Data Processing Agreement

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person as defined in the GDPR. "Processing" means any operation performed on Personal Data. "Controller" means the entity determining the purposes and means of Processing. "Processor" means the entity Processing Personal Data on behalf of the Controller.

2. Scope of Processing

OmegaEngine processes decision metadata on behalf of the Customer. Decision payloads may contain Personal Data depending on the Customer's use case. OmegaEngine acts as a Processor when handling such data.

3. Data Security

• All data encrypted at rest with AES-256
• All data encrypted in transit with TLS 1.3
• Access controls with role-based permissions
• Continuous automated adversarial testing of our own decision pipeline
• SOC 2-aligned controls (not yet independently audited)

4. Sub-processors

OmegaEngine is BYOK-only: we never send your decision data to LLM providers — you call your own provider (OpenAI, Anthropic, Google, Mistral, etc.) directly with your own API key, so that provider is your sub-processor, not ours. Customer will be notified of changes to sub-processors with 30 days notice.

• Vercel — application hosting and edge compute
• Supabase — PostgreSQL database hosting
• Upstash — Redis (rate limiting, entitlements)
• Stripe — payment processing
• PostHog — product analytics
• Sentry — error monitoring

5. Data Retention

Decision audit trails are retained for 90 days by default. Enterprise customers may configure custom retention periods. Data is permanently deleted upon account termination upon request.

6. Data Subject Rights

OmegaEngine will assist Customer in responding to data subject requests including access, rectification, erasure, and portability. Requests should be directed to privacy@omegaengine.ai.