Data Processing Addendum

Defining our commitment to data protection and compliance.

This Data Processing Addendum (“DPA”) forms part of the agreement between Storita.ai and its customers and governs the processing of personal data on behalf of the customer.

Roles of the Parties

  • The customer is the Data Controller
  • Storita.ai is the Data Processor

Scope of Processing

Storita.ai processes personal data solely to provide the services as instructed by the customer through configuration and usage of the platform.

Processor Obligations

Storita.ai shall:

  • Process data only on documented customer instructions
  • Ensure confidentiality of personal data
  • Implement appropriate security measures
  • Not sell or commercially exploit customer data
  • Not use customer data to train foundation AI models

Subprocessors

Storita.ai may engage subprocessors to provide parts of the service, including AI processing and observability tools.

Current subprocessors include:

  • Third-party AI model providers as listed on the Trust Center page

Storita.ai also uses self-hosted open-source tools (e.g. Langfuse) for observability; these do not transmit data to third parties.

Storita.ai remains responsible for subprocessors’ compliance with this DPA.

Security Measures

Security measures include:

  • Encryption in transit (TLS)
  • API keys and credentials encrypted at rest (Fernet symmetric encryption)
  • Role-based access controls (admin, owner, manager, member)
  • Logged administrative access

Data Subject Rights

Storita.ai will assist customers in responding to data subject requests where technically feasible.

Data Breach Notification

Storita.ai will notify the customer without undue delay upon becoming aware of a personal data breach affecting customer data.

Data Retention & Deletion

Upon termination:

  • Customer data is deleted from production systems
  • Backups may persist until routine rotation (up to 30 days)

International Transfers

Where personal data is transferred internationally, Standard Contractual Clauses (SCCs) or equivalent safeguards are applied.

Compliance

This DPA is intended to comply with:

  • GDPR
  • CCPA / CPRA