Data Processing Addendum
Effective date: [EFFECTIVE_DATE]. Processor: C2Consultants, LLC, registered at [COMPANY_ADDRESS]. Product: Binary Intelligence.
This page describes the operational data-processing posture. EU/EEA, UK, and Swiss customers, and any B2B customer that requires a signed DPA, will be issued one prior to first sale; that signed document supersedes this page.
1. Roles
The Customer is the Controller. C2 is the Processor. C2 processes Personal Data only on documented instructions from the Customer (this DPA and the EULA constitute the instructions).
2. Personal data processed
By design, Binary Intelligence is engineered to minimize Personal Data. The categories that may be processed in normal operation are:
- Account Personal Data: the email address used at checkout and (for billing) the Customer's billing address (collected by Stripe).
- Telemetry: anonymized error signatures, remediation outcomes, performance metrics. Excludes machine names, user identifiers, file contents, and other PII by design. See Privacy.
- Support Data: any information you submit through a support ticket, including the diagnostic bundle if you attach one (PII is redacted from the bundle by the client).
3. Subprocessors
C2 uses the following subprocessors in delivering the Software and the website services. Customers are notified at least 30 days before adding or replacing a subprocessor.
- Microsoft Azure (United States; regional storage configurable) — hosting for the Licensing Issuance API, customer portal, Mimir corpus, MSI hosting.
- Stripe, Inc. (United States) — payment processing, billing, tax compliance, customer portal for billing.
- Microsoft 365 / Microsoft Graph — transactional email delivery (activation emails, magic links, support replies).
An always-current subprocessor list is available on request at legal@binaryintelligence.ai.
4. International transfers
For Customers in the EEA, UK, or Switzerland, C2 relies on the EU Standard Contractual Clauses (and UK/Swiss addenda where applicable) for transfers to the United States. C2 will execute SCCs on request.
5. Security
C2 maintains a security program appropriate to the risk, including:
- HTTPS-only public surface with HSTS; TLS 1.2+ minimum.
- License envelopes signed in Azure Key Vault using RS256-PSS; private keys never leave the HSM.
- Activation keys stored only as
sha256(pepper || key). - Customer-portal cookies are HttpOnly + Secure + SameSite=Lax with server-side HMAC signing.
- Stripe webhook signatures verified on every event.
- Logging excludes activation keys, envelope JSON, and other secrets.
6. Sub-processor audits
Microsoft (Azure, M365) and Stripe maintain SOC 2 / ISO 27001 attestations; their attestation reports are available through their trust portals on request.
7. Data subject rights
C2 assists the Customer in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) without undue delay. The Customer is the primary point of contact for its end users; C2 acts on instructions from the Customer.
8. Personal data breach notification
C2 notifies the Customer without undue delay (and in any case within 72 hours of awareness) of a Personal Data breach affecting the Customer's data.
9. Retention and deletion
On termination of the subscription, C2 retains license-audit metadata (claim IDs, issuance/renewal/revocation events) for the period required to maintain the integrity of the licensing system (typically 7 years). Customer-account Personal Data (e.g. email address) is deleted within 30 days of a verified deletion request, except where retention is required by law.