without undue delay and will not respond to it ourselves except to acknowledge receipt.
8. Personal Data Breach Notification
FractionalRisk.ai will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and in any event within seventy-two (72) hours of confirmed detection. The notification will include, to the extent then known, the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address it.
Where FractionalRisk.ai Processes Customer Personal Data outside the European Economic Area, the United Kingdom, or Switzerland, such transfers are governed by the applicable Standard Contractual Clauses adopted by the European Commission (Decision 2021/914 – Module Two, Controller-to-Processor) and, for the United Kingdom, the ICO's International Data Transfer Addendum ("UK IDTA"), each incorporated by reference. The parties' respective roles and contact details for the purpose of the SCCs are as specified in Annex I.
Docking Clause 7 is agreed. Optional language in Clause 11(a) is not selected. The governing law under Clause 17 is the law of [[JURISDICTION]]. The competent supervisory authority under Clause 13 is the supervisory authority of [[SUPERVISORY_AUTHORITY]].
10. Audit & Compliance Verification
Customer may verify FractionalRisk.ai's compliance with this DPA once per twelve-month period, at Customer's expense, on thirty (30) days' prior written notice, during regular business hours, and without unreasonably interfering with FractionalRisk.ai's business. FractionalRisk.ai will satisfy its obligations under this section by making available, on request, the most recent SOC 2 report and equivalent third-party attestations.
11. Deletion & Return of Data
Upon termination or expiry of the services agreement, FractionalRisk.ai will, at Customer's election, return or delete all Customer Personal Data within thirty (30) days, and delete existing copies (except to the extent applicable law requires their retention). Anonymised, aggregated data that no longer identifies a Data Subject may be retained for statistical purposes.
12. Liability
Each party's total liability arising out of or related to this DPA, whether in contract, tort, or otherwise, is subject to the limitations and exclusions of liability set out in the main services agreement.
13. Order of Precedence
In the event of a conflict between this DPA and the main services agreement, this DPA prevails to the extent of the conflict, except that the SCCs prevail over any conflicting provision of this DPA.
Annex I — Description of Processing
Data exporter (Controller): Customer, as identified in the order form.
Data importer (Processor): [[LEGAL_COMPANY_NAME]], [[REGISTERED_ADDRESS]].
Data Protection contact: privacy@fractionalrisk.ai
Categories of Data Subjects: Customer's employees, contractors, board members, and other authorised users; participants and observers invited to Tabletop Exercises; individuals identified in Customer-uploaded documents (loss runs, claims files, policy documents, culture surveys).
Categories of Personal Data: name, work email, job title, organisation, role assignments, login timestamps, IP addresses, browser/OS, decisions and messages posted during Tabletop Exercises, and any Personal Data included in Customer-uploaded documents.
Special-category data: not intended. Customer must not upload Special-category data unless it has notified FractionalRisk.ai in writing and additional safeguards have been agreed.
Frequency of Processing: continuous for the duration of the services agreement.
Retention: Customer Personal Data is retained while the services agreement is active. Audit logs retained for the greater of (a) three (3) years or (b) the period required by applicable law.
Purpose of Processing: to provide the FractionalRisk.ai enterprise risk management platform, including AI-assisted risk analysis, tabletop exercises, after-action reporting, and governance workflows.
Annex II — Technical & Organisational Measures
Access control: unique user accounts, bcrypt-hashed passwords, brute-force lockout, role-based access control at the API layer, tenant scoping via ContextVar so requests can never read another tenant's data.
Data segregation: per-tenant MongoDB databases; cross-tenant queries are architecturally impossible.
Encryption: TLS 1.2+ for all data in transit; at-rest encryption on the underlying storage provider; secrets stored only in environment variables, never in source control.
Logging & monitoring: immutable audit trail of security-relevant events (login, password reset, role change, tenant switch, Tabletop transcript entries); rate limiting on authentication and LLM endpoints.
AI safeguards: per-tenant LLM token budget with automatic throttling; prompts are constructed server-side and never include cross-tenant context; model provider (OpenAI, Anthropic, or their successors) is contractually barred from using Customer prompts for model training.
Vulnerability management: dependencies scanned by ruff / eslint / npm audit on every commit; production deployment blocked on critical severity findings.
Backup & recovery: daily automated backups of every tenant database with point-in-time restore available on request. Tested restoration at least annually.
Third-party attestations: SOC 2 Type 1 [[STATUS: pursued / obtained YYYY-MM-DD]] via [[AUDITOR_NAME]].
Annex III — Approved Sub-processors
The current list of Sub-processors engaged by FractionalRisk.ai:
| Sub-processor | Service provided | Data processed | Hosting region |
|---|---|---|---|
| Emergent Labs | Application hosting & container orchestration | All Customer Personal Data | United States |
| MongoDB, Inc. (Atlas) | Database as a service | All Customer Personal Data at rest | [[MONGO_REGION]] |
| OpenAI, L.L.C. | Large-language-model inference (via Emergent LLM Key) | Prompt content — excluded from training under API terms | United States |
| Anthropic, PBC | Large-language-model inference (conditional on Customer election) | Prompt content — excluded from training under API terms | United States |
| Resend, Inc. | Transactional email delivery (magic-link invitations, notifications) | Recipient email, name, exercise metadata | United States |
Additions or replacements to this list will be announced at least thirty (30) days in advance via email to each tenant's Platform Admin(s).
Execution
This DPA takes effect on the effective date of the main services agreement and continues until Customer's use of the Service ends and all Customer Personal Data has been returned or deleted in accordance with Section 11.
A counter-signed PDF is available on request. Digital counter-signatures (DocuSign / Adobe Sign) are accepted.
