Standard terms

Data Processing Addendum

Effective July 13, 2026. Procurement or signature requests: hello@passportmcp.com.

1. Parties and scope

This Data Processing Addendum (DPA) forms part of the agreement between the customer identified by the Passport workspace or an Enterprise order (Customer) and Ramish Syed, carrying on business as Passport, Alberta, Canada (Passport). It applies whenever Passport processes personal data on Customer's behalf in providing the hosted service.

Customer is the controller and Passport is the processor unless Customer acts as a processor for another controller, in which case Customer is a processor and Passport is its subprocessor. Each party will comply with the data-protection laws that apply to it.

2. Instructions and purpose

Passport will process personal data only to provide, secure, support, and maintain the service; to follow Customer's documented configuration and requests; and as otherwise required by law. The agreement, workspace settings, connected integrations, support requests, and this DPA are Customer's documented instructions.

If Passport believes an instruction violates applicable data-protection law, it will inform Customer unless prohibited by law and may suspend the affected processing while the parties resolve it. Passport does not sell Customer personal data or use it for targeted advertising.

3. Confidentiality and security

Passport limits access to people who need it to operate or support the service, binds them to confidentiality, and remains responsible for their compliance. Passport maintains appropriate technical and organizational measures, including encryption in transit, AES-256-GCM encryption for stored upstream and identity-provider credentials, one-way hashing of Passport-issued long-lived credentials, least-privilege production access, tenant isolation, SSRF controls, audit logging, tested backup restoration, and privacy-filtered observability.

The current security measures and evidence boundaries are described on the Security and Trust pages. Passport may improve those measures so long as it does not materially reduce the overall protection of Customer personal data.

4. Subprocessors

Customer gives Passport general authorization to use the subprocessors on the published Subprocessors page. Passport remains responsible for each subprocessor's performance of its data-protection obligations and requires protections appropriate to the processing.

Passport will give at least 15 days' notice of a new subprocessor by updating the published list and notifying Enterprise customers that requested notices. Customer may object on reasonable data-protection grounds during that period. The parties will work in good faith on a commercially reasonable alternative; if none is available, Customer may stop the affected processing and terminate that affected service without penalty.

5. Rights requests and regulatory assistance

Taking into account the nature of the processing, Passport will provide reasonable assistance for Customer to answer requests to access, correct, export, restrict, object to, or delete personal data. Passport will promptly forward a request it receives directly when it can identify the relevant Customer and will not answer on Customer's behalf unless authorized or legally required.

Passport will reasonably assist with Customer's security, breach-notification, impact-assessment, and regulator-consultation obligations, taking into account the information available to Passport.

6. Security incidents

Passport will notify Customer without undue delay after confirming a personal-data breach affecting Customer data. Notice will be sent to workspace admins or the Enterprise contact and will describe the known nature, likely consequences, affected data categories, and mitigation as information becomes available. Security reports go to security@passportmcp.com.

Notification is not an admission of fault or liability. Customer is responsible for keeping its admin and security contacts current.

7. Return, deletion, and backups

Admins can export workspace configuration and audit data during the subscription. On Customer's instruction or termination, Passport will delete the active workspace document and event log, unless law requires retention. Earlier immutable recovery snapshots age out within no more than 30 days and are isolated from ordinary use. If a snapshot is restored before expiry, deletion records newer than the snapshot are reapplied before it may serve traffic.

Stripe retains billing records under its own legal obligations, and privacy-filtered operational diagnostics follow the separate retention described in the Privacy Policy.

8. Audits and information

Passport will make available information reasonably necessary to demonstrate compliance, beginning with its Security, Trust, Subprocessors, Privacy, and status materials. Once per year, an Enterprise customer may request additional written evidence. If that is insufficient, Customer may request a reasonable audit by an independent, confidentiality-bound auditor, during business hours, on reasonable notice, without accessing another customer's data or disrupting the service. Customer bears its audit costs unless the audit identifies a material breach by Passport.

Passport will inform Customer if it cannot comply with this DPA and will take reasonable steps to remediate.

9. International transfers and SCCs

For a transfer from the EEA that is not covered by an adequacy decision, the parties incorporate the European Commission Standard Contractual Clauses in Implementing Decision (EU) 2021/914. Module Two applies when Customer is a controller and Passport is a processor; Module Three applies when Customer is a processor and Passport is a subprocessor. The optional docking clause applies; Option 2 applies to Clause 9 with the notice period above; the optional language in Clause 11 does not apply; Ireland is the governing Member State under Clause 17 and Irish courts have jurisdiction under Clause 18. The official unmodified clauses control over this summary: EUR-Lex 2021/914.

For Annex I, Customer is the exporter at the address and contact in its workspace or order, and Passport is the importer identified in section 1; the competent authority is determined under Clause 13. Annex II is the security program summarized in section 3 and on the Security page. Annex III is the published Subprocessors list. The parties will complete a transfer-impact assessment and add legally required supplementary measures where appropriate.

10. Processing details

Subject matter and duration: operating the governed Passport gateway for the term of the agreement plus the deletion and backup-expiry period. Nature and purpose: authentication, authorization, policy enforcement, credential brokering, tool-call routing, audit, support, security, and billing administration.

Data subjects: Customer's admins, members, governed agent identities, invited users, support contacts, and people whose limited personal data Customer routes through configured tools. Data categories: account and workspace identity, roles and teams, configuration and policy, connected-account identifiers and encrypted credentials, bounded tool-call metadata, audit events, support correspondence, and subscription metadata. Customer must not intentionally submit special-category or highly sensitive personal data unless the parties expressly agree appropriate safeguards in an Enterprise order.

Frequency: continuous while Customer uses the service. Retention: ephemeral health signals for 2 days, audit-class events for 90 days, account/configuration/credentials for the workspace lifetime, active-data deletion on workspace erasure, and restricted backup expiry within 30 days, as further described in the Privacy Policy.

11. Precedence and signature

The SCCs prevail for matters they govern. Otherwise this DPA prevails over conflicting data-processing terms in the agreement, and the agreement's liability limits apply to this DPA to the extent permitted by applicable law. This DPA is effective automatically when it applies; an Enterprise customer may request a countersigned copy using the contact below.