Last updated April 27, 2026
1.1. This Data Processing Agreement (the “Data Processing Agreement”), published by Supernaut AI, UAB, a company registered in Lithuania at Gedimino g. 22A 14, 44319 Kaunas (trading as Supernaut), forms part of the Terms of Service between Supernaut and the Customer for the provision of the Supernaut Service and sets out the terms upon which Supernaut will process Relevant Personal Data on the Customer’s behalf when providing the Supernaut Service and acting as a data processor.
During the course of providing the Supernaut Service, Supernaut may process Relevant Personal Data that is subject to Data Protection Laws. By using the Supernaut Service or entering into an Agreement with Supernaut, the Customer appoints Supernaut to process such Relevant Personal Data in accordance with this Data Processing Agreement.
2.1. In this Data Processing Agreement the definitions and rules of interpretation set out in the Terms of Service apply and, save where the context requires otherwise, the following words and expressions have the following meaning:
3.1. Each party acknowledges and agrees that for the purposes of the Agreement and Data Protection Laws, the Customer shall be the controller and Supernaut the processor in respect of the Relevant Personal Data.
3.2. Each party confirms that in the performance of the Agreement it will comply with Data Protection Laws.
3.3. Supernaut shall only process the types of Relevant Personal Data relating to the categories of data subjects for the specific purposes in each case as set out in Annex 1 (Data Processing Information) to this Data Processing Agreement and shall not process the Relevant Personal Data other than in accordance with the Customer’s documented instructions (whether in the Agreement or otherwise) unless processing is required by applicable law to which Supernaut is subject, in which case Supernaut shall, to the extent permitted by such law, inform the Customer of that legal requirement before processing that Relevant Personal Data.
3.4. Supernaut shall inform the Customer if, in its opinion, an instruction it receives from the Customer pursuant to the Agreement infringes the GDPR.
3.5. Supernaut shall not, and shall ensure that no Sub-processor under its contract shall, use Relevant Personal Data, Customer source code, Customer prompts or completions, or any derivative thereof to train, fine-tune, or otherwise improve any general-purpose machine-learning model. This restriction applies to data held on Supernaut-controlled infrastructure and to any data Supernaut transmits to a Sub-processor for the provision of the Supernaut Service.
4.1. The Customer warrants that it has all necessary rights to provide the Relevant Personal Data to Supernaut for the processing to be performed in relation to the Supernaut Service.
5.1. Supernaut shall treat all Relevant Personal Data as confidential and shall use reasonable efforts to inform all its relevant employees, contractors and/or any Sub-processors engaged in processing the Relevant Personal Data of the confidential nature of such Relevant Personal Data.
5.2. Supernaut shall take reasonable steps to ensure the reliability of any employee, contractor and/or any Sub-processor who may have access to the Relevant Personal Data, ensuring in each case that access is limited to those persons or parties who need to access the Relevant Personal Data, as necessary for the purposes set out in paragraph 3.3 in the context of that person’s or party’s duties to Supernaut.
5.3. Supernaut shall ensure that all such persons or parties involved in the processing of Relevant Personal Data are subject to:
6.1. Supernaut shall implement the technical and organisational measures set out in Annex 2 (Security Measures) to this Data Processing Agreement and the Customer acknowledges that such measures ensure a level of security of the Relevant Personal Data appropriate to the risks that are presented by the processing.
7.1. The Customer hereby grants its general authorisation to the appointment of Sub-processors by Supernaut under the Agreement.
7.2. When Supernaut replaces any existing Sub-processor and/or appoints any new Sub-processor that will process Relevant Personal Data, Supernaut shall provide the Customer with at least 10 Business Days’ prior written notice (by email to the designated customer contact and by updating the public Sub-processors page). The Customer may object to the change within 30 days of receipt of such notice. Where the Customer reasonably objects on data-protection grounds and Supernaut is unable to make available a commercially reasonable alternative within a reasonable period, the Customer may terminate the affected portion of the Agreement for cause, with a pro-rata refund of any prepaid fees applicable to the period after termination.
7.3. The Customer’s sole remedy if it does not agree to the replacement or appointment of a Sub-processor shall be to terminate the Agreement.
7.4. With respect to each Sub-processor, Supernaut shall:
7.5. An up-to-date list of Supernaut’s Sub-processors is maintained at https://supernaut.dev/legal/subprocessors and may be updated from time to time in accordance with this Data Processing Agreement.
8.1. Supernaut shall refer all Data Subject Requests it receives to the Customer without undue delay and, in any event, within 2 Business Days. The Supernaut Service will enable the Customer to access, rectify and restrict processing of the Relevant Personal Data, and to erase and export the Relevant Personal Data.
8.2. In the event that the Customer cannot fulfil any Data Subject Request itself using the means described in paragraph 8.1, Supernaut shall co-operate as reasonably requested by the Customer to enable the Customer to comply with any such request.
9.1. In the case of a Personal Data Breach, Supernaut shall, not later than 72 hours after having become aware of it, notify the Personal Data Breach to the Customer, providing the Customer with sufficient information to allow the Customer to meet any obligations to report a Personal Data Breach under Data Protection Laws.
10.1. Supernaut shall, at the Customer’s request, provide reasonable assistance to the Customer with any data protection impact assessments which are required under applicable Data Protection Laws and with any prior consultations to any Supervisory Authority of the Customer or any of its affiliates which are required under Data Protection Laws, in each case in relation to processing of Relevant Personal Data by Supernaut on behalf of the Customer and taking into account the nature of the processing and information available to Supernaut.
11.1. On cessation of processing of Relevant Personal Data by Supernaut, or termination of the Agreement, Supernaut shall permit Customer (at its option) to:
11.2. If the Customer fails to exercise its rights under paragraphs 11.1.1 and 11.1.2 above, Supernaut shall delete Relevant Personal Data from production systems (and procure that any Sub-processor does the same) within 30 days following the termination of the Agreement, and shall ensure expiry of Relevant Personal Data from backup systems within 90 days following the termination of the Agreement, in each case unless required to retain such data in order to comply with applicable laws.
11.3. Upon Customer’s written request, Supernaut shall provide written certification of deletion of Relevant Personal Data in accordance with paragraph 11.2.
12.1. Supernaut shall make available to the Customer on request all information reasonably necessary to demonstrate compliance with this Data Processing Agreement and Data Protection Laws and allow for and contribute to audits in accordance with Supernaut’s or its Sub-processors’ policies in place from time to time.
12.2. Prior to conducting any audit pursuant to paragraph 12.1, the Customer must submit an audit request to Supernaut and the Customer and Supernaut must agree the start date, scope and duration of and security and confidentiality controls applicable to any such audit.
12.3. Supernaut may (acting reasonably) object to the appointment by the Customer of an independent auditor to carry out an audit pursuant to paragraph 12.1 and, where this is the case, the Customer shall be required to appoint another auditor or conduct the audit itself.
13.1. In the event that a transfer of Relevant Personal Data to Supernaut or any Sub-processor is reasonably considered to involve a transfer of Relevant Personal Data outside of the UK and/or the EEA to a country which is not recognised by the UK ICO or the European Commission (as the case may be) as having an adequate level of protection for personal data, Supernaut shall use reasonable endeavours to enter into Standard Contractual Clauses with the relevant Sub-processor for such transfer of Relevant Personal Data.
13.2. Where Relevant Personal Data is subject to UK data-protection law, the parties shall rely on the UK ICO’s International Data Transfer Addendum to the EU Standard Contractual Clauses (or, where appropriate, the UK International Data Transfer Agreement) to govern the relevant transfer. Where Relevant Personal Data is subject to Swiss data-protection law, the parties shall rely on the Standard Contractual Clauses as adapted by the Swiss Federal Data Protection and Information Commissioner.
14.1. The Customer shall pay any reasonable costs and expenses incurred by Supernaut in meeting the Customer’s requests made under paragraphs 8, 10 and 12 of this Data Processing Agreement.
For the avoidance of doubt, each party’s liability, taken together in the aggregate, arising out of or related to this Data Processing Agreement, whether in contract, tort or under any other theory of liability, is subject to the limitations and exclusions of liability contained within the Terms of Service, and any reference to the liability of a party means the aggregate liability of that party under the Agreement (including under this Data Processing Agreement) collectively.
16.1. Any obligation imposed on Supernaut under the Agreement in relation to the processing of Relevant Personal Data shall survive any termination or expiration of the Agreement.
16.2. In the event of inconsistencies between any provision of this Data Processing Agreement and the remainder of the Agreement, the provision of this Data Processing Agreement shall prevail with regard to the parties’ obligations relating to the processing of the Relevant Personal Data.
This Annex 1 includes certain details of the processing of Relevant Personal Data as required by Article 28(3) GDPR.
| Item | Details |
|---|---|
| Subject matter, nature and purposes of the processing | Processing for the purposes of provision of the Supernaut Service and any technical support in connection with the Customer’s use of the services. |
| Duration of the processing | The duration of the Agreement. |
| Type of personal data | Personal data Customer processes using the Supernaut Service intentionally or inadvertently. |
| Categories of data subjects | Customers (if applicable) and Customers’ Users. |
As from the Commencement Date, Supernaut will implement and maintain the security measures set out in this Annex 2 to this Data Processing Agreement. Supernaut may update or modify such security measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Supernaut Service.
Supernaut utilizes services that supply the infrastructure (data centres, servers and similar) used to provide the Supernaut Service. A full list of such services is available on Supernaut’s Sub-processors page on the Website: https://supernaut.dev/legal/subprocessors.
2.1. Intrusion Detection. Intrusion detection is intended to provide insight into ongoing attack activities and provide adequate information to respond to incidents. Supernaut’s intrusion detection involves:
2.2. Incident Response. Supernaut monitors a variety of communication channels for security incidents, and Supernaut’s security personnel will react promptly to known incidents.
2.3. Transit Encryption Technologies. Supernaut makes HTTPS encryption (also referred to as SSL or TLS connection) available. Supernaut servers support ephemeral elliptic curve Diffie-Hellman cryptographic key exchange signed with RSA and ECDSA. These perfect forward secrecy (PFS) methods help protect traffic and minimize the impact of a compromised key, or a cryptographic breakthrough.
2.4. Audit. Supernaut has infrastructure, network and application audit logging for compliance and security monitoring.
2.5. Secure Coding. Code changes are reviewed via merge request before deployment; self-merging is disabled. Continuous integration runs lint and static analysis checks on each change.
2.6. Scans. GitLab automated dependency scanning runs on each change. Findings are triaged by Supernaut’s engineering leadership and remediated according to severity. Container image scanning and third-party penetration testing are not currently performed.
3.1. Business Continuity. Customer data is stored on managed infrastructure providers (Neon for relational data; Cloudflare R2 for object storage; Turbopuffer for vector data) which provide continuous backups and provider-managed redundancy as standard. Supernaut does not currently maintain a separately documented and independently tested business-continuity / disaster-recovery plan beyond the resilience guarantees of these underlying providers.
4.1. Data Storage, Isolation & Authentication. Supernaut stores data in a multi-tenant environment hosted in the European Union. Application hosting is provided by Railway in the Netherlands; the primary database (Neon), the vector store (Turbopuffer), and the sandbox execution environment (Modal) operate in EU regions. The current list of infrastructure Sub-processors and their processing locations is maintained at https://supernaut.dev/legal/subprocessors.
Supernaut logically isolates data on a per Customer basis at the application layer. Supernaut logically separates each Customer’s data from the data of other Customers, and data for an authenticated User will not be displayed to another User (unless both Users have access to the same Customer Account).
A central authentication system is used across all services to increase uniform security of data. Customer will be given control over specific data sharing policies. Those policies, in accordance with the functionality of the Supernaut Service, will enable Customer to determine the product sharing settings applicable to Users for specific purposes. Customer may choose to make use of certain logging capability that Supernaut may make available via the Supernaut Service, products and APIs.
4.2. Encryption. All persistent Customer data is encrypted at rest using AES-256 (or equivalent industry-standard cipher) by the relevant infrastructure provider, including database storage, object storage, and vector storage. Backups are encrypted to the same standard. Sandbox execution environments (Modal) are ephemeral and do not retain Customer data after task completion.
4.3. Backups & Redundancy. Backups are created continuously and incrementally to allow recovery from a failure. The backups are stored on object storage for high availability.
All Supernaut personnel are bound by written confidentiality and non-disclosure obligations as a condition of engagement. Internal security guidelines covering confidentiality, business ethics, appropriate usage, and professional standards are documented and shared with personnel as part of onboarding. Personnel must acknowledge receipt of, and compliance with, Supernaut’s confidentiality and privacy policies. Supernaut does not currently perform formal background checks or run formal security training programmes.
Before onboarding Sub-processors, Supernaut conducts an audit of the security and privacy practices of Sub-processors to ensure Sub-processors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide.