Data Processing Agreement
This DPA describes how PlatCo GmbH (Canyon) processes personal data on behalf of customers in accordance with Article 28 of the GDPR. It applies in addition to your Master Services Agreement with PlatCo GmbH.
A full signable DPA is available on request and will be the binding document for commercial engagements. Email dpa@canyon.tech for a copy.
1. Subject matter
The subject matter is the provision of the Canyon platform as deployed into customer-controlled infrastructure. Canyon does not store or move customer enterprise data. Queries run in place against customer data sources.
2. Roles
The customer is the data controller. PlatCo GmbH is the data processor.
3. Categories of data and data subjects
Depending on the customer configuration, personal data processed may include employee identifiers, customer identifiers, usage events and associated metadata. Data subjects are the customer's employees, contractors, customers and partners.
4. Sub processors
Canyon uses a minimal set of sub processors for the control plane and authentication. A current list is maintained at canyon.tech/legal/subprocessors (coming soon) and customers are notified of changes with a right to object.
5. Security measures
Canyon applies technical and organizational measures in line with ISO 27001 and SOC 2. These measures include encryption in transit (TLS 1.3) and at rest (AES 256); SSO, RBAC and ABAC enforced at the data layer; immutable audit trails; and code scanning with Semgrep, GitLeaks, Trivy, Tenable and Syft.
6. International transfers
By default, personal data stays within the EEA. Any transfers outside the EEA are protected by Standard Contractual Clauses or an adequacy decision.
7. Audits and subject requests
Canyon assists customers in responding to data subject requests and supports reasonable audits in line with GDPR Article 28(3)(h).