Terms of Service – Gjallarhorn Behavioral Observability Platform

10. Exclusions

• AI classifier degradation: Degradation of the Layer 3 (LLM) classifier to Layer 1-only operation due to third-party API unavailability (Infomaniak / Mistral). L1 detection continues to operate normally during such periods. Service credits do not apply when L1 remains available, regardless of L3 status. The ai_classification_used field in scan responses indicates whether L3 was active for any given scan.

Status: Live Effective Date: March 30, 2026 Governing Law: Swiss Law (Canton of Aargau) Jurisdiction: Courts of Aarau (Bezirksgericht Aarau), Canton of Aargau, Switzerland

1. Service Overview

1.1 Service Description

Gjallarhorn is an API-first behavioral observability and compliance audit platform that enables companies to monitor, log, and analyze the decisions and actions of AI agents they operate or deploy. Gjallarhorn is provided as a Software-as-a-Service (SaaS) API; it is not a turnkey compliance solution, but a tool to support compliance and operational visibility.

1.2 Service Tiers

Gjallarhorn is offered under three service tiers:

Full pricing details, rate limits, and top-up rates: see docs/PRICING.md.

1.3 Eligibility

You may use Gjallarhorn only if:

• You are a legal entity (company, partnership, non-profit, or government agency) OR an individual developer (Developer tier only)
• You are at least 18 years old (or meet the legal age of majority in your jurisdiction)
• You are not restricted by law, sanctions, or criminal conviction from using software services
• You have read and agree to these Terms of Service

1.4 Free Tier Compliance Disclaimer

The Developer (free) tier is designed for evaluation and development purposes only. It is not suitable for regulatory compliance purposes. EU AI Act Article 12 compliance requires a minimum 6-month audit trail, which is available on paid tiers (Tool Supplier and Enterprise) only. If your use case requires compliance documentation or regulatory audit trail retention, you must upgrade to a paid tier.

2. Account and Registration

2.1 Account Creation

To use Gjallarhorn, you must create an account by providing:

• Email address
• Password (or OAuth/SSO credentials)
• Organization name (if registering as a company)
• Billing address (for paid tiers)

You are responsible for maintaining the confidentiality of your password and API keys. You agree to notify us immediately of any unauthorized access.

2.2 Account Security

• You must use a strong, unique password
• You must enable multi-factor authentication (MFA) if offered
• You are liable for any activity on your account, whether authorized or not
• If you suspect unauthorized access, contact support immediately

2.3 Account Termination

You may terminate your account at any time by requesting deletion via your account dashboard. We will delete your data within 30 days (see Section 13 for data deletion terms).

We may suspend or terminate your account if:

• You violate these Terms of Service
• You engage in fraud, abuse, or illegal activity
• You fail to pay invoices for 30 days after due date
• Your use violates applicable law or infringes third-party rights

We will provide 30 days' notice of termination unless immediate suspension is necessary for security or legal compliance.

3. Acceptable Use Policy

3.1 Permitted Uses

You may use Gjallarhorn to:

• Monitor and log the behavior of AI agents you operate or deploy
• Analyze agent decision patterns for optimization and debugging
• Generate audit trails and compliance documentation
• Aggregate behavioral data to identify trends or anomalies across your agent fleet
• Export logs and telemetry for further analysis in your own systems

3.2 Prohibited Uses

You must NOT use Gjallarhorn to:

1. Surveillance of Individuals: Use behavioral telemetry to track, monitor, or surveil natural persons without their explicit, informed consent. This includes:

   • Creating permanent behavioral profiles of individuals based on agent telemetry
   • Sharing agent telemetry with third parties for the purpose of individual tracking
   • Using telemetry to infer sensitive personal characteristics (religion, sexual orientation, political views, health status)

2. Individual Profiling: Build or maintain datasets designed to classify, discriminate against, or make decisions about specific natural persons based on agent behavioral data, unless:

   • You have a lawful basis (e.g., explicit consent, contractual necessity)
   • You provide transparency and opt-out mechanisms
   • You comply with GDPR, nDSG, and applicable AI regulations

3. Deception:

   • Misrepresent the purpose of behavioral monitoring to data subjects
   • Use telemetry to manipulate, deceive, or coerce individuals
   • Hide or obscure the involvement of AI agents in decisions affecting natural persons

4. Illegal Activity:

   • Use Gjallarhorn to facilitate fraud, identity theft, or financial crime
   • Circumvent authentication, access controls, or encryption mechanisms
   • Violate intellectual property rights, defamation laws, or other legal rights

5. Abuse and Exploitation:

   • Launch denial-of-service (DoS) attacks or attempt to disrupt service
   • Probe for security vulnerabilities without written permission (unauthorized penetration testing)
   • Reverse-engineer or attempt to extract Gjallarhorn source code or proprietary algorithms
   • Scrape or bulk-export other users' data without authorization

6. Harmful Content:

   • Submit data containing child sexual abuse material (CSAM)
   • Transmit malware, viruses, or malicious scripts
   • Store hateful, violent, or harassing content intended to target individuals or groups

7. Regulatory Violation:

   • Use Gjallarhorn in a manner that violates the EU AI Act, GDPR, nDSG, or other applicable data protection or AI governance regulations
   • Circumvent audit, transparency, or documentation requirements

3.3 Enforcement

If we become aware of violations, we will:

1. First Notice: Notify you of the violation and request remediation within 7 days
2. Suspension: If not remedied, suspend your account pending investigation
3. Termination: Terminate your account and delete your data if violations are severe, repeated, or involve illegal activity

We may report suspected illegal activity to law enforcement.

3.4 Your Responsibility

You are solely responsible for ensuring your use of Gjallarhorn complies with applicable law. This includes:

• Obtaining necessary consent from data subjects before collecting or processing their data via agents
• Ensuring agents operated by you comply with GDPR, nDSG, AI Act, and sector-specific regulations
• Maintaining accurate records of data processing purposes and legal bases
• Notifying individuals of the involvement of AI agents in decisions affecting them

4. Data Controller and Processor Roles

4.1 Customer as Data Controller

When you use Gjallarhorn to monitor agents, you are the data controller with respect to any personal data those agents process or that is included in behavioral telemetry you send to Gjallarhorn. You are responsible for:

• Determining the legal basis for processing personal data through your agents
• Obtaining necessary consent or authorization from data subjects
• Documenting your processing activities and purposes
• Ensuring compliance with GDPR Articles 5–11 (data protection principles)
• Responding to data subject rights requests (access, erasure, portability, objection)
• Notifying supervisory authorities in case of data breaches

4.2 Gjallarhorn as Data Processor

Gjallarhorn processes agent telemetry and related data on your behalf, acting as a data processor. Gjallarhorn will:

• Process data only on your documented instructions
• Maintain confidentiality and security of your data
• Provide reasonable technical and organizational measures (see DPA and Privacy Policy)
• Comply with GDPR Article 28 obligations (including sub-processor management, data subject rights support, and audit cooperation)
• Delete your data upon termination (unless retention is required by law)

A detailed Data Processing Agreement (DPA) is provided as Appendix A for enterprise customers and any customer processing EU personal data. This DPA may be incorporated into a separate agreement or this Terms of Service by reference.

4.3 Data Ownership

• You own all data you upload to Gjallarhorn (agent telemetry, customer data, configuration). You grant Gjallarhorn a license to process, store, and display this data within your account for the purposes of service delivery.
• Gjallarhorn owns the Gjallarhorn platform, including software, algorithms, user interface, and accumulated operational data (in anonymized, aggregated form).
• You may not claim ownership over or license Gjallarhorn platform features to third parties.

5. Intellectual Property

5.1 Gjallarhorn Platform

All intellectual property rights in the Gjallarhorn platform (software, documentation, API specification, user interface, algorithms, database schema) are owned by Gjallarhorn and protected by copyright, trademark, and trade secret law.

You receive a limited, non-exclusive, non-transferable license to use the Gjallarhorn platform solely to monitor your own AI agents in accordance with these Terms of Service.

5.2 Open-Core SDK

Gjallarhorn provides open-source SDK components under the MIT License. You may use, modify, and distribute these components in accordance with the MIT License terms.

MIT License permissions:

• Use for commercial and private purposes
• Modify and distribute freely
• Include proper attribution to Gjallarhorn

MIT License requirements:

• Include the original license and copyright notice in any distribution
• Provide a copy of the MIT License with any derivative work

5.3 Your Data and Agents

You retain all ownership rights in:

• Agent code, configurations, and instruction sets
• Agent telemetry and operational logs (subject to Gjallarhorn' right to process them as data processor)
• Feedback, suggestions, and feature requests you provide

By submitting feedback, you grant Gjallarhorn a royalty-free, worldwide, perpetual license to use it for product improvement.

5.4 Third-Party Content

Gjallarhorn may include third-party libraries, APIs, or services. These are licensed under their respective terms (e.g., Apache 2.0, MIT, GPL). See /legal/THIRD_PARTY_LICENSES for details.

6. Compliance Responsibility

6.1 Your Compliance Obligation

Gjallarhorn is a tool for supporting compliance and observability; it is not a compliance guarantee.

You are solely responsible for ensuring your use of AI agents complies with applicable law, including:

• GDPR (EU Regulation 2016/679): Articles 5–11 (data protection principles), Article 13–14 (transparency), Article 21–22 (automated decision-making)
• Swiss nDSG (Federal Data Protection Act): Articles 6–7 (lawfulness, transparency)
• EU AI Act (Regulation 2024/1689): Articles 3–7 (prohibited AI practices), Article 12 (documentation and record-keeping)
• Sector-specific laws: E.g., HIPAA (healthcare), GDPR+LGPD (Brazil), regional consumer protection laws

6.2 Gjallarhorn's Role

Gjallarhorn supports compliance by providing:

• Detailed behavioral telemetry for 6+ months (enabling AI Act Article 12 compliance)
• API access to export logs and generate audit trails
• Data retention flexibility (up to 24 months)
• Documentation of processing (assist with data processing agreements, privacy notices)

Gjallarhorn does NOT:

• Automatically ensure your agents meet legal standards
• Perform conformity assessments or audits on your behalf
• Certify compliance with GDPR, AI Act, or other regulations
• Assume liability for your compliance failures

6.3 Customer Due Diligence

Before deploying agents in regulated sectors (healthcare, finance, employment, criminal justice), you must:

• Conduct a Data Protection Impact Assessment (DPIA) under GDPR Article 35
• Complete a conformity assessment under EU AI Act Article 5
• Document your processing activities and legal basis
• Implement transparency and opt-out mechanisms where required
• Notify individuals when AI agents are involved in decisions affecting them

6.4 Optional Scan Content Retention

For paid tiers (Professional, Business, Enterprise), you may optionally request that Gjallarhorn retain the raw scan content alongside the scan result by setting retain_content: true in the scan request body. Red-team tier scans have content retention enabled by default.

When content retention is active:

• The raw scan payload is stored in scan_results.scan_content for 90 days, after which it is automatically purged.
• Retained content is used solely for detection model improvement purposes (see §4.2).
• You may request immediate deletion of retained content via the erasure endpoint (DELETE /v1/agents/{agent_id}/erasure), which will trigger a full tombstone and crypto-erasure of all associated records.
• You remain the Data Controller for any personal data contained in the scan content (see §4.1).

The Developer (free) tier may not use retain_content=true. Requests with this flag set on the free tier will be processed normally but content will not be stored.

7. Service Scope and Limitations

The Gjallarhorn injection scanner is a heuristic first-layer detection tool, not a comprehensive security guarantee. It detects common prompt injection patterns using string and rule-based matching. It cannot detect — and makes no representation about detecting — all prompt injection techniques, including but not limited to: Unicode lookalike substitutions, whitespace insertion attacks, base64-encoded payloads, semantic injection, or multi-step chained attacks.

Gjallarhorn is designed to reduce risk, not eliminate it. Do not rely on Gjallarhorn as your sole security control for AI agent deployments.

Gjallarhorn does not warrant that:

• All prompt injection attempts will be detected or blocked
• The instruction monitor will identify all instances of instruction forgetting or behavioural drift
• Use of Gjallarhorn constitutes compliance with any regulatory framework
• Scan results are free from false positives or false negatives

Any language in documentation or marketing materials describing the platform as providing "protection" refers to a layer of risk reduction, not a guarantee of security.

8. Regulatory Compliance Disclaimer (EU AI Act)

Gjallarhorn is a technical observability and monitoring tool. It is not a conformity assessment body and does not provide certified compliance with the EU AI Act or any other regulatory framework.

Use of Gjallarhorn may assist you in producing evidence and audit trails relevant to your own conformity assessment obligations, but:

• Gjallarhorn makes no representation that use of its services satisfies your obligations under EU AI Act, GDPR, nDSG, or any sectoral regulation
• You remain responsible for your own conformity assessment, technical documentation, and regulatory filings under EU AI Act Article 11 and Article 43
• Gjallarhorn has conducted an internal analysis concluding that it operates as general-purpose observability tooling and does not fall within the EU AI Act Annex III high-risk system categories; however, this analysis has not been independently verified and you should obtain your own legal advice on this question as it relates to your use case

9. Intellectual Property — LLM-Generated Outputs

When you submit a system prompt for instruction extraction, Gjallarhorn transmits it to a third-party LLM inference service (Infomaniak SA, Switzerland) and returns structured rule artifacts derived from your input.

All extracted rules, structured outputs, and other LLM-generated artifacts derived from your system prompt are your property. Gjallarhorn claims no intellectual property rights over outputs generated from your input data, regardless of the legal uncertainty surrounding AI-generated content in any jurisdiction.

Gjallarhorn retains a non-exclusive, royalty-free licence to store and process these artifacts solely for the purpose of providing the contracted service to you. This licence terminates upon account deletion or erasure request.

10. Service Levels and Availability

10.1 Uptime Commitment

10.2 Uptime Measurement

Uptime is measured by Gjallarhorn's ability to respond to API health check requests (HTTP 200 from /health endpoint) from multiple geographic locations. Planned maintenance windows are excluded (announced 7 days in advance).

10.3 Maintenance Windows

Gjallarhorn may perform maintenance during scheduled windows (typically Sundays 02:00–04:00 UTC). Critical security updates may be deployed with 24 hours' notice.

10.4 Service Credits

If actual uptime falls below the SLA for Tool Supplier or Enterprise tiers, you are eligible for service credits:

• 99.0%–98.0% uptime: 5% monthly credit
• 98.0%–95.0% uptime: 10% monthly credit
• <95.0% uptime: 25% monthly credit + option to terminate without penalty

Credits are applied to your next invoice; they do not constitute a refund. Credits are your sole remedy for uptime failures.

10.5 Exclusions

Gjallarhorn is not liable for downtime caused by:

• Your network or device failure
• Third-party services (DNS providers, CDNs, payment processors)
• Distributed denial-of-service (DDoS) attacks or security incidents beyond Gjallarhorn's reasonable control
• Force majeure (natural disasters, war, pandemics)
• Your misconfiguration or misuse of the API

10.6 Performance

Gjallarhorn aims to maintain:

• API latency: <500ms median response time (p95: <2s) under normal load
• Log ingestion: Behavioral telemetry available for querying within 60 seconds of submission
• Concurrent connections: Support for 1,000+ concurrent API clients per enterprise account

Performance is subject to network conditions, API usage rates, and data volume. Excessive usage may incur rate limiting (see Section 16.8).

10.7 Rate Limiting

To protect platform stability, Gjallarhorn enforces API rate limits:

Rate-limited requests receive HTTP 429 responses. Retry with exponential backoff (recommended: 2s, 4s, 8s).

10.8 No Guaranteed Data Recovery

Gjallarhorn maintains regular backups; however, we do not guarantee recovery of deleted or corrupted data. You are responsible for maintaining your own backups if data loss would be catastrophic.

11. Limitation of Liability

11.1 Disclaimer of Warranties

GJALLARHORN IS PROVIDED "AS-IS" AND "AS-AVAILABLE." EXCEPT AS EXPRESSLY STATED IN THIS AGREEMENT, GJALLARHORN DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING:

• MERCHANTABILITY (fitness for a particular purpose)
• NON-INFRINGEMENT (that the service does not violate third-party rights)
• TITLE (ownership and valid transfer of rights)
• AVAILABILITY, ACCURACY, RELIABILITY, COMPLETENESS

11.2 Limitations on Liability

TO THE MAXIMUM EXTENT PERMITTED BY SWISS LAW, IN NO EVENT SHALL GJALLARHORN BE LIABLE FOR:

1. Indirect or Consequential Damages: Lost profits, lost revenue, lost data, lost opportunity, diminished goodwill, business interruption, or any indirect, incidental, consequential, or punitive damage, even if advised of the possibility

2. Direct Damages Cap: In no case shall Gjallarhorn's total liability under this Agreement exceed:

   • Free tier: CHF 0 (no liability)
   • Paid tiers: The amount you paid for Gjallarhorn in the 12 months preceding the claim (or CHF 500, whichever is greater)

3. Exceptions to Cap:

   • Claims for bodily injury or death (capped at CHF 1,000,000 per incident)
   • Your indemnification obligations (Section 14)
   • Either party's gross negligence or intentional misconduct
   • Breaches of confidentiality (Section 15)

11.3 Basis of the Bargain

You acknowledge that the fees charged for Gjallarhorn reflect the allocation of risk in this Section 17. If Gjallarhorn liability were unlimited, costs would be prohibitively higher.

11.4 Assumption of Risk

You assume all risk of loss, damage, or interruption resulting from your use of Gjallarhorn. You are responsible for implementing your own disaster recovery, backup, and business continuity measures.

12. Intellectual Property Indemnification

12.1 Gjallarhorn Indemnification

Gjallarhorn will defend you against third-party claims that the Gjallarhorn platform, as used in accordance with these Terms, infringes a U.S. or EU copyright, trademark, or trade secret, provided you:

• Notify Gjallarhorn promptly of the claim
• Grant Gjallarhorn sole control of defense and settlement
• Cooperate reasonably in the defense

12.2 Remedies

If the Gjallarhorn platform is enjoined or you determine it is infringing, Gjallarhorn may at its option:

• Obtain the right for you to continue using it
• Replace or modify it to make it non-infringing
• Terminate your account and refund fees paid for the remainder of the term

Gjallarhorn has no liability if the infringement claim arises from:

• Your modification of the platform
• Your combination of the platform with third-party services
• Your use of the platform in a manner not authorized by this Agreement

12.3 Your Indemnification

You will defend Gjallarhorn against third-party claims arising from:

• Your agent code, data, or content
• Your use of Gjallarhorn in violation of this Agreement
• Your violation of applicable law

13. Data Deletion and Termination

13.1 Upon Your Termination

If you terminate your account or subscription, Gjallarhorn will:

1. Cease processing new data submissions within 48 hours
2. Retain your data for 30 days (to allow you to export or retrieve it)
3. Delete all data at the end of the 30-day period, unless:
   • You have paid invoices due, in which case we may retain data for debt collection
   • A legal hold or regulatory requirement mandates retention (e.g., tax records for 7 years)
   • You request longer retention and agree to extended storage fees

13.2 Upon Gjallarhorn Termination

If Gjallarhorn terminates your account due to violation of these Terms or non-payment:

1. We will provide 30 days' notice (except for severe violations or illegal activity, which may result in immediate suspension)
2. You may export your data during the notice period
3. At termination, your data will be securely deleted unless a legal hold applies

13.3 Export and Portability

You may request export of your agent telemetry and account data at any time via:

• API: Bulk download endpoint (if available)
• Support request: Contact support@gjallarhorn.watch for manual export

Exports are provided in standard formats (JSON, CSV) within 15 days of request.

13.4 Secure Deletion

Deleted data is securely erased using cryptographic overwriting (AES-256 or equivalent) to prevent recovery.

14. Indemnification by Customer

You will indemnify and hold harmless Gjallarhorn, its affiliates, and their officers, directors, employees, and agents from any third-party claim, demand, or action arising from:

1. Your violation of this Agreement
2. Your violation of applicable law
3. Your infringement or violation of third-party intellectual property rights
4. Your agent code, data, or content
5. Your use of Gjallarhorn in an unauthorized manner

You will pay all reasonable costs of defense, including attorneys' fees, settlement amounts, and judgments.

15. Confidentiality

15.1 Confidential Information

Each party may share the other with non-public, proprietary information ("Confidential Information"). The recipient agrees to:

• Maintain secrecy using the same care it uses for its own confidential information (reasonable care)
• Use the information solely to perform this Agreement
• Disclose only to employees and contractors who need to know and are bound by similar confidentiality obligations

15.2 Exceptions

Confidential Information does not include information that:

• Is publicly available through no breach of this Agreement
• Is rightfully obtained from a third party without confidentiality obligations
• Is independently developed without reference to the other party's information
• Is required to be disclosed by law or court order (with advance notice if legally permissible)

15.3 Return or Destruction

Upon termination, each party will return or destroy the other's Confidential Information, except:

• One archival copy may be retained by legal/compliance
• Information retained as required by law may be retained

15.4 Governing Law Interaction (GDPR)

Notwithstanding the choice of Swiss governing law (Section 16), Gjallarhorn acknowledges that GDPR obligations apply where Gjallarhorn processes personal data on behalf of EU-established data controllers. Swiss law governs contractual disputes that do not engage mandatory EU data protection obligations. Where GDPR mandatory provisions conflict with Swiss contractual law, GDPR takes precedence for data protection matters.

16. Governing Law and Dispute Resolution

16.1 Governing Law

This Agreement is governed by the laws of Switzerland, specifically the Canton of Aargau, without regard to conflict of law principles. The UN Convention on the International Sale of Goods does not apply.

16.2 Jurisdiction and Venue

Any dispute arising from this Agreement is subject to the exclusive jurisdiction of the Courts of Aarau (Bezirksgericht Aarau), Canton of Aargau, Switzerland. Both parties consent to this jurisdiction and waive any objection based on inconvenient venue or forum non conveniens.

16.3 Dispute Resolution Process

Before pursuing litigation, the parties will attempt to resolve disputes through:

1. Negotiation (30 days): Senior representatives of each party will discuss and attempt to resolve the dispute.
2. Mediation (30 days): If negotiation fails, either party may request mediation. The parties will share costs of a neutral mediator.
3. Litigation: If mediation fails, either party may initiate proceedings in the Courts of Aarau.

16.4 Attorneys' Fees

Except where prohibited by law, the prevailing party in any dispute may recover reasonable attorneys' fees and costs from the non-prevailing party.

17. General Provisions

17.1 Entire Agreement

This Agreement, including any exhibits and the Privacy Policy, constitutes the entire agreement between you and Gjallarhorn regarding your use of the platform. It supersedes all prior negotiations, understandings, and agreements.

17.2 Amendments

Gjallarhorn may amend this Agreement at any time by posting an updated version. Material amendments (those that significantly reduce your rights or increase your obligations) will be announced with at least 30 days' notice.

Your continued use of Gjallarhorn after the effective date constitutes acceptance of the amended terms. If you disagree with material amendments, you may terminate your account within 30 days for a full refund of prepaid fees.

17.3 Severability

If any provision of this Agreement is found invalid or unenforceable by a court of competent jurisdiction, that provision will be modified to the minimum extent necessary to make it enforceable, or if that is not possible, severed. The remaining provisions will remain in full force and effect.

17.4 Waiver

No waiver of any provision of this Agreement is effective unless in writing and signed by the waiving party. Failure to enforce a right does not constitute waiver of that right.

17.5 Assignment

Neither party may assign this Agreement without the other's written consent, except:

• Gjallarhorn may assign to a successor company in the event of acquisition, merger, or sale of substantially all assets
• You may not assign; your account is personal to your organization

Attempted unauthorized assignment is void.

17.6 Relationship

This Agreement does not create a partnership, joint venture, agency, or employment relationship between you and Gjallarhorn. Neither party is authorized to bind or commit the other.

17.7 Notices

Legal notices must be sent to:

For Gjallarhorn:

• Legal entity: Daniel Sidler (trading as Gjallarhorn)
• Email: support@gjallarhorn.watch (all legal, compliance, and support inquiries)
• Mail: Parkweg 11, 5000 Aarau, Canton of Aargau, Switzerland

For You:

• Email address on file in your account

Notices are effective upon receipt (email) or three business days after posting (mail).

17.8 Survival

Sections that should survive termination (confidentiality, limitation of liability, indemnification, governing law) remain in effect after termination or expiration.

18. Contact

Questions about these Terms of Service?

• Email: support@gjallarhorn.watch (support, legal, and compliance — single inbox)
• Mailing Address: Parkweg 11, 5000 Aarau, Canton of Aargau, Switzerland
• Legal entity: Daniel Sidler (trading as Gjallarhorn)

End of Terms of Service

Appendix A: Data Processing Agreement (DPA) Reference

For customers processing EU personal data, a full Data Processing Agreement is provided as a separate document (DPA-Template.md) or is available upon request. The DPA incorporates GDPR Article 28 requirements and defines processor obligations, sub-processors, and technical/organizational measures (TOMs).

Enterprise customers are required to execute the DPA before processing EU personal data via Gjallarhorn.