Data processing addendum.
This Data Processing Addendum (“DPA”) forms part of the agreement between Augur AI, Inc. (“Augur,” the “Processor”) and the customer (the “Controller”) governing the processing of Personal Data in connection with the Augur Service. Where the customer’s Master Services Agreement and this DPA conflict, this DPA controls for matters of data protection.
1. Definitions
Terms not defined here have the meanings given in the GDPR. “Data Protection Laws” means the GDPR, the UK GDPR, the California Consumer Privacy Act (CCPA), and other applicable laws relating to the processing of personal data. “Personal Data” means personal data as defined in the GDPR, processed by Augur on behalf of the Controller. “Sub-processor” means any third party engaged by Augur to process Personal Data.
2. Roles and scope
The Controller is the data controller of the Personal Data processed via the Service. Augur is a data processor acting on the Controller’s documented instructions. The subject matter, duration, nature, and purpose of the processing, and the categories of data subjects and personal data, are set out in Annex A.
3. Processor obligations
Augur will:
- Process Personal Data only on documented instructions from the Controller, including those in the MSA and this DPA.
- Ensure persons authorized to process Personal Data are bound by confidentiality obligations.
- Implement and maintain the technical and organizational measures described in Annex B.
- Engage sub-processors only as permitted by Section 5.
- Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures in fulfilling its obligation to respond to requests for exercising data-subject rights.
- Notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA.
- At the Controller’s choice, delete or return all Personal Data after the end of the provision of the Service, unless retention is required by law.
4. Controller obligations
The Controller represents and warrants that:
- It has all necessary rights and lawful bases to provide the Personal Data to Augur for processing under this DPA.
- Its instructions to Augur comply with all Data Protection Laws.
- It has provided all required notices and obtained all required consents from data subjects.
- It will respond promptly to data-subject requests and to inquiries from data protection authorities.
5. Sub-processors
The Controller authorizes Augur to engage the sub-processors listed in Annex C. Augur will notify the Controller of any intended additions or replacements at least thirty (30) days in advance, giving the Controller a reasonable opportunity to object.
Augur enters into written contracts with each sub-processor imposing data-protection terms substantially equivalent to those in this DPA. Augur remains responsible for the acts and omissions of its sub-processors as if they were Augur’s own.
6. International transfers
Where Augur transfers Personal Data outside the EEA, UK, or Switzerland to a country not subject to a relevant adequacy decision, the transfer is governed by the Standard Contractual Clauses (Module Two, Controller-to-Processor, EU 2021/914), incorporated by reference into this DPA. For UK transfers, the UK International Data Transfer Addendum applies in addition.
7. Audits
The Controller may, no more than once per year and on at least 30 days’ written notice, audit Augur’s compliance with this DPA. Augur will reasonably cooperate, including making available documentation, completing security questionnaires, and (where necessary) permitting an on-site audit. Audits at Augur’s premises are subject to a confidentiality agreement and may be conducted by the Controller or a qualified third-party auditor bound by similar obligations.
8. Liability
The liability of each party under this DPA is subject to the limitations and exclusions in the underlying MSA.
9. Term
This DPA takes effect on the effective date of the MSA and continues for as long as Augur processes Personal Data on the Controller’s behalf. Sections that by their nature survive termination (Confidentiality, Notification of breaches, Audits, Liability) remain in effect after this DPA ends.
Annex A — Description of processing
| | |
|---|---|
| Subject matter | Provision of the Augur federal procurement intelligence platform. |
| Duration | Term of the MSA, plus the deletion grace period in Section 3. |
| Nature and purpose | Hosting, storage, retrieval, display, and search of Controller content; account management; audit logging. |
| Categories of data subjects | Controller’s authorized users (employees and contracted personnel). |
| Categories of personal data | Work email addresses, hashed passwords, role and status flags, session metadata, audit-log entries (timestamp, action, IP, user agent), and any content uploaded into the watchlist or preferences fields. |
| Special categories | None expected. Controller agrees not to upload special-category data (GDPR Art. 9) into the Service. |
Annex B — Technical and organizational measures
Summarized below; full detail is on our Security page.
- Access control: per-user accounts, server-side role checks, no shared service accounts in the customer plane.
- Encryption: TLS 1.2+ in transit; D1 storage encrypted at rest by Cloudflare. Passwords stored as PBKDF2-SHA-256 hashes with per-user salts and 100,000 iterations.
- Network security: strict CSP, HSTS, Permissions-Policy. No inline scripts on app pages. No third-party JavaScript anywhere in the signed-in surface.
- Logging: immutable activity log captures every auth event, role change, password change, and watchlist mutation.
- Tenant isolation: per-customer Cloudflare Pages project + per-customer D1 database. No cross-tenant query path.
- Personnel: all Augur personnel with access to production systems are bound by written confidentiality obligations and complete annual security training.
- Incident response: documented runbooks; 72-hour breach notification commitment in Section 3.
Annex C — Authorized sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Hosting (Pages, Workers, D1), DNS, TLS, DDoS mitigation | USA (global edge) |
| GSA / SAM.gov | Public procurement data source (proxied requests) | USA |
| Google LLC (Google Fonts) | Web font delivery for the marketing site and login page only | USA (global) |
Up-to-date sub-processor list and changes: Privacy Policy §5.
Contact
Data protection: dpa@augurai.app
Privacy: privacy@augurai.app