Data Processing Addendum (DPA)
Last Update: February 3rd, 2026
Introduction
This Data Processing Addendum (“DPA”) forms part of the agreement between ANON AI Labs, Inc., a Delaware corporation (United States) (“Serus,” “ANON,” “we,” “us,” “our,” or “Processor”) and the customer that enters into the Terms of Service or another written agreement governing access to the Services (“Customer,” “you,” or “Controller”). This DPA applies to the extent Serus processes Customer Data that includes Personal Data on behalf of Customer in connection with the Services and such processing is subject to applicable Data Protection Laws.
This DPA applies from the date Customer first accepts the Terms of Service (or the effective date of the applicable order form or written agreement) and remains in effect for as long as Serus processes Customer Data on Customer’s behalf under the Agreement.
Related documents (incorporated by reference)
• GDPR Compliance policy (https://www.serus.ai/gdpr)
• Subprocessors list (https://www.serus.ai/subprocessors)
• Privacy Policy (https://www.serus.ai/privacy)
• Cookie Policy (https://www.serus.ai/cookies)
• Acceptable Use Policy (https://www.serus.ai/acceptable-use)
If there is a conflict between this DPA and the Terms of Service regarding data processing obligations, this DPA controls to the extent of the conflict. If the Standard Contractual Clauses apply, they control for cross-border transfer issues.
1. Definitions
Capitalized terms not defined in this DPA have the meanings set out in the Terms of Service.
“Data Protection Laws” means all applicable privacy and data protection laws and regulations, including where applicable: (a) the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”), (b) the UK GDPR and the UK Data Protection Act 2018, (c) the Swiss Federal Act on Data Protection (as applicable), and (d) U.S. state privacy laws (including the California Consumer Privacy Act as amended by the CPRA, where applicable).
“Personal Data” means any information relating to an identified or identifiable natural person that is processed by Serus on behalf of Customer in connection with the Services.
“Customer Data” means any data submitted to, stored in, sent through, or otherwise processed via the Services by or on behalf of Customer, including Personal Data.
“Processing” has the meaning given under Data Protection Laws (and includes “process,” “processes,” and “processed”).
“Subprocessor” means a third party authorized by Serus to process Personal Data on behalf of Customer for purposes of providing the Services.
“Sensitive Information” means unredacted high-risk data that may be displayed by the Services (for example, exposed passwords, authentication tokens, financial identifiers, or similar data) as described in the Terms of Service and Acceptable Use Policy.
“Security Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data (a “Personal Data Breach” under GDPR).
2. Roles and Scope
2.1 Customer as Controller
Customer is the Controller (or equivalent under Data Protection Laws) of Customer Data and is responsible for: (a) determining the purposes and means of processing Customer Data, and (b) ensuring that Customer has an appropriate legal basis and provides any notices required to process and submit Customer Data to the Services (including any third-party data).
2.2 Serus as Processor
Serus acts as a Processor (or equivalent) when it processes Customer Data on Customer’s behalf to provide the Services.
2.3 Serus as Independent Controller (Excluded)
Serus may process certain information as an independent controller (for example, account administration, billing, fraud prevention, and compliance) as described in the Privacy Policy. Such processing is not governed by this DPA.
3. Processing Instructions
3.1 Documented Instructions
Serus will process Customer Data only on Customer’s documented instructions, which include: (a) this DPA, (b) the Terms of Service and any applicable order form or written agreement, and (c) Customer’s use and configuration of the Services (including via platform settings, APIs, or white-label configurations).
3.2 Removal Requests and Authorized Agency
If Customer uses removal request features, Customer instructs Serus to process and transmit the relevant Customer Data to third-party websites, platforms, or services as necessary to submit removal requests on Customer’s behalf, including where Customer configures automated submission. Customer is responsible for ensuring it has the authority and lawful basis to submit such requests, including where Customer acts as an authorized agent for a third party.
3.3 Unlawful Instructions
If Serus reasonably believes that Customer’s instructions violate Data Protection Laws, Serus will notify Customer (to the extent permitted by law) and may suspend the relevant processing until the issue is resolved.
3.4 Processor obligations
Serus will: (a) process Customer Data only in accordance with Customer’s documented instructions; (b) ensure persons authorized to process Customer Data are subject to confidentiality obligations; (c) implement appropriate technical and organizational measures to protect Customer Data; (d) assist Customer as required under Data Protection Laws with Security Incidents, data subject requests, DPIAs, and consultations; (e) make available information necessary to demonstrate compliance with this DPA; and (f) allow for and contribute to audits in accordance with Section 14.
4. Customer Obligations
Customer will:
ensure it has a lawful basis to process and provide Customer Data to the Services, including any third-party data;
provide any required notices and obtain any required consents;
ensure its authorized users comply with the Terms and Acceptable Use Policy, including restrictions relating to Sensitive Information;
implement appropriate access controls and secure all credentials (including API keys);
ensure removal requests are accurate and lawful and submitted only where Customer has authority.
5. Authority and Verification
Customer represents and warrants that it has the legal right and authority to submit Customer Data to the Services and to request removals on its own behalf or on behalf of a third party (including where Customer acts as an authorized agent). Serus may request reasonable verification (including identity or authorization documentation) to process a removal request, comply with applicable law, or prevent abuse. Serus may refuse, restrict, or suspend processing of any request that it reasonably believes is unauthorized, inaccurate, fraudulent, abusive, or unlawful.
6. Confidentiality
6.1 Personnel confidentiality
Serus will ensure that personnel authorized to process Customer Data are subject to confidentiality obligations appropriate to their role and receive appropriate privacy/security training.
6.2 Disclosure restrictions
Serus will not disclose Customer Data to any third party except (a) as instructed by Customer through use of the Services (including removal requests), (b) to Subprocessors in accordance with Section 8, or (c) as required by applicable law, in which case Serus will provide notice to Customer unless legally prohibited.
7. Security Measures
Serus will implement reasonable technical and organizational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the nature of processing and the risks presented.
Such measures may include, as appropriate:
encryption in transit (e.g., TLS) and, where appropriate, encryption at rest;
access controls (least-privilege), authentication controls, and administrative safeguards;
logging and monitoring to detect suspicious activity;
vulnerability management and secure development practices;
incident response procedures and backup/recovery practices appropriate to the Services.
Serus does not represent that it maintains any specific certification (e.g., SOC 2 or ISO 27001) unless expressly stated in writing.
8. Subprocessing
8.1 Authorization to Use Subprocessors
Customer authorizes Serus to engage Subprocessors to process Customer Data for purposes of providing the Services.
8.2 Subprocessor Obligations
Serus will enter into written agreements with Subprocessors requiring them to protect Customer Data to standards that are no less protective than those in this DPA, as applicable to the services they provide.
8.3 Subprocessor list, updates, and objections
Serus maintains a list of Subprocessors at: https://www.serus.ai/subprocessors. Serus may update this list from time to time. Serus will provide notice of updates by updating the Subprocessors page and, where required by law or contract, by providing additional notice.
If Customer reasonably objects to a new Subprocessor on data protection grounds, Customer may notify Serus at support@serus.ai within thirty (30) days of the update. The parties will work in good faith to address the objection, which may include Serus providing an alternative, a workaround, or discontinuing use of the Subprocessor for Customer where commercially reasonable. If the parties cannot resolve the objection, Customer may terminate the affected Services by providing written notice, and Serus will refund any prepaid, unused Fees for the terminated portion, to the extent permitted under the Agreement.
9. International Data Transfers
9.1 Global Processing
The Services may be provided from, and Customer Data may be processed in, multiple jurisdictions, including the United States and other locations where Serus or its Subprocessors operate. Details are available in the Subprocessors list and relevant documentation.
Customer acknowledges and agrees that Serus may process Customer Data globally as described in the Subprocessors list and this DPA.
9.2 Transfer Mechanisms
To the extent Customer Data is transferred from the European Economic Area (“EEA”), the United Kingdom, or Switzerland to a country that has not been deemed to provide an adequate level of protection, the parties agree that such transfers will be governed by an applicable transfer mechanism, including:
the EU Standard Contractual Clauses (“EU SCCs”) (Commission Implementing Decision (EU) 2021/914); and/or
the UK Addendum to the EU SCCs (as issued by the UK ICO); and/or
other valid transfer mechanisms recognized under Data Protection Laws.
9.3 EU SCCs (Controller to Processor) — Incorporation and Completion
Where the EU SCCs apply, they are incorporated by reference and completed as follows:
Module: Module Two (Controller → Processor)
Clause 7 (Docking clause): Optional (included)
Clause 9 (Use of Subprocessors): Option 2 (general written authorization)
Clause 11 (Redress): Optional (not selected)
Clause 17 (Governing law): Ireland
Clause 18 (Forum): Ireland
The Annexes to the EU SCCs are set out in Schedule 1 (Annex I–III) at the bottom of this document.
For clarity, the governing law and forum selections in the EU SCCs apply only to the EU SCCs and do not replace the governing law provisions in the Agreement for other matters.
9.4 UK Addendum
Where UK GDPR applies, the EU SCCs are amended by the UK Addendum, which is incorporated by reference and completed in a manner consistent with this DPA and Schedule 1.
10. Data Subject Requests
If Serus receives a request from a data subject relating to Customer Data, Serus will, to the extent legally permitted:
notify Customer, and
provide reasonable assistance (taking into account the nature of the processing and information available) for Customer to respond.
Customer is responsible for responding to data subject requests.
11. Assistance (DPIAs and Compliance)
Serus will provide reasonable assistance to Customer, as required by Data Protection Laws and taking into account the nature of processing and information available to Serus, with:
Customer’s security and breach notification obligations;
data protection impact assessments (DPIAs) and prior consultations with regulators, where required; and
Customer’s record-keeping and compliance documentation obligations, to the extent required by Data Protection Laws and reasonably available to Serus.
12. Security Incidents (Personal Data Breaches)
Serus will notify Customer without undue delay after becoming aware of a Security Incident involving Customer Data and will provide information reasonably necessary for Customer to comply with breach notification obligations. Serus will take reasonable steps to investigate, mitigate, and remediate the incident.
13. Deletion and Return of Customer Data
Upon termination or expiration of the Services, Serus will delete or return Customer Data in accordance with the Agreement, Customer’s configuration and documented instructions, and applicable law. Customer acknowledges that certain Customer Data may remain in backups for a limited period consistent with Serus’ backup and recovery practices, and that Serus may retain limited Customer Data where required by law or for legitimate security, fraud prevention, and dispute resolution purposes.
14. Audits and Compliance Information
Upon reasonable written request, Serus will provide information reasonably necessary to demonstrate compliance with this DPA. Any audit rights must be:
limited to processing of Customer Data under this DPA,
subject to confidentiality and security restrictions,
conducted during normal business hours with reasonable advance notice, and
exercised in a manner that does not unreasonably interfere with Serus’ operations.
Any audit must be scoped to Customer Data and must not include access to Serus’ systems, source code, or information relating to other customers.
Customer will bear its own costs and, unless otherwise required by law, any audit may be conducted no more than once per 12-month period. Any audit findings and materials will be treated as Serus’ Confidential Information.
Serus may satisfy audit requests by providing third-party reports or security documentation where available. Serus does not represent that it provides SOC 2 / ISO audit reports unless expressly stated in writing.
15. U.S. State Privacy Terms (CPRA and Similar Laws)
To the extent applicable and to the extent Customer Data includes “personal information” regulated by U.S. state privacy laws where Serus acts as a “service provider” or “processor”:
Serus will process Customer Data only to provide the Services and for permitted business purposes under applicable law;
Serus will not “sell” or “share” Customer Data (as those terms are defined under CPRA) on Customer’s behalf;
Serus will not retain, use, or disclose Customer Data outside the direct relationship with Customer except as permitted by law.
16. Liability
Liability under this DPA is subject to the limitations and exclusions in the Terms of Service, unless prohibited by applicable law. Nothing in this DPA limits any liability that cannot be limited under applicable law.
17. Order of Precedence
In case of conflict, the following order of precedence applies:
the EU SCCs and/or UK Addendum (if applicable to transfers),
this DPA,
the Terms of Service and any applicable order form or written agreement.
18. Contact
For questions about this DPA or privacy requests relating to Customer Data processed under this DPA, contact:
Support: support@serus.ai
Privacy / DPO: dpo@serus.ai
Schedule 1 — SCC Annexes
Annex I — List of Parties
Data exporter (Controller): Customer (as identified in the order form or account registration)
Data importer (Processor): ANON AI Labs, Inc., Delaware, United States
Annex I.B — Description of the Transfer
Categories of data subjects
Customer’s authorized users (e.g., admins and end users under Customer’s account)
Individuals whose data is submitted by Customer into the Services (including where Customer acts as an authorized agent)
Categories of Personal Data
Depending on Customer’s use of the Services, Customer Data may include:
account data (name, email, account identifiers)
Customer-provided search inputs and monitoring targets (e.g., emails, usernames, phone numbers)
removal request details and supporting information provided by Customer
output data generated for Customer based on Customer inputs and third-party sources, to the extent it constitutes Personal Data
security and usage logs linked to Customer accounts (e.g., event logs, timestamps, IP address where applicable for security)
Special categories of data / sensitive data
The Services are not designed for Customer to upload special categories of personal data (as defined in GDPR Article 9) unless Customer has a lawful basis and appropriate safeguards. Customer may submit or access Sensitive Information (as defined in this DPA) where supported by the Services and subject to access gating and Acceptable Use restrictions. Customer controls what it submits and who can access it.
Frequency of transfer
Continuous / as initiated by Customer through the Services.
Nature of processing
Collection, storage, structuring, retrieval, analysis, transmission (including to third parties for removal requests), and deletion.
Purpose(s) of processing
Provision of the Services (including OSINT searches, monitoring, alerts, risk insights, removal requests, and platform/API/white-label functionality), security and abuse prevention, customer support, and service improvement consistent with Customer’s instructions.
Duration of processing
For the term of Customer’s use of the Services, plus limited retention as described in the Terms/Privacy Policy for security, legal compliance, and dispute resolution.
Annex II — Technical and Organizational Measures
Serus implements reasonable technical and organizational measures designed to protect Customer Data. Measures may include:
encryption in transit (TLS) and, where appropriate, encryption at rest;
access controls and least-privilege permissions;
administrative safeguards for production access;
logging and monitoring;
incident response procedures;
backup and recovery practices appropriate to the Services.
Annex III — Subprocessors
Subprocessors are listed at: https://www.serus.ai/subprocessors