Data Processing Addendum
This Data Processing Addendum (“Addendum”) is entered into by and between Deskfirst, Inc. and its subsidiaries (operating under the brand name “Anomity.ai”) (together, “Anomity” or “Deskfirst”) and the entity that is a party to an Anomity Service Agreement entered into pursuant to an Anomity-issued Order Form that has been accepted and executed by both parties (the “Customer”). This Addendum applies solely in connection with the provision of the Anomity services to such Customer and its Authorized Users under the applicable Anomity Service Agreement.
For the avoidance of doubt, this Addendum does not apply to access to or use of the Anomity services that is solely pursuant to Anomity’s Terms of Service or other click-through, self-service, or evaluation arrangements without an executed Order Form, and no data processing addendum is deemed to apply in connection with such use.
WHEREAS, Anomity may be involved in processing certain personal data or personal information on behalf of Customer (“Customer Personal Data”) as part of its software-as-a-service (SaaS) platform and endpoint daemon for inventorying, classifying, governing, and auditing AI tooling on Customer’s managed endpoints (the “Services”) pursuant to an Agreement between Customer and Anomity (the “Agreement”), and the parties wish to regulate Anomity’s processing of such personal data through this Addendum.
THEREFORE, the parties have agreed to this Addendum, consisting of these parts:
Part One – General provisions
Applicable and in force: Always applies and is in force for the Services.
Part Two – EU/EEA or UK GDPR DPA
Applicable and in force: Only if the Customer is subject to the UK or EU/EEA GDPR regarding the personal data that Anomity processes for it when providing the Services.
Part Three – State Privacy Laws in the U.S.
Applicable and in force: Only if the Customer is subject to state privacy laws in the U.S. regarding the personal data that Anomity processes for it when providing the Services.
Part Four – Israeli Privacy Protection Regulations (Information Security)
Applicable and in force: Only if the Customer is subject to Israeli law regarding the personal data that Anomity processes for it when providing the Services.
Part 1 (General Provisions)
1. Scope. This Addendum and any of its Parts apply only where Anomity is processing Customer Personal Data on behalf of the Customer and based on the Customer’s instruction. It does not apply to Service Data, Aggregated Data, Feedback, Anomity’s processing of data to separately operate the Services, or to the processing required to administer the business or contractual relationship between Anomity and the Customer, which is covered by the Anomity Privacy Policy.
2. Order of Precedence. In the event of any conflicting provisions between this Addendum and the Agreement or any other agreement in place between the parties, the provisions of this Addendum shall prevail.
3. Data security. Considering the methods, the costs of implementation, and the nature, scope, context, and purposes of Anomity’s processing of Customer Personal Data, Anomity will implement and maintain security procedures and practices appropriate to the nature of the Customer Personal Data, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure (including data breaches), as further detailed in the Anomity Trust Center — https://trust.anomity.ai. Without limitation, the Endpoint Daemon performs on-device redaction of secrets so that plaintext secret values never leave the Managed Device; only metadata and a hashed fingerprint reach Anomity Cloud. Tenant isolation is enforced at the query layer, and per-device daemon credentials are bcrypt-hashed at rest.
4. Data Subject Requests. Anomity will follow Customer’s reasonable written instructions to accommodate data subjects’ requests to exercise their rights in relation to their information within the Customer Personal Data, including accessing their data, correcting it, restricting its processing, or deleting it. Anomity will pass on to Customer requests that it receives (if any) from data subjects regarding their information processed by Anomity. Anomity shall notify Customer of the receipt of such request without undue delay, together with the relevant details.
5. Return or deletion of information. Upon Customer’s written request where no subsequent further processing is required, Anomity shall, at the instruction of Customer, either delete, destroy, or return to Customer some or all (however instructed) of the personal information that it and its third-party suppliers process for Customer. Upon Customer’s request, Anomity will furnish written confirmation that the Personal Data has been deleted or returned pursuant to this section. The standard audit-trail retention period is ninety (90) days; longer retention is available on request and may be specified in the Order Form.
6. Disclosure. Unless legally prohibited, Anomity will provide Customer prompt notice of any request it receives from authorities to produce or disclose Customer Personal Data it has Processed on Customer’s behalf, so that Customer (or its customer) may contest or attempt to limit the scope of the production or disclosure request.
7. Data Breaches. Anomity shall, without undue delay, notify Customer of any actual or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data that it becomes aware of. Anomity will investigate the breach, take all available measures to mitigate the breach, and prevent its recurrence. Anomity will cooperate in good faith with Customer on issuing any statements or notices regarding such breaches, to authorities and data subjects.
8. Subcontracting to suppliers. Customer authorizes Anomity to subcontract any of its Services consisting of the processing of the Customer Personal Data, or requiring Customer Personal Data to be processed by any third-party supplier, without the prior written authorization of Customer, provided that: (a) Anomity notifies the Customer at least ten (10) business days in advance of any new or substitute supplier, in which case Customer shall have the right to object, on reasoned grounds, to that new or replaced supplier. If Customer so objects, Anomity may not engage that new or substitute supplier for the purpose of processing Customer Personal Data, and Anomity may either select another supplier in which case the above procedure shall repeat, or, if it so chooses, terminate the Agreement or affected part of the Service; (b) Anomity shall ensure that the supplier is bound by similar obligations under this DPA; and (c) Anomity is liable to Customer for the performance of any such supplier that fails to fulfil its obligations.
9. Details of Processing. The nature and purposes of the Processing activities, categories of data subjects whose personal data may be processed, categories of personal data Processed, frequency of the Processing, the period for which the personal data will be retained, and the (sub-) processor list are all specified in Appendix A of this Addendum.
10. Confidentiality. Anomity will ensure that its staff authorized to process the Customer Personal Data are contractually bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
11. Disputes. Any dispute that the parties are unable to amicably resolve under this Addendum shall be subject to the sole and exclusive jurisdiction and venue specified in the Agreement.
12. Liability. Each party’s total and aggregate liability to the other party under this Addendum for any direct or indirect damages asserted in connection with this Addendum, whether in tort (including negligence), contract, indemnity, strict liability, or otherwise, is capped as specified in the Agreement.
13. Customer Acknowledgements. Customer acknowledges and represents that: (a) it is the controller (or, where it acts as a processor for its own customers, a processor) of any Customer Personal Data submitted to or generated by the Services; (b) it has lawful authority to install the Endpoint Daemon on each Managed Device on which it deploys the daemon, and to monitor that device for the purposes contemplated by the Agreement; (c) it has provided any notices and obtained any consents required under applicable employment, privacy, and surveillance laws in respect of individuals reflected in Customer Personal Data; and (d) it has determined that the Services are appropriate to the nature of the Customer Personal Data being processed.
Part 2 (EU/EEA or UK GDPR DPA)
1. Capitalized terms used in this Part 2 but not defined herein or in the Agreement shall have the meaning ascribed to them in the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) applicable as of 25 May 2018 and any national law supplementing the GDPR, and the UK Data Protection Act 2018 under the European Union (Withdrawal) Act 2018 as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419); these shall collectively be referred to in this Part 2 as “Data Protection Law”.
2. Customer commissions, authorizes, and requests that Anomity Process the Customer Personal Data based on the instructions of Customer. Unless agreed otherwise in the Agreement, Anomity will Process the Personal Data only on Customer’s behalf (it being understood that Customer may be acting as a processor for and on behalf of its own Customer, the Controller). Anomity and Customer are each responsible for complying with the Data Protection Law as applicable to their roles.
3. Anomity will Process the Personal Data only based on instructions from Customer documented in this Addendum or otherwise provided in writing, which instructions must be consistent with the nature and characteristics of the Services. The foregoing applies unless Anomity is otherwise required by law to which it is subject (and in such a case, Anomity shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest). Anomity shall promptly inform Customer if, in Anomity’s opinion, an instruction is in violation of Data Protection Law.
4. Anomity will make available to Customer and the Data Controller all information at its disposal necessary to demonstrate compliance with the obligations under Data Protection Law.
5. Upon written request of the Customer and within a reasonable time, Anomity will make available to Customer all information at its disposal necessary to demonstrate compliance with the obligations under Data Protection Law, shall maintain all records required by Article 30(2) of the GDPR, and shall make them available to the Customer upon request.
6. Anomity will follow Customer’s instructions to accommodate Data Subjects’ requests to exercise their rights in relation to their Personal Data, including accessing their data, correcting it, restricting its processing, or deleting it, within the boundaries of the Service’s capabilities and features. Anomity will pass on to Customer requests that it receives from Data Subjects regarding their Personal Data Processed by Anomity. Any request from Data Subjects arising out of the processing of Personal Data by Anomity, including but not limited to rectification, erasure, blocking of Personal Data, portability requests, and objection, has to be asserted to Customer.
7. Customer authorizes Anomity to engage another sub-processor for carrying out specific processing activities, provided that Anomity informs Customer at least ten (10) business days in advance of any new or substitute sub-processor, in which case Customer shall have the right to object, on reasoned grounds, to that new or replaced sub-processor. If Customer so objects, Anomity may not engage that new or substitute sub-processor for the purpose of Processing Personal Data, and Anomity may either select another sub-processor in which case the above procedure shall repeat, or, if it so chooses, terminate the Agreement or the affected part of the Service.
8. Without limiting the foregoing, in any event where Anomity engages another sub-processor, Anomity will ensure that similar data protection obligations as set out in this Addendum are likewise imposed on that other sub-processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. Where the other sub-processor fails to fulfil its data protection obligations, Anomity shall remain fully liable to Customer for the performance of that other sub-processor’s obligations.
9. Anomity and its other sub-processors will only Process the Personal Data in member states of the European Economic Area, in territories or territorial sectors recognized by an adequacy decision of the European Commission (or, as applicable, the UK GDPR regulations) as providing an adequate level of protection for Personal Data pursuant to Article 45 of the GDPR, or using adequate safeguards as required under Data Protection Law governing cross-border data transfers (e.g., Standard Contractual Clauses).
10. Subject to prior coordination between the Customer and Anomity as to the timing and agenda of the audit, following Customer’s written request, Anomity shall allow for, within a reasonable timeframe, and contribute to audits, including inspections conducted by Customer, the Controller, or another auditor mandated by Customer or the Controller, in order to establish Anomity’s compliance with this Addendum and the provisions of the applicable Data Protection Law as regards the Personal Data that Anomity processes on behalf of Customer. Such audits or inspections shall be carried out during Anomity’s ordinary business hours, not more than one business day per year (unless Data Protection Law or a supervisory authority mandates more frequent audits or inspections), shall be conducted with minimal disruption to Anomity’s business activities, and shall be subject to confidentiality undertakings satisfactory to Anomity. In lieu of an on-site audit, Anomity may satisfy this obligation by providing Customer with its then-current SOC 2 Type II report and responses to a reasonable security questionnaire.
11. Anomity will assist, within a reasonable scope of assistance, Customer and the Controller with the preparation of data privacy impact assessments and prior consultation as appropriate (and if needed), in particular in respect of processing concerning monitoring of employees on Managed Devices.
Part 3 (State Privacy Laws in the U.S.)
1. Definitions
a. “Applicable State Privacy Laws” means the CPRA and other applicable state privacy laws in the United States, such as (but not limited to) the Virginia Consumer Data Protection Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, the Utah Consumer Privacy Act, and the Colorado Privacy Act.
b. “Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Covered Information, during its Processing by Anomity.
c. “Consumer” means a natural person, including a natural person in their professional or work capacity.
d. “CPRA” means Cal. Civ. Code §1798.100 et seq. and the regulations at 11 C.C.R. §7000 et seq.
e. “Covered Information” means information that the Anomity Service stores, handles, or otherwise maintains for and on behalf of Customer.
f. “Process” (and its cognate terms) means any operation or set of operations that are performed on Covered Information or on sets of Covered Information, whether or not by automated means.
g. “Sell” (and its cognate terms) means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Covered Information for monetary or other valuable consideration.
h. “Share” (and its cognate terms) means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Covered Information for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions for cross-context behavioral advertising in which no money is exchanged.
2. Anomity may only Process the Covered Information to perform the Agreement. The parties agree that the Customer is only disclosing the Covered Information to Anomity so that Anomity can provide the Services to the Customer and other purposes agreed upon in the Agreement. Anomity is prohibited from retaining, using, or disclosing the Covered Information for any commercial purpose other than the foregoing business purposes. Additionally, subject to the Agreement, Anomity is prohibited from retaining, using, or disclosing the Covered Information pursuant to this Addendum outside the direct business relationship between Anomity and Customer.
3. Subject to the Agreement, Anomity must not Sell or Share any Covered Information it Processes.
4. Anomity shall comply with all applicable sections of the Applicable State Privacy Laws and shall provide, with respect to Covered Information, the same level of privacy protection as required by Applicable State Privacy Laws.
5. Commensurate with the nature of Anomity’s Services to Customer and in accordance with Customer’s specified instructions to Anomity, Anomity shall help Customer, within a reasonable timeframe, to comply with Consumer written requests made pursuant to Applicable State Privacy Laws of which Anomity is informed by Customer.
6. Anomity grants Customer the right to take reasonable and appropriate steps to ensure that Anomity uses the Covered Information in a manner consistent with Customer’s obligations under this Addendum and Applicable State Privacy Laws. Anomity grants Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate Anomity’s unauthorized use of Covered Information.
7. Anomity must promptly notify Customer when it makes a determination that it can no longer meet its obligations under this Addendum or Applicable State Privacy Laws.
Part 4 (Israeli Privacy Protection Regulations (Information Security))
1. Definitions. In this Part, the following terms shall be interpreted as follows:
1.1 “Applicable Laws” means the Israeli Privacy Protection Law, 5741-1981 (hereinafter – the “Privacy Law”) and the regulations promulgated thereunder (and in particular the Privacy Protection Regulations (Information Security), 5777-2017), as well as any legislative or administrative provision or directive that will apply to the Processor in connection with the provision of the Services under the Agreement.
1.2 “Controller” means the Customer.
1.3 “Database” means a collection of personal data held by physical, magnetic or optical means.
1.4 “Personal Data” means information, data, and data sets that relate to an individual and which identify such individual, or which may be reasonably used in order to identify such individual, regardless of the medium in which such data is being presented, and which the Processor Processes for and on behalf of the Controller within the scope of the Services.
1.5 “Personal Data Breach” means an actual or reasonably suspected incident: (a) of unauthorized access to or use of Personal Data, or such access or use exceeding authorization; or (b) impacting the integrity of the Personal Data in a manner that is not authorized or exceeds authorization.
1.6 “Processing” (and its derivatives, including, but not limited to, “Process”) means the collection, access, retention, modification, use, disclosure, and transfer of Personal Data.
1.7 “Processor” means Anomity.
2. Processor’s obligations regarding the Processing of Personal Data
2.1 The Processor shall process Personal Data for Customer solely to provide the Services under the Agreement, and only in the manner based on the Agreement and in this Part 4, and for no other purpose, unless expressly instructed by Customer to do so.
2.2 Processor undertakes to manage access rights to Personal Data, including by way of providing its users with “Least Privileges” based on their “Need to Know”, for the purpose of carrying out their tasks, and shall take measures in order to prevent access by unauthorized individuals to Personal Data. In addition, Processor will maintain an up-to-date listing of all individuals authorized to access or use the Database and will use measures designed to prevent access to any individual who does not have a need to be exposed to the Personal Data.
2.3 Processor shall not grant access to the Personal Data to its employees, consultants, or anyone else acting on its behalf, before reviewing and confirming, within the boundaries of applicable law, that their background, integrity, and reliability are suitable for a position granting them access to Personal Data.
2.4 Processor shall grant its employees access to the Database, subject to conducting training activities regarding privacy protection and information security obligations applicable to the Processor by virtue of the Applicable Laws and this Part 4.
2.5 Processor will implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, as set forth in this Part 4.
2.6 Processor shall develop, implement, and enforce an information security policy that covers at least the following topics (“Information Security Policy”):
2.6.1 Guidelines regarding the physical protection of the Database systems and the sites in which they are located;
2.6.2 Guidelines regarding the management and monitoring of access authorizations and actions taken in the Database;
2.6.3 Mapping of all the security measures taken by Processor regarding the Database;
2.6.4 Guidelines for individuals authorized to access Personal Data and Database;
2.6.5 A review of the risks to which the Personal Data is exposed as part of Processor’s ongoing activities, including instructions regarding the means of recording, monitoring, and identifying threats to which the Database systems are exposed;
2.6.6 Instructions and procedures regarding the mitigation and management of a Personal Data Breach;
2.6.7 Instructions and procedures regarding the use of removable devices.
2.7 Processor shall map the operational environment of the Database. In this regard, Processor shall prepare an inventory list that includes all the systems, software, interfaces, hardware infrastructure components, and communications components that Processor operates in the Database environment for the ongoing operation of the Database (the “Database Systems”). Processor shall update the inventory list specified in this section from time to time and shall only disclose the document to those individuals who require access to it for the performance of their job functions. In any case, Processor shall update the foregoing list whenever substantial changes are implemented in the operating environment of the Database or in the manner in which Personal Data is Processed.
3. Disclosure and transfer of Personal Data
3.1 Processor shall not disclose Personal Data in the scope of Processing Personal Data on behalf of Customer to any entity, unless Customer has provided its prior written consent, except as follows:
3.1.1 As strictly necessary for the provision of Services;
3.1.2 Where such disclosure is required by Applicable Law or during legal proceedings, in which case Processor shall notify Customer in writing promptly upon receipt of the request and before fulfilling the disclosure request, and will cooperate and disclose the minimum Personal Data necessary to comply with Applicable Law or legal proceedings;
3.1.3 Processor shall use conventional encryption mechanisms for any transfer of Personal Data to a third party and for any remote connection to the Database Systems.
4. Storing, Deletion and Return of Personal Data
4.1 Processor undertakes to implement appropriate security measures designed to ensure the integrity of the Personal Data, its availability, confidentiality, and reliability.
4.2 To the extent reasonable given the nature of the system involved, Processor shall maintain logical separation between the Database Systems and the computer systems used by Processor that are not directly related to the Processing of Personal Data for Customer. In the event the Database Systems are connected to the Internet or to another public network, Processor shall install appropriate means of protection against information security incidents, such as firewalls and anti-virus tools.
4.3 Processor shall retain the Personal Data only as strictly necessary to provide the Services to Customer, or as mandatory under Applicable Laws.
4.4 Processor shall regularly update the Database Systems, including the software installed in the Database Systems, with information security updates. When operating the Database Systems, Processor will not use software and/or hardware components that the manufacturer does not support in terms of their security aspects.
4.5 To the extent reasonable given business needs, Processor will implement measures to prevent the connection of removable devices to the Database Systems or devices Processing Personal Data (to the extent those Database Systems or devices are located on the Processor’s premises or assigned to its employees, consultants, and anyone on its behalf). Notwithstanding the foregoing, portable devices such as laptops and smartphones Processing Personal Data may be used so long as they are encrypted with appropriate, industry-customary encryption.
4.6 In accordance with the Agreement and without prejudice to its generality, Processor shall return, delete, or destroy all Personal Data to which this Part 4 applies, including but not limited to all original and copies of that Personal Data, in any medium, including but not limited to hard drives, backup media, and any other magnetic or optical media, and all materials derived from or including the Personal Data, upon Customer’s written request for return, deletion, or destruction for any reason.
5. Cross-Border Data Transfers
5.1 Processor shall comply with the law applicable to the transfer of Personal Data to foreign jurisdictions, including but not limited to the Protection of Privacy Regulations (Transfer of Information to Databases Outside of Israel), 5761-2001.
5.2 In addition, other than as described under this Addendum, Processor shall not transfer Personal Data to a foreign jurisdiction outside the EEA, the UK, or outside countries that offer an adequate level of data protection, without prior advance notice to Customer, and Customer shall be entitled to object to such transfer, on reasonable grounds, within ten (10) business days from receipt of notice.
5.3 If no objection is provided by Customer, Processor shall keep Customer updated on material compliance developments in its transfers of Personal Data to foreign jurisdictions, considering the aforementioned regulations.
6. Breach of information security
6.1 Processor will notify Customer without undue delay and no later than twenty-four (24) hours (during business days) after becoming aware of a Personal Data Breach, and provide Customer with sufficient information to allow Customer to meet any obligations to report or inform affected individuals or a supervisory authority of the Personal Data Breach.
Such notice shall include, at the time of initial notification or without undue delay after the initial notification, details of the nature of the Personal Data Breach, the number of records affected, the category and approximate number of affected individuals, anticipated consequences of the Personal Data Breach, and any actual or proposed remedies for mitigating the possible adverse effects of the Personal Data Breach.
6.2 In any case of a Personal Data Breach affecting Customer Personal Data, Processor also:
6.2.1 Will cooperate with Customer and/or anyone on its behalf to investigate the Personal Data Breach as aforesaid and will not release any public statement relating to that Personal Data Breach, except as required by law;
6.2.2 Will take all necessary and appropriate corrective measures to repair the Personal Data Breach.
6.3 In the event of a Personal Data Breach, the parties will discuss the matter and reach an agreement regarding the measures required to repair the Personal Data Breach and the schedule for their implementation.
7. Audit & Documentation
7.1 Processor shall provide Customer, upon its request, written approval according to which it performs and fulfils its obligations pursuant to this Part 4 and the provisions of the Applicable Law.
7.2 Processor shall fully cooperate with Customer in providing, within a reasonable timeframe, all information and assistance reasonably requested by Customer in connection with data security issues and practices and supplementary documents, so as to allow Customer to properly address information security, privacy, and regulatory matters relating to the Database.
7.3 Processor undertakes to allow the representatives of Customer and/or any person or entity acting on Customer’s behalf to carry out, through advance written notice and within a reasonable timeframe, surveys and audits regarding the performance of Processor’s obligations under this Part 4. It is hereby clarified that as a pre-condition for the performance of such surveys and audits, the surveyor and auditor on behalf of Customer shall be required to sign an undertaking in order to maintain confidentiality of Processor’s data to which such surveyor or auditors will be exposed in the course of the survey or audit.
Appendix A - DATA PROCESSING
Categories of data subjects whose personal data is processed
Customer’s personnel and other individuals whose endpoints are Managed Devices on which the Endpoint Daemon is installed (such as Customer’s employees, agents, contractors, and other authorized device users).
Customer’s Authorized Users of the Dashboard and APIs (such as Customer’s security analysts, security administrators, IT administrators, and owners).
Categories of personal data Processed
Authorized Users’ data:
Contact Details such as full name, email address, and authentication details such as username and (where the Customer’s identity provider is not used) password. If the engagement is made through a third-party identity provider account (such as a Google, Microsoft, or other SSO account), the Authorized User’s language preferences and profile picture may be collected. Inquiry information, such as a User’s company name, requirements, and the content of its message.
Service usage information, such as which Findings the Authorized User reviewed, which policies the Authorized User edited, and other Dashboard activity, captured in the cloud audit trail with the actor’s identity and timestamp.
Monitored personnel data (collected through the Endpoint Daemon from Managed Devices):
Device identifiers such as hostname, OS, OS version, architecture, machine UUID, and the username under which the AI tool is configured on the device.
Configuration metadata about AI tools, MCP servers, IDE extensions, plugins, skills, hooks, CLIs, permission grants, and related artifacts found on the device.
Redacted secret fingerprints (one-way hashes) and metadata about secrets found in AI-tool configuration files. Plaintext secret values are NOT collected and never leave the Managed Device.
Change events recording when an AI tool, configuration file, MCP server, permission, plugin, skill, hook, or CLI was added, modified, or removed on the device, with before/after state.
Findings derived from the foregoing, including capability inferences and policy evaluation outputs, attached to the device and (where relevant) the username under which the AI tool is configured.
Source code, prompts, model outputs, browsing history, and the contents of files other than AI-tool configuration files are NOT collected.
The frequency of the Processing
Continuous during the Subscription Term: the Endpoint Daemon transmits an initial snapshot upon installation, then transmits change events as they occur (with debounced reparses on file changes) and a heartbeat approximately every 60 seconds; full re-scans are performed on a recurring schedule (typically every 5 minutes) and registry sync occurs on a recurring schedule (typically every 15 minutes). Dashboards refresh in real time as new data arrives. Frequencies may change as the Service evolves.
Nature of the processing
Anomity processes Personal Data to provide the Services as specified under the Agreement, including ingesting Telemetry Data, classifying MCP servers and extensions, inferring capabilities, evaluating Customer policies, generating Findings and audit-trail entries, displaying these in the Dashboard, and routing alerts to Customer-configured destinations.
Purpose(s) of the data Processing and further processing
To provide the Services described in the Agreement, including: enabling Customer to inventory, classify, govern, and audit AI tooling on its Managed Devices; supporting Customer in complying with its own information security and regulatory obligations; providing technical and customer support; and detecting, preventing, and addressing technical, security, or fraud issues. Anomity does not Sell or Share Customer Personal Data, nor use it for advertising or to train any third-party model. Anomity may compile Aggregated Data (de-identified statistical, usage, and threat-intelligence information) as further described in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
During the Subscription Term, Anomity retains live Telemetry Data and the derived Findings for as long as needed to operate the Service. The audit trail of configuration changes is retained for ninety (90) days by default; longer retention may be specified in the Order Form. Cloud admin actions (including login, policy CRUD, approvals, and role changes) are retained for the audit-trail retention period. On termination of the Agreement, Customer Personal Data is deleted in accordance with Sections 8.3–8.4 of the Agreement, save for backups retained in accordance with Anomity’s standard retention practices and any record-keeping required by law.
For transfers to (sub-) processors, also specify location, subject matter, nature and duration of the processing
Anomity uses a limited set of trusted subprocessors to deliver the Services. As of the date of this Addendum, the principal subprocessors include:
Cloud infrastructure: Amazon Web Services, Inc. and/or Microsoft Azure (hosting of the Anomity Cloud and storage of Customer Personal Data).
Database: MongoDB Atlas (managed database service).
Identity & access: Auth0 (Okta) for authentication of Authorized Users.
Real-time messaging: Pusher Ltd. for real-time Dashboard updates.
CDN, DNS & WAF: Cloudflare, Inc. for content delivery, DNS, and edge security.
Payment processing: Stripe, Inc. (where applicable, for invoicing and payment of Subscription Fees).
Customer support: a customer support and ticketing platform.
AI inference (where used): one or more LLM providers used to generate AI-assisted remediation suggestions and to power the in-product AI assistant. Such providers do not retain prompts or outputs for training, and do not receive plaintext secret values.
Subprocessors’ services are used as long as Anomity’s Services are provided to Customer. The current list, including the locations of processing and the relevant data protection agreements, is maintained in the Anomity Trust Center at https://trust.anomity.ai.