This Data Processing Agreement ("DPA") governs the processing of Personal Data by Sovereign Engineering ("Data Processor") on behalf of our enterprise customers ("Data Controllers").
1. Scope of Processing
The core architecture of Sovereign is designed to process machine state (DOM rendering, timing APIs, network waterfalls), not human identity.
However, because our headless probes execute your application exactly as a user would—including synthetic checkout flows and authenticated state—the Chromium browser instances may temporarily encounter Personal Data embedded within the DOM or API responses of the target application.
2. AI Diagnostic Guardrails
When an incident occurs and the AI Analyst compiles an RCA (Root Cause Analysis), Sovereign strictly scrubs textual DOM elements whose content matches standard regex patterns for credit card numbers, Social Security Numbers, and email addresses before transmitting the payload to Google Gemini 2.0 Flash. Our subprocessor agreements prohibit the use of your telemetry data for model training.
3. Controller Obligations
As the Data Controller, you agree to:
- Avoid hardcoding production credentials or live PII into the Synthetic Flow scripts provided directly to Sovereign. Use isolated QA/Staging environments or synthetic test accounts whenever executing destructive/write actions.
- Maintain a valid legal basis (e.g., Consent, Legitimate Interest) for processing end-user data collected via the zero-dependency RUM snippet.
4. Technical Security Measures
We deploy strict technical and organizational measures (TOMs) to protect against unauthorized processing or data loss:
- All telemetry data is encrypted at rest (AES-256) and in transit (TLS 1.3).
- Probe execution occurs in isolated, ephemeral Docker containers that are instantly pruned post-flight.
- All visual DOM artifacts are stored in strictly partitioned, secure S3 buckets with time-to-live restrictions bound to your subscription tier.
- Sovereign personnel do not have logical access to visual evidence unless explicitly granted by the workspace owner via temporary role-based access controls for support escalation.
5. Subprocessors
Our current, authorized list of Subprocessors engaged in handling telemetry or platform functions:
| Entity | Function | Location |
|---|---|---|
| Supabase | Identity / Relational Database | US / EU (Region-locked) |
| Google Cloud Platform | Compute / Object Storage | US / EU (Region-locked) |
| Google Vertex AI | Incident Diagnostics (Zero-retention) | US / EU |
| Fly.io | Global Edge Orchestration | Global |
