Data Processing Agreement

Last updated: March 2026

1. Parties

This Data Processing Agreement (“DPA”) is entered into between:

  • Data Processor: Catalyst Neuromorphic Ltd, Company No. 17054540, 71-75 Shelton Street, London WC2H 9JQ, United Kingdom.
  • Data Controller: The customer entity identified in the associated service agreement.

This DPA supplements the Terms of Service and governs the processing of personal data by the Processor on behalf of the Controller when using Catalyst Cloud services.

2. Scope of Processing

Subject matter: Provision of neuromorphic cloud simulation services.

Duration: For the term of the service agreement plus any retention period.

Categories of data subjects: Customer’s employees, contractors, and end users.

Types of personal data: Email addresses, IP addresses, usage logs, API access records. Neural network definitions and simulation data are treated as confidential business data, not personal data, unless the Controller specifies otherwise.

Nature and purpose: Authentication, billing, compute execution, usage tracking, support.

3. Processor Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller.
  • Ensure that persons authorised to process personal data have committed themselves to confidentiality.
  • Implement appropriate technical and organisational measures (encryption at rest and in transit, access controls, audit logging).
  • Not engage another processor without prior written authorisation from the Controller.
  • Assist the Controller in responding to data subject access requests.
  • Delete or return all personal data at the end of the service agreement, at the Controller’s choice.
  • Make available to the Controller all information necessary to demonstrate compliance.

4. Sub-processors

Current sub-processors:

  • Fly.io — Application hosting (London, UK)
  • Amazon Web Services — Object storage, FPGA compute (us-east-1)
  • Cloudflare — CDN, DNS, DDoS protection (global)
  • Stripe — Payment processing (USA)
  • Resend — Transactional email (USA)

The Controller will be notified at least 30 days before any new sub-processor is engaged.

5. International Transfers

Where personal data is transferred outside the UK or EEA (e.g. to US-based sub-processors), the Processor ensures appropriate safeguards are in place, including the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs) as applicable.

6. Data Breach Notification

The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach. Notification shall include the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed.

7. Contact

To execute this DPA or for data protection enquiries:

[email protected]