Data Processing Addendum
This DPA governs how SIXTA processes data on behalf of customers and forms part of the agreement between SIXTA and each customer.
Effective Date: March 25, 2026
1. Definitions
In this Data Processing Addendum ("DPA"), the following terms apply in addition to those defined in the Agreement between SIXTA and Customer:
- "Customer Data" means any data that SIXTA processes on behalf of Customer through the SIXTA platform, including infrastructure telemetry, database metrics, query performance patterns, and system logs.
- "Personal Data" means any Customer Data that relates to an identified or identifiable natural person, as defined by applicable data protection law.
- "Controller" means the Customer, who determines the purposes and means of processing Personal Data.
- "Processor" means SIXTA, Inc., which processes Personal Data on behalf of the Controller.
- "Sub-processor" means any third party engaged by SIXTA to process Customer Data.
2. Scope and Roles
This DPA applies where SIXTA processes Customer Data that contains or may contain Personal Data. The Customer acts as the Controller and SIXTA acts as the Processor. SIXTA will process Customer Data only in accordance with the Customer's documented instructions as set out in the Agreement and this DPA.
SIXTA is an autonomous database reliability engineering platform. In the ordinary course of its operation, SIXTA processes infrastructure-level telemetry — database metrics, query performance patterns, system resource utilisation, and observability data — rather than personal data. However, where telemetry may incidentally contain personal data (for example, in log entries or query metadata), this DPA governs that processing.
3. Data Processing Details
Categories of data
Infrastructure telemetry including database performance metrics, query execution patterns and statistics, system resource utilisation data, alert and log data from connected observability platforms, and Slack or messaging content related to SIXTA investigations.
Purpose of processing
To provide the SIXTA autonomous database reliability engineering service, including monitoring database health, investigating anomalies, identifying root causes, and delivering recommendations through integrated messaging channels.
Duration of processing
For the term of the Agreement. Upon termination, SIXTA will cease processing and delete or return Customer Data in accordance with Section 10.
4. Customer Obligations
The Customer is responsible for ensuring that it has a lawful basis for providing Customer Data to SIXTA, including any Personal Data that may be present in infrastructure telemetry. The Customer is responsible for providing any required notices and obtaining any required consents from data subjects whose Personal Data may be included in Customer Data.
5. SIXTA Obligations
SIXTA will:
- Process Customer Data only on documented instructions from the Customer, unless required by applicable law
- Ensure that persons authorised to process Customer Data are bound by appropriate confidentiality obligations
- Implement and maintain appropriate technical and organisational security measures as described in Section 7
- Assist the Customer in responding to data subject access requests and exercising data subject rights under GDPR
- Assist the Customer in ensuring compliance with obligations related to security, breach notification, data protection impact assessments, and prior consultation
- At the Customer's election, delete or return all Customer Data upon termination of the Agreement
- Make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for audits
6. Sub-processors
SIXTA uses the following sub-processors to deliver the service. Each sub-processor processes only the minimum data necessary for its function and is bound by data processing terms no less protective than those in this DPA.
| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| Anthropic | Large language model inference for investigation analysis and reasoning | Infrastructure telemetry context, query patterns, and metrics included in analysis prompts | United States |
| Slack Technologies | Messaging platform for delivering investigation findings and recommendations to users | Investigation results, recommendations, and conversational messages | United States |
| Microsoft (Teams) | Messaging platform for delivering investigation findings and recommendations to users | Investigation results, recommendations, and conversational messages | United States / EU (per customer tenant) |
| Railway | Relay infrastructure for message routing between SIXTA components | Encrypted message payloads in transit | United States |
SIXTA will notify the Customer of any intended changes to the list of sub-processors, providing at least 30 days' notice before engaging a new sub-processor. If the Customer objects to a new sub-processor on reasonable data protection grounds, the parties will work together in good faith to find an alternative solution. If no resolution is reached, the Customer may terminate the affected service with no penalty.
7. Security Measures
SIXTA implements appropriate technical and organisational measures to protect Customer Data, including:
- In-VPC deployment: The SIXTA platform operates within the Customer's own Virtual Private Cloud. Customer Data is processed locally within the Customer's infrastructure.
- Read-only access: SIXTA connects to Customer databases and observability platforms using read-only credentials. SIXTA cannot modify, write to, or delete data in Customer systems.
- Encryption in transit: All data transmitted between SIXTA components and to sub-processors is encrypted using TLS 1.2 or higher.
- Short-term caching: Where SIXTA caches data for investigative context, cached data is retained within the Customer's VPC for a limited period (typically days) and is automatically purged.
- Access controls: Access to systems that process Customer Data is limited to authorised personnel and protected by multi-factor authentication.
- Audit trail: SIXTA maintains a complete audit log of every autonomous action taken during investigations.
8. Data Breach Notification
SIXTA will notify the Customer without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data breach affecting Customer Data. The notification will include the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.
9. International Transfers
SIXTA, Inc. is incorporated in the United States. Where Customer Data containing Personal Data of individuals in the European Economic Area or the United Kingdom is transferred to SIXTA's sub-processors in the United States, such transfers are subject to the European Commission's Standard Contractual Clauses (Module 3: Processor to Sub-processor), as supplemented by any additional safeguards required under applicable law.
The Customer's infrastructure telemetry is processed primarily within the Customer's own VPC. Data transmitted to sub-processors (Anthropic for LLM inference, Slack or Microsoft Teams for messaging delivery, Railway for message relay) is limited to the minimum necessary for each sub-processor's function.
10. Data Retention and Deletion
SIXTA retains Customer Data only for as long as necessary to provide the service. Cached telemetry data within the Customer's VPC is automatically purged after a short retention period. Upon termination of the Agreement, SIXTA will, at the Customer's choice, delete or return all Customer Data within 30 days, and certify the deletion in writing upon request.
11. Data Subject Rights
SIXTA will assist the Customer in fulfilling its obligations to respond to data subject requests under GDPR (including rights of access, rectification, erasure, restriction, portability, and objection). Given that SIXTA processes infrastructure telemetry rather than directly identifiable personal data, such requests are expected to be infrequent. SIXTA will promptly inform the Customer if it receives a request from a data subject directly.
12. Audit Rights
SIXTA will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA. Upon reasonable notice and no more than once per year, the Customer (or a mandated third-party auditor bound by confidentiality) may audit SIXTA's processing activities related to this DPA. SIXTA will cooperate with such audits and provide reasonable access to relevant facilities, systems, and personnel.
13. Governing Law
This DPA is governed by the same law that governs the Agreement between SIXTA and the Customer. Where the Customer is established in the EEA, disputes will be resolved by the courts of the Customer's jurisdiction. For matters relating to GDPR compliance, the competent supervisory authority shall be determined in accordance with GDPR Article 55.
Contact
For questions about this DPA or data processing practices:
Email: privacy@sixta.ai
Website: Security & Trust