# Data Processing Agreement v1.0

**Parties:** Informis Labs (Processor) · P.IVA 05049350266 · Treviso (TV) · Italy
**Customer:** [Customer legal name] (Controller)
**Effective date:** [DATE]

## 1. Subject matter

Processor provides AI-assisted IT decision analysis services as described
in the Order Form. Processing is necessary to perform the contracted service.

## 2. Nature and purpose

Analysis of IT incident data, risk assessments, policy documents provided
by Controller. Duration: for the term of the service agreement.

## 3. Type of personal data

May include: IT system identifiers, incident descriptions, personnel role
references. No special category data (Art. 9 GDPR) is required or expected.

## 4. Sub-processors

| Sub-processor | Location | Purpose | DPA link |
|---|---|---|---|
| OpenAI, Inc. | US | LLM inference (Analyst node) | https://openai.com/policies/data-processing-addendum |
| Anthropic PBC | US | LLM inference (Critic node) | https://www.anthropic.com/legal/dpa |
| Google DeepMind | US/EU | LLM inference (Synthesizer node) | https://cloud.google.com/terms/data-processing-addendum |
| Moonshot AI (Kimi) | CN/EU endpoints | LLM inference (coverage validation) | [link when available] |
| Railway | US | Backend hosting | https://railway.app/legal/dpa |
| Vercel | US/EU | Frontend CDN | https://vercel.com/legal/dpa |

## 5. Data retention

Uploaded documents: deleted within 24 hours of analysis completion.
Analysis metadata (Evidence Pack): retained for 90 days; configurable per tenant.

## 6. Security measures (Art. 32 GDPR)

Encryption in transit (TLS 1.3), encryption at rest (AES-256),
access control (RBAC), audit logging.

## 7. Data subject rights

Controller is responsible for handling data subject requests.
Processor assists within 72 hours of documented request.

## 8. Governing law

Italian law; jurisdiction: Court of Treviso.

---
*This is a template v1.0. Have your legal counsel review before first MSA signing.*