Platform Policy
Data Processing Addendum
- Effective date: April 17, 2026
- Last updated: April 17, 2026
Summary
Scope and definitions
This Addendum governs Forge Metal's processing of Personal Data on behalf of the customer, in the context of the Terms of Service and any applicable order form. Terms not defined here have the meaning given in the Terms or in GDPR Art. 4.
"Customer Personal Data" means Personal Data contained in durable customer data, operational data, or other workload artifacts processed by Forge Metal on the customer's documented instructions. "Subprocessor" has the meaning in GDPR Art. 28(4) and includes each entity listed on the subprocessor page.
This Addendum applies to processing subject to the GDPR, UK GDPR, the Swiss FADP, and — as to the rights it confers on data subjects — the California CPRA and comparable U.S. state privacy laws.
Documented instructions
Forge Metal processes Customer Personal Data only on the customer's documented instructions, which are the Terms of Service, this Addendum, any order form, and the customer's use of the service's configured functionality (running workloads, configuring mailboxes, calling APIs). We will inform the customer if, in our opinion, a specific instruction infringes applicable data-protection law.
Personnel confidentiality
Personnel authorized by Forge Metal to process Customer Personal Data are bound by written confidentiality obligations that survive termination of their engagement.
Security of processing (Art. 32)
Forge Metal implements the technical and organizational measures described in the Security Overview, which are designed to ensure a level of security appropriate to the risk. Those measures include:
- Hardware-virtualized microVM isolation of tenant workloads.
- Per-tenant durable-storage separation, with encryption at rest where configured.
- TLS 1.3 for all inter-service and customer-facing traffic; short-lived bearer tokens validated against the identity provider's published key set.
- Defense-in-depth via a host firewall, an inline web application firewall at the edge reverse proxy, and per-service credential isolation.
- Comprehensive audit logging and distributed-tracing observability.
The customer is responsible for ensuring the availability of Customer Personal Data by maintaining their own backups; Forge Metal does not currently provide a backup product, per the Data Retention policy.
Subprocessors
The customer grants Forge Metal general authorization to engage the subprocessors listed at /policy/subprocessors. Each subprocessor is bound by a written agreement imposing data-protection obligations materially no less protective than those set out here.
Additions to the subprocessor list are announced with 30 days' prior notice to administrators. The customer may object to an addition within that window on reasonable data-protection grounds; if the parties cannot agree on a commercially reasonable alternative, either party may terminate the affected service.
International transfers
Where processing involves the transfer of Customer Personal Data out of the EEA, Switzerland, or the UK to a jurisdiction that is not the subject of an adequacy decision, the Standard Contractual Clauses in Commission Implementing Decision (EU) 2021/914 ("EU SCCs") apply and are hereby incorporated, with Forge Metal as importer and the customer as exporter:
- Module Two (controller to processor) where the customer is a controller.
- Module Three (processor to processor) where the customer is itself a processor.
For transfers out of the United Kingdom, the UK International Data Transfer Addendum (as issued by the ICO under Section 119A of the Data Protection Act 2018) applies. For transfers out of Switzerland, the Swiss FDPIC's SCC adaptation applies. The parties select the supervisory authority, governing law, and courts specified in Annex I.C and Clause 17 as the jurisdiction of the Forge Metal entity unless an order form specifies otherwise.
Assistance with data-subject requests
Taking into account the nature of the processing and the information available, Forge Metal provides reasonable assistance to the customer in fulfilling obligations under GDPR Articles 15–22. This assistance is built into the product: export functionality, deletion on request, audit trail access. Bespoke extraction beyond that functionality may be charged at cost.
Personal-data breach notification
Forge Metal notifies the customer without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data, in line with GDPR Art. 33(2). The notice will describe the nature of the breach, categories and approximate numbers of data subjects affected, likely consequences, and the measures taken or proposed to address it.
Return and deletion on termination
On termination of the underlying service, Customer Personal Data is handled per the Data Retention policy: export is available for 30 days; durable data is deleted 90 days after closure; billing records are retained for the statutory windows. Backups held by upstream subprocessors are cycled out in line with those subprocessors' DPAs.
Audit and information rights
Forge Metal makes available to the customer the information necessary to demonstrate compliance with GDPR Art. 28 and allows for and contributes to audits, including inspections, conducted by the customer or an auditor mandated by the customer. The primary method is the public documentation and audit artifacts we publish — including the Security Overview, the Record of Processing Activities, this Addendum, and any SOC 2 or ISO 27001 attestations we hold. On written request, we will provide additional reasonable information needed to meet an audit obligation.
Changes to this policy
Material changes take effect 30 days after they are announced by email to the administrators on each affected organization. The effective date at the top of this page is the date the current version took effect. Prior versions of all policies live at /policy/changelog, and every change is recorded there in commit-addressable form.
Policy identifier: dpa.
Contact
Questions and requests under this policy go to dpo@anveio.com. Security reports go to security@anveio.com and take precedence over routine policy correspondence. GDPR data-protection correspondence may be directed to dpo@anveio.com; abuse reports to abuse@anveio.com.