Intentra

Data Processing Agreement

Version 1.0 — Effective February 14, 2026

This Data Processing Agreement ("DPA") forms part of and supplements the Terms of Service between AB Foundry LLC dba Intentra ("Intentra", "Processor") and the customer entity ("Customer", "Controller") that has agreed to the Terms of Service.

1. Introduction and Scope

This DPA applies when Intentra processes personal data on behalf of the Customer as a data processor in the course of providing the Intentra platform and related services. This DPA is incorporated into and supplements the Terms of Service entered into between Intentra and the Customer.

Definitions

  • Controller means the Customer, who determines the purposes and means of processing personal data.
  • Processor means AB Foundry LLC dba Intentra, which processes personal data on behalf of the Controller.
  • Data Subjects means the identified or identifiable natural persons whose personal data is processed.
  • Personal Data means any information relating to a Data Subject that is processed by Intentra on behalf of the Customer in connection with the Services.
  • Processing means any operation or set of operations performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, combination, restriction, erasure, or destruction.

2. Scope of Processing

Subject Matter

The subject matter of data processing under this DPA is the provision of AI Coding Observability services through the Intentra platform, as described in the Terms of Service.

Duration

Processing will continue for the duration of the agreement between Intentra and the Customer, as defined in the Terms of Service, unless otherwise agreed in writing.

Nature and Purpose

Intentra processes personal data for the following purposes:

  • Scan metadata processing and aggregation
  • Cost calculation and reporting
  • Anomaly detection and alerting
  • Account management and authentication
  • Providing customer support

Types of Personal Data

  • Email addresses
  • Account identifiers
  • Device identifiers
  • Usage metadata (timestamps, token counts, model identifiers)
  • IP addresses (logged but not stored long-term)
  • Organization names

Categories of Data Subjects

  • Customer employees
  • Authorized users of the Customer's Intentra account

3. Customer Obligations

The Customer, as Controller, shall:

  • Ensure there is a lawful basis for the processing of personal data under applicable data protection laws, including but not limited to the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
  • Provide documented instructions to Intentra regarding the processing of personal data. In the absence of specific instructions, the Terms of Service and this DPA constitute the Customer's complete instructions.
  • Comply with all applicable data protection laws with respect to the personal data processed under this DPA.
  • Inform Intentra promptly if any processing instruction infringes applicable data protection laws.

4. Intentra Obligations

Intentra, as Processor, shall:

  • Process personal data only on documented instructions from the Customer, including with respect to transfers of personal data to a third country or international organization, unless required to do so by applicable law.
  • Ensure that all personnel authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organizational security measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

Security Measures

Intentra maintains the following security measures:

  • Encryption at rest using AES-256 for all stored personal data
  • Encryption in transit using TLS 1.2 or higher for all data transmissions
  • Access controls based on the principle of least privilege, with role-based access management
  • Regular security assessments including vulnerability scanning and penetration testing
  • No access to sensitive content — Intentra never accesses, stores, or processes prompts, source code, or AI responses

5. Subprocessors

The Customer acknowledges and agrees that Intentra may engage third-party subprocessors to assist in providing the Services. A current list of subprocessors is available at intentra.sh/legal/subprocessors.

  • Intentra will notify the Customer at least 30 days before engaging any new subprocessor, providing details of the processing to be undertaken.
  • The Customer may object to a new subprocessor within 14 days of receiving notice. If the Customer objects and Intentra cannot reasonably accommodate the objection, either party may terminate the affected Services.
  • Intentra ensures that all subprocessors are bound by data protection obligations no less protective than those set out in this DPA.

6. Data Subject Rights

Intentra will assist the Customer in fulfilling its obligation to respond to requests from Data Subjects exercising their rights under applicable data protection laws, including rights of access, rectification, erasure, restriction, portability, and objection.

  • Intentra will respond to Customer assistance requests within a reasonable timeframe, not to exceed 15 business days.
  • Intentra may charge reasonable fees for assistance with Data Subject requests that are manifestly unfounded, excessive, or repetitive.
  • If Intentra receives a request directly from a Data Subject, it will promptly notify the Customer and will not respond to the request without the Customer's authorization, unless required by law.

7. Data Breach Notification

Intentra will notify the Customer without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach affecting the Customer's data. The notification will include:

  • A description of the nature of the breach, including the categories and approximate number of Data Subjects and personal data records affected
  • The name and contact details of the point of contact for further information
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

Intentra will cooperate with the Customer and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of each such breach.

8. Data Return and Deletion

  • Upon termination or expiration of the Terms of Service, Intentra will delete or return all personal data processed on behalf of the Customer within 30 days, unless applicable law requires further storage.
  • The Customer may request an export of its data in a standard, machine-readable format prior to termination.
  • Intentra may retain personal data to the extent required by applicable law, and only for the period and purposes required by such law. Any retained data will remain subject to the protections of this DPA.

9. Audits

The Customer may audit Intentra's compliance with this DPA, subject to the following conditions:

  • The Customer must provide at least 30 days' written notice of an audit request.
  • Audits will be conducted during normal business hours and will not unreasonably interfere with Intentra's operations.
  • Intentra may satisfy audit requests by providing SOC 2 Type II reports, ISO 27001 certification, or equivalent independent third-party audit reports as an alternative to on-site audits.
  • The Customer shall bear its own costs of any audit, unless the audit reveals a material breach of this DPA by Intentra.

10. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set forth in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of applicable data protection laws to the extent such limitation is not permitted by law.

11. Term and Termination

This DPA becomes effective when the Customer agrees to the Terms of Service and remains in effect for the duration of the Terms of Service. Upon termination of the Terms of Service, this DPA will automatically terminate, except for those provisions that by their nature should survive termination, including but not limited to obligations regarding data return and deletion (Section 8), liability (Section 10), and confidentiality.

12. Contact

For questions or concerns about this Data Processing Agreement, contact us at [email protected].
