Data Processing Agreement

Last updated: June 23, 2026

1. Scope and Purpose

This Data Processing Agreement (DPA) governs the processing of personal data by Gearbox on behalf of its customers in connection with the Gearbox platform. It forms part of the Master Services Agreement between Gearbox and the customer.

2. Definitions

Capitalized terms used in this DPA have the meanings given in the Master Services Agreement or, if not defined there, the meanings given in applicable data protection laws including the GDPR and CCPA.

3. Data Processing Details

Gearbox processes device inventory data, telemetry data, and procurement data on behalf of the customer. This includes device identifiers, serial numbers, IP addresses, and operational status data. Gearbox does not process any special categories of personal data.

4. Data Anonymization

For the multi-operator data moat feature, Gearbox applies differential privacy (epsilon between 0.5 and 1.0) to all aggregated data. Raw tenant data never leaves the customer's isolated environment. Federated learning ensures that only model gradients, not raw data, are shared across tenants.

5. Data Security

Gearbox maintains technical and organizational measures including TLS 1.3 for data in transit, AES-256 for data at rest, role-based access control, and quarterly penetration testing. SOC 2 Type II certification is in progress.

6. Breach Notification

Gearbox will notify the customer within 72 hours of becoming aware of a personal data breach affecting customer data. Notification will include the nature of the breach, categories of data affected, and remediation steps.

7. International Transfers

Gearbox processes data in the United States. For customers in the European Economic Area, the UK, or Switzerland, the transfer is governed by Standard Contractual Clauses (SCCs) approved by the European Commission. A copy of the SCCs is available upon request.

8. Sub-processors

Gearbox uses the following sub-processors: Railway (cloud infrastructure), Neo4j Aura (graph database), and TimescaleDB (time-series database). All sub-processors are bound by data processing agreements consistent with this DPA. Customers will be notified at least 30 days before any new sub-processor is engaged.

9. Audit Rights

Upon 30 days' written notice, Gearbox will provide the customer with access to its SOC 2 Type II report or equivalent audit documentation. Additional audit rights may be exercised no more than once per 12-month period, subject to confidentiality obligations.

10. Data Subject Rights

Gearbox will assist the customer in responding to data subject requests under applicable data protection laws. The customer retains control over all personal data processed through the platform.

11. Data Retention and Deletion

Upon termination of the agreement, Gearbox will delete all customer data within 30 days unless retention is required by applicable law. Customers may request earlier deletion at any time.

12. Contact

For data protection inquiries, contact Gearbox at dpo@gearbox.ai or Gearbox, Inc., 123 Network Lane, San Francisco, CA 94105, United States.

13. Governing Law

This DPA is governed by the laws of the State of New York. Any disputes arising under this DPA shall be resolved in accordance with the dispute resolution provisions of the Master Services Agreement.