Data Processing Addendum

The terms under which Cord4 acts as a processor for customer data — aligned with GDPR, UK GDPR, India DPDP Act and CCPA/CPRA.

Last updated · April 2026 · Cord4 Technologies

In plain English

When we operate systems on your behalf, you stay the data controller and we act as processor under GDPR, DPDP and equivalent laws. Our obligations, subprocessor list, transfer mechanisms, AI-specific commitments and audit rights are all set out below.

01

Purpose of this DPA

This Data Processing Addendum (“DPA”) supplements the Master Services Agreement (MSA) between Cord4 and the Customer, and governs any processing of personal data that Cord4 performs as a processor on the Customer's behalf. It applies to engagements subject to the EU/UK GDPR, the India DPDP Act 2023, the California CCPA/CPRA, and any similar framework the parties identify.

02

Roles of the parties

The Customer is the data controller and determines the purpose and means of processing. Cord4 acts as the data processor and processes personal data only on documented instructions from the Customer — which are set out in the applicable Statement of Work (SOW).

03

Nature, scope & categories

Unless varied by the SOW, the default processing scope is:

  • Subject matter. Software development, operations and support services.
  • Duration. The term of the MSA plus any mutually agreed return / deletion period.
  • Nature & purpose. Engineering, QA, hosting administration, incident response, analytics and AI-workload operation.
  • Data categories. Identification data, contact data, professional data, usage/telemetry, and any additional categories identified in the SOW. Special categories of data are processed only when the SOW explicitly requires it.
  • Data subjects. Customer's end users, employees, contractors and prospects.

04

Cord4's obligations as processor

  • Process personal data only on the Customer's documented instructions;
  • Bind every employee and contractor with a confidentiality obligation;
  • Implement the technical and organisational measures described on our Security page and in Annex II of this DPA;
  • Assist the Customer with data-subject requests, DPIAs and regulator consultations to the extent required;
  • Notify the Customer of a personal data breach without undue delay after becoming aware of it, and in any event no later than 72 hours thereafter;
  • At the Customer's election, return or irreversibly delete personal data at the end of the engagement.

05

Subprocessors

The Customer grants Cord4 a general authorisation to engage subprocessors, subject to written flow-down obligations that are no less protective than this DPA. A current list is available on request from [email protected] and typically includes cloud infrastructure providers (AWS, GCP, Vercel, Cloudflare), communication tools (Slack, Google Workspace, Microsoft 365), engineering tooling (GitHub, Linear, Sentry), and, for AI workloads, frontier model providers engaged under zero-retention terms (Anthropic, OpenAI, Google).

We notify customers of material subprocessor changes at least 30 days in advance, giving a right to object on reasonable grounds.

06

International transfers

Where personal data is transferred outside the UK, the EEA or India, Cord4 relies on an adequacy decision or executes the relevant Standard Contractual Clauses and, for transfers of UK data, the UK International Data Transfer Addendum, and provides a Transfer Impact Assessment on request. For EU customers who require EU-only processing, we operate in the EU regions of our cloud providers.

07

Security measures

The measures in Annex II of this DPA mirror our Security page — encryption in transit and at rest, least-privilege access, code review, dependency scanning, background-checked personnel, logging, backups, tested incident response, and SOC 2 / ISO 27001-aligned controls.

08

AI-specific commitments

  • For third-party models, we use only API tiers that offer zero data retention and do not train on customer inputs;
  • We keep a record of every model / prompt / dataset combination used in a client workload, for the engagement's duration plus 12 months;
  • We run evaluation and prompt-injection regression suites before any prompt or model change reaches production;
  • For regulated data, we isolate retrieval indices per tenant and apply PII redaction at the gateway.

09

Audit rights

Customers may verify compliance by requesting our latest SOC 2 Type II or ISO/IEC 27001 report. For material engagements, customers may additionally commission an on-site audit at reasonable intervals, on 30 days' notice and at their own expense, conducted under confidentiality by a mutually agreed qualified auditor.

10

Liability & governing law

Liability under this DPA is subject to the cap and exclusions in the MSA, unless applicable law provides otherwise. Governing law and venue match those in the MSA.

11

Signing the DPA

If you need a signed counterpart, email [email protected] with your entity name, the client / project it attaches to, and any required variations. We counter-sign within 2 business days.

Still have questions?

Reach our team at [email protected]. We respond within 24 hours on business days.
