🚀 Launch Special: 50% off with code LAUNCH50. Offer ends Dec 31, 2026Get Started

Data Processing Agreement (DPA)

Last updated: June 1, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Cerebion LLC ("Processor") and the customer organization ("Controller") and applies where Cerebion processes personal data on behalf of the Controller in connection with the Services.

1. Scope and Purpose

This DPA applies to the processing of personal data by Cerebion solely for the purpose of providing license validation and account management services. Cerebion does not process any data from systems analyzed by Cerebion Rivet.

2. Data Processed

Cerebion processes only the following personal data on behalf of Controller:

  • Name and work email of authorized users
  • Device fingerprints for license validation
  • Software version and OS type for support purposes

3. Processor Obligations

Cerebion agrees to:

  • Process personal data only on documented instructions from Controller
  • Ensure persons authorized to process data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist Controller in responding to data subject rights requests
  • Delete or return all personal data upon termination of services
  • Provide all information necessary to demonstrate compliance
  • Notify Controller within 72 hours of becoming aware of a personal data breach

4. Sub-processors

Controller authorizes Cerebion to use the following sub-processors:

  • Amazon Web Services (AWS): Infrastructure hosting and email delivery — USA
  • Stripe: Payment processing — USA

Cerebion will notify Controller of any intended changes to sub-processors with 30 days notice.

5. International Transfers

Where personal data is transferred outside the EEA, Cerebion ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission.

6. Security Measures

Cerebion implements the following security measures:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls and principle of least privilege
  • Regular security assessments and vulnerability management
  • Incident response procedures

7. Audit Rights

Controller may request an audit of Cerebion's data processing activities with 30 days written notice, no more than once per year, at Controller's expense.

8. Term

This DPA remains in effect for the duration of the Terms of Service and terminates automatically upon termination of the Services.

Request a Signed DPA

Enterprise customers requiring a signed DPA for GDPR compliance may request one by emailing legal@cerebion.com.

Contact

Data protection inquiries: privacy@cerebion.com
Cerebion LLC, Michigan, USA