Enthos AI Data Processing Addendum (DPA)
Effective: April 24, 2026
This Data Processing Addendum ("DPA") forms part of the Enthos AI Terms of Service ("Agreement") between Masi Enterprises LLC d/b/a Enthos AI ("Enthos AI", "Processor") and the customer entity that subscribes to Enthos for team or enterprise use ("Customer", "Controller"). This DPA applies to the extent Enthos processes Personal Data on behalf of Customer in connection with the Services.
If Customer is established in the European Economic Area ("EEA"), the United Kingdom ("UK"), or Switzerland, this DPA, including the Standard Contractual Clauses incorporated by reference, applies to such processing.
1. Definitions
- "Personal Data" has the meaning given to it under applicable Data Protection Laws (e.g., GDPR Art. 4(1), CCPA/CPRA, NJDPA).
- "Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data, including the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK Data Protection Act 2018 + UK GDPR, the Swiss FADP, the California Consumer Privacy Act as amended by the CPRA ("CCPA/CPRA"), and other U.S. state privacy laws.
- "Controller", "Processor", "Data Subject", "Processing", and "Sub-processor" have the meanings given in the GDPR.
- "Services" means the Enthos AI software and related services described in the Agreement.
- "Standard Contractual Clauses" or "SCCs" means the European Commission's Standard Contractual Clauses for the transfer of Personal Data to third countries (Commission Decision 2021/914), and where applicable the UK International Data Transfer Addendum.
- "Sub-processor" means any third-party Processor engaged by Enthos that processes Personal Data on behalf of Customer.
2. Roles and Scope
2.1 Roles. For Personal Data processed in connection with the Services, Customer is the Controller and Enthos AI is the Processor. Where Customer acts as a Processor for its own end users, Enthos AI acts as a Sub-processor.
2.2 Subject matter and duration. The processing is for the duration of the Agreement and concerns the Personal Data described in Schedule 1 (Processing Activities).
2.3 Customer instructions. Enthos will process Personal Data only on documented instructions from Customer, including with regard to international transfers, except where required to do so by law. Use of the Services in accordance with the Agreement and the Documentation constitutes such documented instructions. If Enthos believes an instruction violates Data Protection Laws, it will inform Customer.
3. Sub-processors
3.1 Customer authorizes Enthos to engage the Sub-processors listed in Schedule 2 (Sub-processors). Enthos remains responsible for its Sub-processors' compliance with this DPA.
3.2 Notice of changes. Enthos will notify Customer at least 30 days before adding or replacing a Sub-processor (by updating Schedule 2 and providing notice via the Services or email). Customer may object on reasonable grounds; the parties will work in good faith to resolve the objection.
3.3 Flow-down. Enthos will impose data-protection obligations on Sub-processors that are no less protective than those in this DPA, including SCCs where required.
4. Security Measures
Enthos implements appropriate technical and organizational measures designed to protect Personal Data, including:
- Encryption in transit — TLS 1.3 for all Service traffic.
- Encryption at rest — AES-256 for data stored in Enthos-controlled infrastructure (Supabase Postgres, sidecar SQLite vault encrypted via OS-level keystore on user devices).
- Per-user local storage — On user devices, the local SQLite vault is namespaced per authenticated user (one SQLite file per Supabase user identifier). When multiple authenticated users share a device, each user's local memory is in a separate file and cannot be read, exported, or deleted by another user's session. Anonymous (unauthenticated) use shares a legacy machine-scoped vault for backwards compatibility; first sign-in transparently migrates the legacy vault into the per-user vault.
- Access controls — least-privilege RBAC; multi-factor authentication for all production access.
- Network controls — segmented production networks, automated dependency scanning, secrets stored in encrypted secret managers.
- Audit logging — application + infrastructure access logs retained for 90 days.
- Personnel — confidentiality obligations + background checks where permitted by law.
- Compliance program — SOC 2 Type II readiness program in flight; report available to enterprise customers on request once issued.
A more detailed description is provided in Schedule 3 (Security Measures).
5. Data Subject Rights
Enthos will, taking into account the nature of the processing, provide reasonable assistance to Customer (by appropriate technical and organizational measures, insofar as possible) for the fulfillment of Customer's obligations to respond to Data Subject requests under Data Protection Laws.
- The Services include built-in self-service flows for export and deletion at enthos.ai/settings/privacy.
- For requests Customer cannot fulfill via the Services, Customer may contact privacy@enthos.ai.
- Enthos will not respond directly to Data Subject requests without Customer's prior written authorization, except where legally required.
6. Personal Data Breach Notification
6.1 Enthos will notify Customer without undue delay, and in any event within 72 hours of becoming aware of a confirmed Personal Data breach affecting Customer's Personal Data.
6.2 The notification will include, to the extent then known: the nature of the breach (categories and approximate volume of Data Subjects and records concerned), likely consequences, measures taken or proposed to address the breach, and a contact point for further information.
6.3 Enthos will cooperate with Customer in good faith to investigate and remediate the breach, including providing reasonable information needed for Customer's notifications to supervisory authorities and Data Subjects.
7. Audits
7.1 Enthos will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including:
- The most recent SOC 2 report (once available) or interim third-party security assessment.
- Penetration test summaries.
- Sub-processor list and SCC status.
7.2 Where the information made available is insufficient to demonstrate compliance, Customer may request an audit of Enthos's processing of Personal Data on reasonable advance written notice (no more than once per 12-month period, except following a confirmed breach). Audits must respect Enthos's confidentiality obligations to other customers and may be conducted by an independent qualified auditor agreed by both parties.
8. International Data Transfers
8.1 To the extent processing involves transfers of Personal Data from the EEA, UK, or Switzerland to a country not benefitting from an adequacy decision, the parties incorporate by reference:
- Module Two (Controller-to-Processor) of the SCCs for Customer-as-Controller transfers.
- Module Three (Processor-to-Processor) where Customer acts as a Processor for its own end users.
- The UK International Data Transfer Addendum (IDTA) for transfers from the UK.
- The Swiss FDPIC Adequacy Decision mechanism for transfers from Switzerland.
8.2 Where the SCCs provide options, the parties select:
- Clause 7 (docking clause): not used.
- Clause 9(a): general written authorization (Option 2), with the notice period in Section 3.2 above.
- Clause 11(a): not used.
- Clause 17 governing law: Republic of Ireland.
- Clause 18 forum: courts of Ireland.
- Annex I.A and I.B and Annex II are populated by Schedule 1 and Schedule 3 of this DPA.
- Annex III sub-processors are set out in Schedule 2.
9. Return or Deletion
Upon termination of the Agreement, Enthos will, at Customer's choice, delete or return all Personal Data to Customer, and delete existing copies, unless retention is required by applicable law. Backup copies are deleted within 90 days of termination. Customer may at any time export and delete Personal Data via the in-Service controls.
10. Liability
Each party's liability under this DPA is subject to the liability cap and exclusions set forth in the Agreement.
11. Conflict and Severability
In case of a conflict between this DPA and the Agreement, this DPA prevails with respect to the processing of Personal Data. If any provision is held unenforceable, the remainder of this DPA remains in effect.
Schedule 1 — Processing Activities (Annex I)
A. List of Parties. Controller: Customer (as identified in the Agreement). Processor: Masi Enterprises LLC d/b/a Enthos AI, New Jersey, United States.
B. Description of Processing.
| Item | Description |
|---|---|
| Categories of Data Subjects | Customer's authorized end users, employees, contractors, and any natural persons referenced in prompts, projects, or memory entries |
| Categories of Personal Data | Account identifiers (email, name), authentication tokens, prompt and project content (including any Personal Data Customer chooses to include), telemetry events (auth flow outcomes, runtime starts, classifier failures), payment metadata (handled by Stripe — Enthos does not store card numbers) |
| Special categories | None expected by design; if Customer submits special categories, Customer represents it has a lawful basis under Art. 9 GDPR |
| Frequency | Continuous, for the duration of the Agreement |
| Nature of processing | Hosting, storage, retrieval, AI-assisted generation, telemetry analytics |
| Purpose | Providing the Services as described in the Agreement |
| Retention | Telemetry: 90 days. Memory entries: until the user deletes or terminates. Account data: termination + 30 days, then deleted |
C. Competent Supervisory Authority. Where the SCCs apply, the supervisory authority of the EEA Member State of the Customer (or its EU representative) acts as the competent authority.
Schedule 2 — Sub-processors (Annex III)
| Sub-processor | Service | Data category | Location | Transfer mechanism |
|---|---|---|---|---|
| Supabase, Inc. | Authentication, Postgres database, storage | Account data, telemetry, memory metadata | United States (AWS us-east-1) | SCCs |
| Stripe, Inc. | Payment processing | Billing identifiers (no card numbers stored by Enthos) | United States | SCCs + Stripe DPA |
| Fireworks AI, Inc. | DeepSeek V4 critic inference (zero-data-retention tier) | Prompt + response content for the critic call only | United States | SCCs |
| Resend (Resend.com, Inc.) | Transactional email | Email address, email content | United States | SCCs |
| Vercel, Inc. | Web app hosting + CDN | Connection metadata, browser headers | United States / global edge | SCCs |
| Anthropic, OpenAI, Google, xAI, DeepSeek (PRC), Cerebras, Together, Groq, OpenRouter | Inference for user-selected model routes (BYO subscription except where BYOK or pass-through is enabled) | Prompt + response content | Provider data centers (primarily US; DeepSeek PRC route is opt-in only) | Provider DPA / SCCs as applicable |
The current sub-processor list is also published at enthos.ai/legal/sub-processors.
Schedule 3 — Security Measures (Annex II)
- Pseudonymization and encryption. TLS 1.3 in transit; AES-256 at rest; user-scoped database row-level security.
- Confidentiality, integrity, availability, resilience. RBAC + MFA for production; redundant backups; documented incident response runbooks; penetration testing on production releases.
- Restoration of availability. Automated daily backups; point-in-time recovery for managed Postgres; documented disaster-recovery procedures.
- Regular testing and evaluation. Annual third-party penetration tests; quarterly internal security reviews; SOC 2 Type II audit program in flight.
- User and access management. Just-in-time access; access reviews each quarter; audit logging of administrative actions.
- Data deletion. Soft-delete on user request, hard-delete after 30 days. Backup hard-delete within 90 days.
- Sub-processor management. Vendor security review prior to onboarding; written DPAs with each Sub-processor.
Contact
- Privacy: privacy@enthos.ai
- DPO contact: dpo@enthos.ai
- Legal: legal@enthos.ai
- Mail: Masi Enterprises LLC d/b/a Enthos AI, New Jersey, United States
_Document version 2026-04-24. SCC integration ready for execution by enterprise customers on request._