Sielum

Data Processing Agreement (DPA)

Pursuant to Art. 28 GDPR — Version 2.0, April 2026

This agreement is entered into between your organisation (Controller) and CyberCitizen UG (haftungsbeschränkt) (Processor). A completed and countersigned copy is provided upon contract conclusion. To request a DPA, contact legal@sielum.io.

§1 Subject Matter and Duration

1.1 This Agreement governs the processing of personal data by the Processor on behalf of the Controller in connection with the operation of the Sielum SaaS service pursuant to Art. 28 GDPR.

1.2 This Agreement remains in force for the duration of the main service agreement.

1.3 After termination of the main agreement, the provisions of this Agreement remain in effect until all personal data has been fully deleted.

§2 Nature, Purpose and Scope of Processing

Purpose: Operation of the Sielum SaaS infrastructure on Hetzner Cloud (Germany) to enable the Controller to monitor and govern the use of AI coding tools on company-managed endpoints for IT security purposes.

Nature of processing: Collection, storage, retrieval and deletion of telemetry data from endpoint agents deployed by the Controller.

Data subjects: Employees of the Controller operating company-managed devices with the Sielum agent installed.

Categories of personal data:

| Category | Description |
|---|---|
| Process information | AI agent process names, CPU/memory usage, OS username |
| Network connection metadata | Outbound connections to AI API domains (domain, IP, connection state) |
| AI tool configuration | MCP server names and tool lists |
| Endpoint metadata | Hostname, operating system, internal IP address |
| Security alerts | Policy violation events with endpoint and agent references |
| Admin audit log | Actions performed by the Controller's admin users (Keycloak user IDs) |

Explicitly NOT processed: AI prompt/response content, file contents, API key values, keystrokes, personal communications.

§3 Obligations of the Processor

  • 3.1 Processing only on documented instructions of the Controller (Art. 28(3)(a) GDPR).
  • 3.2 Confidentiality obligations for all persons authorised to process data.
  • 3.3 Technical and organisational measures (Art. 32 GDPR): TLS 1.3, mTLS agent authentication, Keycloak OIDC/RBAC, PostgreSQL Row-Level Security, audit logging, automated deletion, EU-only infrastructure (Hetzner Cloud DE).
  • 3.4 No additional sub-processors without written authorisation; §5 sub-processors are pre-approved.
  • 3.5 Assistance with data subject rights (Art. 15–21 GDPR), including the Art. 17 deletion function in the service.
  • 3.6 Assistance with Art. 32–36 GDPR obligations (security, breach notification, DPIA).
  • 3.7 Deletion of all data within 30 days of service termination.
  • 3.8 Provision of all evidence documents upon request; support for audits.

§4 Obligations of the Controller

  • 4.1 Responsibility for the lawfulness of processing, including required consents and Works Council agreements.
  • 4.2 Immediate notification of the Processor upon discovery of any irregularities.
  • 4.3 Ensuring that only authorised persons access the service.

§5 Sub-Processors

5.1 The following sub-processors are approved:

| Sub-processor | Purpose | Location | Legal basis |
|---|---|---|---|
| Hetzner Cloud GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany | Server infrastructure (production + staging) | Falkenstein + Nuremberg, DE | DPA pursuant to Art. 28 GDPR |
| [Email provider — to be added] | Transactional emails | [DE/EU] | DPA / SCCs |

5.2 Changes to the sub-processor list are announced with at least 30 days' notice. The current list is available at sielum.io/legal/sub-processors.

§6 Data Transfers Outside the EU/EEA

6.1 Personal data is processed exclusively on infrastructure within the EU/EEA (Hetzner Cloud DE, data centres in Falkenstein and Nuremberg). No transfers to third countries occur.

6.2 Sielum is not subject to the US CLOUD Act. Hetzner Cloud GmbH is a German company with no US parent.

§7 Retention and Deletion

  • 7.1 Default telemetry retention period: 90 days (configurable by the Controller in the dashboard).
  • 7.2 Automated deletion after the configured retention period.
  • 7.3 All data deleted within 30 days of service termination.

§8 Security Incident Notification

  • 8.1 Personal data breaches reported without undue delay, within 72 hours where feasible.
  • 8.2 Notification content: nature of the breach, categories and approximate number of data subjects, likely consequences, measures taken.
  • 8.3 Notifications sent to the Controller's designated contact and to legal@sielum.io.

§9 Governing Law and Jurisdiction

This Agreement is governed by the law of the Federal Republic of Germany. The place of jurisdiction for all disputes is Tostedt, Germany, to the extent permitted by law.

§10 Contact and DPA Requests

For questions about this DPA or to request a countersigned copy: legal@sielum.io

CyberCitizen UG (haftungsbeschränkt)
Westerberg 4, 27419 Sittensen, Germany