Data Processing Agreement

Effective date: March 1, 2026

Last updated: March 1, 2026

This Data Processing Agreement ("DPA") forms part of the Enterprise agreement between the Customer and Cygn ("we," "us," or "our") for the provision of cryptographic identity, content signing, and provenance verification services through the Cygn platform (the "Service"). This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and reflects the parties' agreement with regard to the processing of Personal Data.

This DPA applies to Cygn Enterprise customers. The EU Commission Standard Contractual Clauses (Implementing Decision (EU) 2021/914) are incorporated by reference and shall apply where Personal Data is transferred internationally.

1. Definitions

  • "Controller" means the Customer, the entity that determines the purposes and means of the processing of Personal Data.
  • "Processor" means Cygn, which processes Personal Data on behalf of the Controller.
  • "Sub-processor" means any third party engaged by Cygn to assist in processing Personal Data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person as defined under GDPR Article 4(1).
  • "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, use, disclosure by transmission, dissemination, erasure, or destruction.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
  • "DID" means a Decentralized Identifier as defined by the W3C DID Core specification.

2. Subject Matter and Duration

This DPA governs the processing of Personal Data by Cygn in connection with the provision of enterprise API services for media analysis, content signing, voice identification, and audio watermarking.

The duration of this DPA shall be coterminous with the term of the Enterprise agreement between the Customer and Cygn. Upon termination of the Enterprise agreement, the provisions of this DPA relating to data deletion, return, and confidentiality shall continue to apply until all Personal Data has been deleted or returned.

3. Nature and Purpose of Processing

Cygn processes Personal Data through automated means to provide the following services to the Customer:

  • Deepfake detection: Automated analysis of media files to detect manipulated or synthetically generated content.
  • C2PA content signing: Embedding cryptographic Content Credentials into media files in compliance with the C2PA standard for provenance verification.
  • Document signing: Generating Ed25519 digital signatures and Vouch-Tokens for documents and API payloads.
  • Audio watermarking: Embedding and detecting inaudible watermarks in audio streams for identity verification.
  • Voice ID: Processing biometric voiceprint data to create and verify voice-based identity credentials.
  • Provenance bundling: Aggregating signatures, timestamps, and metadata into verifiable provenance records.

4. Types of Personal Data

The following categories of Personal Data may be processed under this DPA:

Category | Examples
Media files | Images, video, and audio files submitted via the API for signing, analysis, or watermarking
Biometric voiceprints | Voice identity data processed for Voice ID enrolment and verification
API request metadata | IP addresses, timestamps, file sizes, content hashes, and Decentralized Identifiers (DIDs)
Enterprise account data | Administrator names, email addresses, team member details, and billing information

5. Categories of Data Subjects

The Data Subjects whose Personal Data may be processed under this DPA are the end users of the Customer's products and services whose data is submitted to or processed via the Cygn APIs. This may include the Customer's employees, contractors, customers, and any other individuals whose media, identity data, or metadata is processed through the Service.

6. Obligations of the Processor

Cygn, as Processor, shall:

  • Documented instructions: Process Personal Data only on the documented instructions of the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law. In such a case, Cygn shall inform the Controller of that legal requirement before processing, unless the law prohibits such notification.
  • Confidentiality: Ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Security measures: Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
    • TLS 1.3 encryption for all data in transit
    • AES-256 encryption for all data at rest
    • Ed25519 cryptographic signatures for identity and integrity verification
    • Automated key rotation and access controls
    • Network isolation and perimeter security
  • Sub-processors: Not engage another processor without prior specific or general written authorisation of the Controller, subject to the terms in Section 7 of this DPA.
  • Data Subject assistance: Assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests for exercising the Data Subject's rights under Chapter III of the GDPR.
  • Compliance assistance: Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Cygn.
  • Deletion and return: At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage of the Personal Data.
  • Audit cooperation: Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

7. Sub-processors

The Controller provides general written authorisation for Cygn to engage the following Sub-processors:

Sub-processor | Purpose | Location
Vercel | Application hosting and serverless compute | United States
Upstash | Serverless database (Redis) | United States
Cloudflare | CDN, DDoS protection, and edge security | Global
Resend | Transactional email delivery | United States

Cygn shall provide the Controller with at least 30 days' prior written notice before adding or replacing any Sub-processor. The Controller may object to the appointment or replacement of a Sub-processor by notifying Cygn in writing within 14 days of receiving such notice. If the Controller objects, Cygn shall make reasonable efforts to make available an alternative solution. If no alternative is reasonably available, either party may terminate the affected Service with 30 days' written notice.

8. International Data Transfers

Cygn's primary servers are located in the United States. Where Personal Data originating from the European Economic Area (EEA), United Kingdom, or Switzerland is transferred to a country that has not received an adequacy decision from the European Commission, such transfers shall be governed by the Standard Contractual Clauses adopted by the European Commission under Implementing Decision (EU) 2021/914.

The applicable transfer mechanisms are:

  • Standard Contractual Clauses (SCCs): Module Two (Controller to Processor) of the SCCs annexed to Implementing Decision (EU) 2021/914 is incorporated by reference into this DPA and shall be deemed executed between the Customer (as data exporter) and Cygn (as data importer).
  • Adequacy decisions: Where applicable, transfers may rely on adequacy decisions issued by the European Commission under Article 45 of the GDPR.
  • Supplementary measures: Cygn implements supplementary technical measures including TLS 1.3 encryption in transit, AES-256 encryption at rest, and Ed25519 cryptographic signatures to provide additional safeguards for transferred data.

9. Security Measures

9.1 Technical Measures

  • Encryption in transit: All data transmitted between the Customer and Cygn is protected by TLS 1.3.
  • Encryption at rest: All stored data is encrypted using AES-256.
  • Cryptographic signatures: Ed25519 digital signatures are used for identity verification, content integrity, and non-repudiation.
  • Automated key rotation: Cryptographic keys used for service operations are rotated automatically on a regular schedule.
  • Network isolation: Production systems are isolated within virtual private networks with strict ingress and egress controls.

9.2 Organisational Measures

  • Access controls: Role-based access controls enforce the principle of least privilege. Administrative access requires multi-factor authentication.
  • Employee training: All personnel with access to Personal Data receive training on data protection obligations and security practices.
  • Incident response procedures: Documented incident response procedures are maintained and tested to ensure timely detection, containment, and notification of security incidents.
  • Regular security reviews: Periodic security assessments and vulnerability scans are conducted to identify and remediate risks.

10. Data Breach Notification

In the event of a Personal Data Breach, Cygn shall notify the Controller without undue delay and in any case within 72 hours of becoming aware of the breach.

The notification shall include:

  • A description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned.
  • The name and contact details of the data protection officer or other contact point where more information can be obtained.
  • A description of the likely consequences of the Personal Data Breach.
  • A description of the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where it is not possible to provide all information at the same time, Cygn shall provide the information in phases without undue further delay. Cygn shall document all Personal Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken.

11. Audit Rights

The Controller may audit Cygn's compliance with this DPA subject to the following conditions:

  • The Controller shall provide at least 30 days' prior written notice of any audit request.
  • Audits shall be conducted during normal business hours and shall not unreasonably interfere with Cygn's business operations.
  • The Controller may conduct no more than one audit per calendar year, unless required by a supervisory authority or following a Personal Data Breach.
  • The Controller shall bear its own costs for any audit, unless the audit reveals material non-compliance by Cygn.
  • Cygn shall make available relevant certifications, audit reports (such as SOC 2 Type II where available), and documentation to assist the Controller in verifying compliance.

12. Data Deletion and Return

Upon termination or expiry of the Enterprise agreement:

  • The Customer may export all Personal Data processed under this DPA via the /api/v1/account/export endpoint within 30 days of termination.
  • After the 30-day export period, Cygn shall permanently delete all Personal Data from its systems, including all copies, backups, and archives, unless retention is required by applicable Union or Member State law.
  • Cygn shall provide written confirmation of deletion upon request from the Controller.
  • Any Personal Data retained due to legal obligations shall continue to be protected in accordance with this DPA and shall be deleted as soon as the legal obligation expires.

13. Liability

The liability of each party under this DPA shall be subject to the exclusions and limitations of liability set forth in the main Enterprise agreement between the Customer and Cygn. Nothing in this DPA shall limit either party's liability with respect to any rights of Data Subjects under applicable data protection law.

14. Contact

For questions, requests, or notifications relating to this DPA, contact us at:

Cygn - Data Protection

Email: privacy@cygn.me

Website: cygn.me

Vouch Protocol: vouch-protocol.com