Data Processing Addendum

1. Scope

This Data Processing Addendum ("DPA") describes the data protection terms that apply when PlanetGraph processes personal data on behalf of a customer in connection with PlanetGraph's hosted platform, API, and related services. This DPA supplements the Terms of Service or any separate agreement between PlanetGraph and the customer.

Enterprise customers may contact legal@planetgraph.ai to discuss execution, customer-specific terms, or a signed copy.

2. Roles

The customer is the controller or processor, as applicable, for customer data submitted to PlanetGraph. PlanetGraph acts as a processor or subprocessor for customer personal data processed to provide the service. PlanetGraph acts as a controller for account, billing, security, and operational metadata used to run and protect the service.

3. Processing Instructions

PlanetGraph will process customer personal data only to provide, secure, maintain, support, and improve the service, comply with documented customer instructions, and satisfy legal obligations. PlanetGraph will not sell customer personal data.

4. Security Measures

PlanetGraph maintains technical and organizational measures designed to protect customer data, including encryption in transit, encryption at rest, property-level encryption, access controls, audit logging, backups, and personnel access restrictions. Additional details are available on the Security page.

5. Subprocessors

PlanetGraph may use subprocessors to provide the service. Current subprocessors are listed on the Subprocessors page. PlanetGraph will impose data protection obligations on subprocessors appropriate to the services they provide.

6. International Transfers

Where customer personal data is transferred across jurisdictions, PlanetGraph will use appropriate safeguards required by applicable data protection law, which may include Standard Contractual Clauses or other lawful transfer mechanisms.

7. Assistance and Data Subject Requests

PlanetGraph will provide reasonable assistance for data subject requests, security inquiries, and compliance obligations where required by applicable law and where the customer cannot fulfill the request through the service.

8. Deletion and Return

Upon customer request or termination, PlanetGraph will delete or return customer personal data in accordance with the agreement, the Privacy Policy, and applicable law. Verified erasure requests may require removal or anonymization across active databases, derived indexes, embeddings, graph projections, and backups according to the applicable retention lifecycle. Audit, billing, security, and legal records may be retained where required or reasonably necessary.

9. Security Incidents

PlanetGraph will notify affected customers without undue delay after becoming aware of a security incident involving customer personal data, and will provide information reasonably available to support customer investigation and regulatory obligations.

10. Audits and Reviews

PlanetGraph will make reasonable security and compliance information available to enterprise customers. Any formal audit rights, questionnaires, or evidence requests are subject to reasonable confidentiality, security, and operational limits.