Skip to main content
← Back to Home

Data Processing Agreement

Last updated: March 31, 2026

1. Definitions

  • "Controller" means the Customer, who determines the purposes and means of processing personal data.
  • "Processor" means Sovereign Matrix (Pty) Ltd, which processes personal data on behalf of the Controller.
  • "Data Subject" means any identified or identifiable natural person whose personal data is processed under this Agreement.
  • "Personal Data" means any information relating to a Data Subject, including names, email addresses, IP addresses, and any other data defined as personal data under applicable law.
  • "Processing" means any operation performed on personal data, including collection, storage, use, transmission, and deletion.

2. Scope

This Data Processing Agreement ("DPA") applies to all processing of personal data by Sovereign Matrix on behalf of the Customer in connection with the Customer's use of the Sovereign Matrix platform and related services. This DPA supplements and forms part of the main service agreement between the parties.

3. Processing Details

3.1 Categories of Data

  • Contact information (names, email addresses, phone numbers)
  • Business data (company names, job titles, organizational information)
  • AI-generated content (text, images, code, voice outputs produced by agents)
  • Usage data (agent interactions, feature usage, performance metrics)

3.2 Purpose of Processing

Personal data is processed solely for the purpose of providing the Sovereign Matrix platform services, including AI agent execution, workflow automation, analytics, billing, and customer support.

3.3 Duration

Processing shall continue for the duration of the service agreement between the Controller and Processor, and for such additional period as may be required by applicable law for data retention.

4. Obligations of the Processor

Sovereign Matrix, as Processor, shall:

  • 4.1Process personal data only on documented instructions from the Controller, unless required by applicable law.
  • 4.2Ensure that all persons authorized to process personal data are bound by appropriate obligations of confidentiality.
  • 4.3Implement appropriate technical and organizational security measures, including encryption in transit (TLS 1.3), encryption at rest (AES-256 for API keys), role-based access control, and audit logging.
  • 4.4Assist the Controller in fulfilling data subject requests (access, rectification, erasure, portability, and objection) within 30 days of receipt.
  • 4.5Delete or return all personal data to the Controller upon termination of the service agreement, unless retention is required by applicable law. Deletion shall be completed within 30 days.

5. Sub-processors

The Controller authorizes the Processor to engage the following sub-processors. The Processor shall notify the Controller at least 30 days in advance of any intended changes to this list.

Sub-processorPurposeLocation
NVIDIAAI model inference (NIM, NeMo Guardrails, embeddings)USA
Google (Gemini)AI model inference, embeddingsUSA
Anthropic (Claude)AI model inference, computer useUSA
ClerkAuthentication and user managementUSA
NeonPostgreSQL database hostingUSA
VercelApplication hosting, CDN, edge functionsGlobal
ResendTransactional email deliveryUSA

6. International Data Transfers

Where personal data is transferred outside of the Controller's jurisdiction, the Processor shall ensure appropriate safeguards are in place in accordance with applicable data protection law. For transfers from the European Economic Area, United Kingdom, or South Africa, the parties shall rely on Standard Contractual Clauses (SCCs) as approved by the European Commission, or such other mechanism as may be recognized as providing adequate protection under applicable law.

7. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a personal data breach. The notification shall include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to mitigate the breach.

8. Contact

For questions regarding this Data Processing Agreement or to exercise data protection rights, contact the Processor's designated privacy contact:

Sovereign Matrix (Pty) Ltd

Email: privacy@sovereignmatrix.agency

Privacy Policy | Security | SLA | Home