Data Processing Addendum
Effective: 2026-04-01
This Data Processing Addendum ("DPA") forms part of the Gigamcp Terms of Service between Bord OÜ (operator of the Gigamcp platform; "Processor") and the Customer ("Controller") and reflects the parties' agreement on the Processing of Personal Data, as defined in the EU GDPR (Regulation 2016/679) and the UK GDPR.
1. Definitions
"GDPR", "Personal Data", "Data Subject", "Processing", "Controller", "Processor", "Sub-processor", and "Supervisory Authority" have the meanings given in the GDPR. "SCCs" means the Standard Contractual Clauses approved by EU Commission Decision 2021/914.
2. Subject matter & duration
Processor will Process Personal Data on behalf of Controller for the duration of the Service Agreement, solely to provide the Gigamcp platform — a multi-tenant MCP server with retrieval-augmented knowledge over Customer-provided sources.
3. Nature & purpose of Processing
- Hosting Customer accounts (workspace, members, groups).
- Indexing Customer-supplied documents to enable retrieval-augmented generation by AI agents and Customer-installed MCP clients.
- Operating audit logs, billing, and security telemetry.
- Sending transactional email (invites, billing receipts, security notices).
4. Categories of Data Subjects
- Controller's employees, contractors, and authorized end users.
- Individuals identified in documents that Controller chooses to ingest.
5. Categories of Personal Data
- Identity and contact data (name, email, profile photo, organization membership, role).
- Authentication metadata (WorkOS user ID, last-login timestamp, IP address, user-agent, session identifiers).
- Usage telemetry (tool invocations, audit-log events).
- Any Personal Data contained in Customer-supplied documents and chat-style queries submitted to the MCP server.
6. Processor obligations
- Process Personal Data only on documented instructions from Controller (including those in this DPA and the platform's configuration UIs), unless required to do so by EU or Member State law.
- Ensure that personnel authorized to Process Personal Data are contractually bound to confidentiality.
- Implement the technical and organizational measures described in Annex II (Security Measures) below.
- Use only the Sub-processors listed in Annex III, and notify Controller at least 30 days in advance of any change.
- Provide reasonable assistance to Controller in responding to Data Subject requests, DPIAs, and Supervisory-Authority consultations.
- Notify Controller without undue delay (and in any case within 72 hours) of becoming aware of a Personal Data Breach.
7. International transfers
Personal Data is hosted in the EU (AWS eu-central-1, Frankfurt) by default. Where Sub-processors process data outside the EEA, transfers are governed by the SCCs (Module 2 or 3 as applicable), supplemented by appropriate technical safeguards (encryption in transit and at rest, key management).
8. Audits
Controller may, no more than once per year, request: (a) a copy of Processor's most recent SOC 2 Type II report, (b) responses to a reasonable security questionnaire, and (c) an on-site audit conducted with reasonable notice and at Controller's expense, subject to confidentiality.
9. Deletion / return
Upon termination of the Service Agreement, Controller may export its data via the GDPR-export API. Processor will delete all Customer Personal Data within 30 days of termination, except where retention is required by law (financial records: 7 years per Estonian Raamatupidamise seadus § 12).
Annex I — Details of Processing
See sections 3-5 above.
Annex II — Security Measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256 via AWS KMS).
- Strict tenant isolation via Postgres Row-Level Security.
- OpenSearch queries are mandatory-filtered by tenant_id and audience tags; cross-tenant retrieval is architecturally impossible.
- AWS WAFv2 in front of the application load balancer (managed rules + per-IP rate limiting).
- Sentry and CloudWatch monitoring with on-call rotation; PII scrubbed from error reports.
- Daily encrypted RDS snapshots, retained for 7 days.
- Annual third-party penetration testing; SOC 2 Type I attainment tracked publicly on trust.gigamcp.io (planned).
Annex III — Approved Sub-processors
The current list of Sub-processors is published in the Privacy Policy and updated whenever it changes.
Contact
Privacy / DPO: privacy@gigamcp.io.