Data Processing Addendum

Last updated: March 22, 2026

This Data Processing Addendum (“DPA”) forms part of the Terms of Service or other written or electronic agreement between Mataki Labs LLC (“Authpipe,” “Processor,” “we,” “us,” or “our”), a Wyoming limited liability company located at 30 N Gould St Ste N, Sheridan, WY 82801, and the entity or person agreeing to these terms (“Customer,” “Controller,” “you,” or “your”) for the provision of the Authpipe platform, APIs, and related services (the “Services”) as described in the Terms of Service (the “Agreement”).

This DPA applies to the extent that Authpipe processes Personal Data on behalf of Customer in the course of providing the Services. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.

1. Definitions

For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalized terms not defined herein shall have the meanings given to them in the Agreement.

“Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data under this DPA, including (a) the EU General Data Protection Regulation 2016/679 (“GDPR”); (b) the UK General Data Protection Regulation as incorporated into UK law by the Data Protection Act 2018 (“UK GDPR”); (c) the Swiss Federal Act on Data Protection (“FADP”); (d) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”); and (e) any other applicable data protection or privacy laws.
“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. For the purposes of this DPA, the Customer is the Controller.
“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
“EEA” means the European Economic Area, comprising the member states of the European Union plus Iceland, Liechtenstein, and Norway.
“Personal Data” means any information relating to an identified or identifiable natural person that is processed by Authpipe on behalf of Customer in connection with the Services. This includes, but is not limited to, data defined as “personal data” under the GDPR, “personal data” under the UK GDPR, and “personal information” under the CCPA.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by Authpipe.
“Processing” (and its cognates “Process,” “Processed,” and “Processes”) means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Processor” means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller. For the purposes of this DPA, Authpipe is the Processor.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, or any successor clauses adopted by the European Commission.
“Sub-Processor” means any third party appointed by Authpipe to process Personal Data on behalf of Customer in connection with the Services.
“Supervisory Authority” means an independent public authority established by an EU Member State, UK, or Swiss authority pursuant to Applicable Data Protection Law.

2. Roles and Scope

2.1 Roles of the Parties

The parties acknowledge and agree that:

(a) Customer is the Controller of Personal Data and determines the purposes and means of processing Personal Data through its use of the Services.

(b) Authpipe is the Processor of Personal Data and processes Personal Data solely on behalf of Customer and in accordance with Customer’s documented instructions as described in this DPA and the Agreement.

(c) Each party shall comply with its respective obligations under Applicable Data Protection Law with respect to the processing of Personal Data.

2.2 Scope of Processing

Authpipe shall process Personal Data only to the extent necessary to provide the Services in accordance with the Agreement and this DPA. The details of processing, including the subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects, are described in Annex 1 of this DPA.

2.3 Customer Obligations

Customer represents and warrants that:

(a) It has provided all necessary notices to, and obtained all necessary consents, permissions, or authorizations from, Data Subjects as required under Applicable Data Protection Law to enable the lawful processing of Personal Data by Authpipe as contemplated by this DPA.

(b) It has a lawful basis for processing Personal Data and for instructing Authpipe to process Personal Data on its behalf.

(d) It shall not transmit or cause to be transmitted any Personal Data to Authpipe that Authpipe is not authorized or instructed to process under this DPA.

3. Processor Obligations

3.1 Documented Instructions

(a) Authpipe shall process Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law to which Authpipe is subject. In such a case, Authpipe shall inform Customer of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest.

(b) Customer’s initial instructions are set forth in this DPA and the Agreement. Customer may issue additional reasonable written instructions consistent with the terms of the Agreement. If Authpipe believes that any instruction from Customer infringes Applicable Data Protection Law, Authpipe shall promptly notify Customer and shall not be required to comply with the infringing instruction.

(c) The Agreement (including this DPA) constitutes Customer’s complete and final documented instructions to Authpipe for the processing of Personal Data. Any additional or alternate instructions must be agreed upon separately in writing.

3.2 Confidentiality

(a) Authpipe shall ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(b) Authpipe shall not disclose Personal Data to any third party except as expressly permitted by this DPA, the Agreement, or as required by applicable law.

3.3 Security

(a) Authpipe shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, as described in Annex 2 of this DPA. Such measures shall include, as appropriate:

(i) the pseudonymization and encryption of Personal Data;

(ii) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

(iii) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and

(iv) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

(b) In assessing the appropriate level of security, Authpipe shall take into account the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

(c) Authpipe shall take reasonable steps to ensure that only authorized personnel have access to Personal Data and that such personnel process Personal Data only as instructed by Customer, except as required by applicable law.

3.4 Data Subject Rights

(a) Taking into account the nature of the processing, Authpipe shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction of processing, data portability, and the right to object.

(b) If Authpipe receives a request from a Data Subject in relation to Personal Data processed on behalf of Customer, Authpipe shall promptly redirect the Data Subject to Customer and notify Customer of the request. Authpipe shall not respond to the Data Subject directly unless authorized by Customer or required by applicable law.

(c) Customer acknowledges that Authpipe may charge a reasonable fee for any assistance provided under this Section 3.4, to the extent such assistance requires significant effort beyond what is included in the Services.

3.5 Data Protection Impact Assessments

Authpipe shall provide reasonable assistance to Customer with data protection impact assessments and prior consultations with Supervisory Authorities, to the extent required under Applicable Data Protection Law and taking into account the nature of the processing and the information available to Authpipe.

4. Sub-Processors

4.1 General Authorization

Customer provides general written authorization for Authpipe to engage Sub-Processors to process Personal Data on behalf of Customer, subject to the requirements of this Section 4. The current list of Sub-Processors is available at /legal/sub-processors.

4.2 Sub-Processor Obligations

Authpipe shall:

(a) Enter into a written agreement with each Sub-Processor that imposes data protection obligations no less protective than those set out in this DPA, including, in particular, providing sufficient guarantees to implement appropriate technical and organizational measures such that the processing meets the requirements of Applicable Data Protection Law.

(b) Remain fully liable to Customer for the performance of each Sub-Processor’s obligations. Where a Sub-Processor fails to fulfill its data protection obligations, Authpipe shall be liable to Customer for the acts and omissions of the Sub-Processor as if they were the acts and omissions of Authpipe itself.

4.3 Notification of New Sub-Processors

(a) Authpipe shall notify Customer before authorizing any new Sub-Processor to process Personal Data. Such notification shall be provided by updating the Sub-Processor list at /legal/sub-processors and by email notification to Customer’s designated contact or to the email address associated with Customer’s account. Authpipe shall provide at least thirty (30) days’ prior written notice before a new Sub-Processor begins processing Personal Data.

(b) Customer may subscribe to change notifications by emailing dpa@authpipe.dev.

4.4 Objection to New Sub-Processors

(a) Customer may object to Authpipe’s appointment of a new Sub-Processor by notifying Authpipe in writing within fifteen (15) days of receiving notice, provided that such objection is based on reasonable grounds relating to data protection.

(b) If Customer objects, Authpipe shall use commercially reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s use of the Services to avoid processing of Personal Data by the objected-to Sub-Processor.

(c) If Authpipe is unable to provide such an alternative within thirty (30) days of receiving Customer’s objection, either party may terminate the applicable Services that cannot be provided without the use of the objected-to Sub-Processor by providing written notice. Authpipe shall refund Customer any prepaid fees for the terminated Services covering the remainder of the subscription term following the effective date of termination.

5. International Data Transfers

5.1 General

Authpipe primarily stores and processes Personal Data in the United States. To the extent that the processing of Personal Data under this DPA involves the transfer of Personal Data from the EEA, the United Kingdom, or Switzerland to a country that has not been deemed to provide an adequate level of data protection by the applicable authority, the parties agree to the following transfer mechanisms.

5.2 Standard Contractual Clauses (EEA)

For transfers of Personal Data from the EEA to countries not recognized as providing an adequate level of data protection, the parties agree that the Standard Contractual Clauses (Module Two: Controller to Processor) shall apply and are hereby incorporated by reference. For the purposes of the SCCs:

(a) The “data exporter” is the Customer and the “data importer” is Authpipe.

(b) Clause 7 (Docking Clause) shall apply.

(c) Under Clause 9 (Use of Sub-Processors), the parties select Option 2 (General Written Authorization), and Authpipe shall provide notification of Sub-Processor changes in accordance with Section 4.3 of this DPA.

(d) Under Clause 11 (Redress), the optional language shall not apply.

(e) Under Clause 17 (Governing Law), the SCCs shall be governed by the laws of Ireland.

(f) Under Clause 18 (Choice of Forum and Jurisdiction), disputes shall be resolved before the courts of Ireland.

(g) Annex I of the SCCs shall be deemed completed with the information set out in Annex 1 of this DPA, and Annex II of the SCCs shall be deemed completed with the information set out in Annex 2 of this DPA.

5.3 UK Transfers

For transfers of Personal Data from the United Kingdom, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK Addendum”), as issued by the Information Commissioner’s Office under Section 119A(1) of the Data Protection Act 2018, shall apply and is hereby incorporated by reference. In the event of any conflict between the UK Addendum and this DPA, the UK Addendum shall prevail.

5.4 Swiss Transfers

For transfers of Personal Data from Switzerland, the SCCs as described in Section 5.2 shall apply, with the following modifications:

(a) References to the GDPR shall be interpreted as references to the Swiss FADP.

(b) References to “Member State” shall not be interpreted in a way that excludes Data Subjects in Switzerland from exercising their rights in their place of habitual residence.

5.5 Supplementary Measures

Authpipe shall implement and maintain supplementary measures as necessary to ensure that Personal Data transferred internationally receives an essentially equivalent level of protection as required by Applicable Data Protection Law. Such measures include the technical and organizational security measures described in Annex 2.

6. Personal Data Breach

6.1 Notification

(a) Authpipe shall notify Customer without undue delay, and in any event no later than seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of Customer.

(b) Such notification shall include, to the extent reasonably available:

(i) a description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;

(ii) the name and contact details of Authpipe’s point of contact from whom more information can be obtained;

(iii) a description of the likely consequences of the Personal Data Breach; and

(iv) a description of the measures taken or proposed to be taken by Authpipe to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

6.2 Assistance

(a) Authpipe shall cooperate with and assist Customer in investigating, mitigating, and remediating the Personal Data Breach and in complying with Customer’s obligations under Applicable Data Protection Law with respect to the Personal Data Breach, including any obligation to notify a Supervisory Authority or Data Subjects.

(b) Authpipe’s obligation to notify Customer of a Personal Data Breach shall not be construed as an acknowledgment by Authpipe of any fault or liability with respect to the Personal Data Breach.

6.3 Communication

Authpipe shall not inform any third party of a Personal Data Breach without first obtaining Customer’s prior written consent, unless notification is required by applicable law, in which case Authpipe shall, to the extent permitted by law, inform Customer of such requirement before making the notification.

7. Audits and Inspections

7.1 Audit Rights

(a) Authpipe shall make available to Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA and Applicable Data Protection Law. Authpipe shall allow for and contribute to audits, including inspections, conducted by Customer or a third-party auditor mandated by Customer, subject to the conditions set out in this Section 7.

(b) Customer may conduct an audit no more than once per twelve (12) month period, unless an audit is specifically requested by a Supervisory Authority or Customer has reasonable grounds to believe that Authpipe is not in compliance with this DPA.

7.2 Audit Procedures

(a) Customer shall provide Authpipe with at least thirty (30) days’ prior written notice of any audit, including the proposed scope and duration of the audit.

(b) Audits shall be conducted during normal business hours, with minimal disruption to Authpipe’s operations, and in compliance with Authpipe’s reasonable security and confidentiality requirements.

(c) Any third-party auditor shall be required to execute a confidentiality agreement acceptable to Authpipe before conducting the audit. Authpipe may object to a third-party auditor that is a direct competitor of Authpipe, in which case Customer shall appoint an alternative auditor.

(d) Customer shall bear all costs associated with the audit, except where the audit reveals a material breach of this DPA by Authpipe, in which case Authpipe shall bear the reasonable costs of the audit.

7.3 Certifications and Reports

At Customer’s request, Authpipe shall provide copies of relevant certifications, audit reports (including SOC 2 reports, if available), or summaries thereof, to the extent that such documentation reasonably demonstrates compliance with this DPA. Customer agrees that such documentation may satisfy Customer’s audit rights under this Section 7, provided the documentation adequately addresses the scope of the audit.

8. Data Return and Deletion

8.1 Return of Personal Data

Upon termination or expiration of the Agreement, or upon Customer’s written request, Authpipe shall, at Customer’s election:

(a) Return all Personal Data to Customer in a commonly used, machine-readable format; or

(b) Delete all Personal Data in accordance with Section 8.2.

8.2 Deletion

(a) Upon Customer’s request or upon termination or expiration of the Agreement, Authpipe shall delete all Personal Data processed on behalf of Customer within thirty (30) days, unless applicable law requires further storage of the Personal Data.

(b) Upon deletion, Authpipe shall provide written certification of deletion to Customer upon request.

(c) Authpipe may retain Personal Data to the extent required by applicable law, provided that Authpipe shall (i) process such retained Personal Data solely for the purpose and duration required by applicable law, (ii) maintain the confidentiality and security of such retained Personal Data, and (iii) delete such Personal Data promptly upon the expiration of the applicable retention requirement.

8.3 Backup Copies

Notwithstanding the foregoing, Authpipe may retain copies of Personal Data in its backup systems for a period not to exceed ninety (90) days following deletion from production systems, after which such copies shall be permanently deleted. During such retention period, Authpipe shall maintain the confidentiality and security of such backup copies and shall not actively process them except as necessary for backup restoration purposes.

9. CCPA-Specific Provisions

9.1 Role of the Parties

For the purposes of the CCPA, Customer is a “Business” and Authpipe is a “Service Provider.” Authpipe processes Personal Data (as defined in the CCPA as “Personal Information”) on behalf of Customer solely for the business purposes specified in the Agreement and this DPA.

9.2 Restrictions on Use

Authpipe shall not:

(a) Sell or share (as those terms are defined in the CCPA) Personal Information received from Customer.

(b) Retain, use, or disclose Personal Information for any purpose other than for the business purposes specified in the Agreement and this DPA, including retaining, using, or disclosing Personal Information for a commercial purpose other than providing the Services.

(c) Retain, use, or disclose Personal Information outside of the direct business relationship between Authpipe and Customer, except as expressly permitted by the CCPA.

(d) Combine Personal Information received from Customer with Personal Information received from or on behalf of another person or persons, or collected from Authpipe’s own interactions with the Data Subject, except as expressly permitted by the CCPA to perform the Services.

9.3 Compliance and Certification

Authpipe certifies that it understands and shall comply with the restrictions set forth in this Section 9. Authpipe shall notify Customer if it determines that it can no longer meet its obligations under the CCPA.

9.4 Right to Monitor

Customer shall have the right to take reasonable and appropriate steps to help ensure that Authpipe uses Personal Information in a manner consistent with Customer’s obligations under the CCPA. Upon reasonable notice, Customer may take steps to stop and remediate unauthorized use of Personal Information.

10. General

10.1 Term

This DPA shall remain in effect for the duration of the Agreement and for as long as Authpipe processes Personal Data on behalf of Customer.

10.2 Amendments

This DPA may be amended by Authpipe from time to time to reflect changes in Applicable Data Protection Law or Authpipe’s data processing practices. Authpipe shall provide Customer with at least thirty (30) days’ notice of any material amendment. Continued use of the Services following such notice constitutes acceptance of the amended DPA.

10.3 Severability

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid or unenforceable provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving the intent of the parties.

10.4 Governing Law

This DPA shall be governed by and construed in accordance with the laws governing the Agreement, except where Applicable Data Protection Law requires otherwise.

10.5 Limitation of Liability

Each party’s liability arising out of or related to this DPA shall be subject to the limitations of liability set forth in the Agreement. Nothing in this DPA shall be construed to limit or exclude either party’s liability for breaches of confidentiality obligations, willful misconduct, or liability that cannot be limited or excluded under applicable law.

10.6 Contact

For questions about this DPA or to exercise your rights hereunder, contact:

Email: dpa@authpipe.dev
Mail: Mataki Labs LLC, 30 N Gould St Ste N, Sheridan, WY 82801

Annex 1: Details of Processing

A. List of Parties

Data Exporter (Controller):

Name: The Customer, as identified in the Agreement
Address: As specified in the Customer’s account
Contact: As specified in the Customer’s account
Activities relevant to the transfer: Use of the Authpipe platform for OAuth token management, API key management, and credential brokering for the Customer’s applications
Role: Controller

Data Importer (Processor):

Name: Mataki Labs LLC (d/b/a Authpipe)
Address: 30 N Gould St Ste N, Sheridan, WY 82801
Contact: dpa@authpipe.dev
Activities relevant to the transfer: Provision of the Authpipe platform, including OAuth token lifecycle management, API key storage, webhook secret management, and related infrastructure services
Role: Processor

B. Description of the Processing

Subject Matter of Processing:

The processing relates to Authpipe’s provision of credential management services, including OAuth token brokering, API key storage, webhook secret management, and related platform features as described in the Agreement.

Duration of Processing:

The duration of the Agreement, plus any applicable data retention period as described in Section 8.

Nature of Processing:

Collection, recording, storage, retrieval, encryption, decryption (for authorized token use), organization, adaptation, transmission (to Customer’s application and to third-party providers for token refresh), restriction, erasure, and destruction.

Purpose of Processing:

Provisioning and operating the Authpipe platform for Customer
Managing OAuth authorization flows on behalf of Customer’s end users
Storing, encrypting, and refreshing OAuth access tokens and refresh tokens
Storing and retrieving API keys and webhook secrets configured by Customer
Monitoring connection health and token validity
Providing usage analytics and reporting to Customer
Performing token refresh operations as required by third-party providers
Providing customer support

Types of Personal Data:

OAuth access tokens and refresh tokens associated with Customer’s end users
API keys and webhook secrets configured by Customer
Connection metadata (provider type, authorization scopes, token expiration timestamps, refresh status)
Provider configuration data (OAuth application credentials, callback URLs, provider-specific settings)
End user identifiers (as may be contained within tokens or provider profile data returned during OAuth flows)
IP addresses (for rate limiting, security monitoring, and audit logging)
API request metadata (timestamps, endpoints called, response codes)
Account information (name, email address) of Customer’s authorized users

Categories of Data Subjects:

Customer’s authorized users (individuals with access to the Customer’s Authpipe account)
Customer’s end users (individuals who authorize OAuth connections through Customer’s applications using the Authpipe platform)

C. Competent Supervisory Authority

The competent Supervisory Authority shall be determined in accordance with Applicable Data Protection Law. For transfers subject to the GDPR, the Supervisory Authority shall be the Data Protection Commission of Ireland.

Annex 2: Technical and Organizational Security Measures

Authpipe implements and maintains the following technical and organizational security measures to protect Personal Data. These measures are reviewed and updated periodically to reflect evolving security best practices and threats.

1. Encryption

Encryption at rest: All Personal Data, including OAuth tokens, API keys, and webhook secrets, is encrypted at rest using AES-256-GCM encryption.
Per-tenant key isolation: Each Customer tenant has dedicated, isolated encryption keys. Customer data is never encrypted with shared keys across tenants.
HSM-backed key management: Encryption keys are managed using Hardware Security Module (HSM)-backed key management services. Encryption keys are never stored in plaintext and are not accessible to Authpipe personnel.
Encryption in transit: All data transmitted between Customer applications and the Authpipe platform, and between Authpipe and third-party providers, is encrypted using TLS 1.2 or higher.
Key rotation: Encryption keys are rotated on a regular schedule and can be rotated on demand in response to a security event.

2. Access Controls

Principle of least privilege: Access to systems containing Personal Data is granted on a need-to-know basis and follows the principle of least privilege.
Multi-factor authentication: Multi-factor authentication is required for all Authpipe personnel accessing production systems and administrative interfaces.
Role-based access control: Access to Personal Data is restricted through role-based access control (RBAC) at both the infrastructure and application levels.
Unique authentication: Each authorized user has unique credentials. Shared accounts are prohibited for access to systems containing Personal Data.
Tenant isolation: Customer data is logically isolated at the application and database levels. One Customer’s data is never accessible by another Customer.

3. Infrastructure Security

Cloud infrastructure: The Authpipe platform is hosted on Google Cloud Platform with data residency in the us-central1 region.
Network segmentation: Production networks are segmented from development and corporate networks. Firewalls and security groups restrict network traffic to authorized communications only.
DDoS protection: Distributed denial-of-service mitigation is deployed at the network edge.
Vulnerability management: Infrastructure and application components are regularly scanned for vulnerabilities. Critical and high-severity vulnerabilities are remediated in accordance with defined SLAs.
Patch management: Operating systems, runtime environments, and dependencies are kept up to date with security patches.

4. Application Security

Secure development lifecycle: Authpipe follows a secure software development lifecycle (SSDLC) that includes security reviews, code reviews, and automated static analysis.
Input validation: All inputs are validated and sanitized to protect against injection attacks, cross-site scripting, and other common web application vulnerabilities.
API security: API endpoints are authenticated and authorized. Rate limiting is enforced to prevent abuse.
Secrets management: Application secrets, database credentials, and internal API keys are stored in dedicated secrets management systems and are never committed to source code repositories.

5. Monitoring and Logging

Audit logging: Access to and actions on Personal Data are logged, including authentication events, API requests, token operations, and administrative actions.
Log protection: Audit logs are stored in tamper-evident, append-only storage. Logs are retained for a minimum of twelve (12) months.
Security monitoring: Automated monitoring and alerting systems detect anomalous activity, unauthorized access attempts, and potential security incidents.
Incident response: Authpipe maintains a documented incident response plan that defines roles, responsibilities, escalation procedures, and communication protocols.

6. Business Continuity and Disaster Recovery

Backups: Personal Data is backed up regularly. Backups are encrypted and stored in geographically separate locations.
Recovery testing: Backup restoration procedures are tested periodically to ensure data can be recovered within defined recovery time objectives.
Redundancy: Critical platform components are deployed with redundancy to minimize the impact of hardware or software failures.

7. Personnel Security

Background checks: Background checks are conducted on personnel with access to production systems, to the extent permitted by applicable law.
Confidentiality agreements: All personnel with access to Personal Data are bound by confidentiality obligations.
Security training: Personnel receive security awareness training upon onboarding and on a recurring basis thereafter.
Offboarding: Access credentials are revoked promptly upon termination of employment or engagement.

8. Vendor and Sub-Processor Management

Due diligence: Sub-Processors are evaluated for their security practices and data protection capabilities before engagement.
Contractual protections: Sub-Processors are bound by written agreements that impose data protection obligations no less protective than those in this DPA.
Ongoing monitoring: Sub-Processor compliance is monitored on an ongoing basis.
Sub-Processor list: The current list of Sub-Processors is maintained at /legal/sub-processors.

9. Physical Security

Data center security: Authpipe’s cloud infrastructure provider (Google Cloud Platform) maintains physical security controls at its data centers, including 24/7 security personnel, biometric access controls, video surveillance, and environmental controls. Details are available through Google Cloud’s security documentation and compliance reports.

10. Data Minimization and Retention

Data minimization: Authpipe processes only the Personal Data necessary to provide the Services.
Retention limits: Personal Data is retained only for the duration necessary to fulfill the purposes of processing or as required by applicable law. Upon termination of the Agreement, Personal Data is deleted in accordance with Section 8 of this DPA.
Secure disposal: When Personal Data is deleted, it is securely erased from production systems and, following the backup retention period, from backup systems.