Skip to main content
Legal · DPA

Your data, your cloud.

Last updated: June 21, 2026

This is what makes us different. Because we design, build, and operate agentic AI inside your own cloud on Google Cloud, Amazon Web Services, or Microsoft Azure, you stay the controller of your data and Segment360 acts only as a limited processor. The data the agents touch stays in your account, in your region. We do not copy it out to Segment360, we do not store it on our systems, and we do not sell or share it. We reach it only through least-privilege roles you grant and can revoke at any time. This page summarizes that arrangement. The full Data Processing Agreement (DPA) governs in detail and is available on request.

1. Roles of the parties

For personal data processed by the agents we operate on your behalf, you are the controller, or a processor acting for another controller, and you determine the purposes and means of the processing. Segment360 acts as your processor and, under United States privacy laws such as the California Consumer Privacy Act, as a service provider. We process that personal data only on your documented instructions, including with regard to transfers, unless law requires otherwise, in which case we tell you first where permitted.

Because our agents run inside your own cloud, most deployments involve no transfer of personal data to Segment360 at all. The data never leaves your control. In those deployments our role is limited to building, configuring, and operating software that runs against data you already hold. We do not act as a controller of your operational or end-user data, and we will not process it for our own purposes.

2. Subject matter and duration

The subject matter of the processing is the operation of the agentic systems we build for you. The duration is the term of your engagement, plus any short wind-down period needed to remove our access and confirm closure. The nature and purpose are to deliver the functions you have asked the agents to perform, for example customer service, analytics, and workflow automation.

  • Categories of data subjects: as determined by you, typically your customers, prospects, patients, or end users.
  • Categories of personal data: as determined by you and the systems the agents are connected to.
  • Special categories of data: only where you direct it and the appropriate safeguards are in place.
  • Processing operations: access, computation, and generation performed by the agents within your environment, as configured by you.

3. Where your data lives

The agents run inside your own cloud account. The personal data they process stays in your account and your chosen region. We do not copy that data out to Segment360 systems, we do not replicate it to infrastructure we own, and we do not retain a separate copy. Your data stays in your cloud. This is the foundation that the rest of this DPA rests on.

4. Our access: least privilege, audit trail, kill-switch

We access your environment only through identity and access management roles that you grant, scoped to the least privilege our operators and agents need to do the work. Access is auditable and revocable by you, without involving us.

  • Least-privilege roles, scoped to specific resources and actions rather than broad administrative rights.
  • A full audit trail of our access, recorded in your own cloud logging so you can review it independently and in real time.
  • A kill-switch: you can revoke our roles at any moment and cut off our access immediately. There is no Segment360-held copy that survives that revocation.
  • No standing keys to your data outside the roles you control. When the engagement ends, the roles end.

5. Confidentiality of personnel

Everyone at Segment360 who can access your environment is bound by written confidentiality obligations that survive the end of their engagement with us. We limit access to those who need it for your project, we provision it through your roles, and we remove it promptly when it is no longer needed.

6. Security measures (technical and organizational)

Our approach is architecture-first. By keeping your data inside your cloud and reaching it only through scoped, revocable roles, we remove the largest category of risk that a traditional vendor introduces, which is copying your data into a third party's systems. On top of that posture we apply technical and organizational measures (TOMs) appropriate to the processing.

  • Encryption of data in transit and at rest, using your cloud provider's native controls.
  • Strong authentication and least-privilege access for our operators.
  • Logging and monitoring of agent and operator activity in your own environment.
  • Secure development, code review, and change-management practices for the agents we build.
  • Segregation of duties and prompt deprovisioning of access when roles change or end.

Segment360 is not yet SOC 2, HIPAA, or ISO 27001 certified. These programs are in progress. We do not claim to be certified, attested, or compliant under any of them until they are formally completed. We will tell you accurately where each program stands on request.

7. Subprocessors

The most important point about subprocessors is that your cloud provider is your own, contracted directly by you under your own agreement. It is not a subprocessor we impose, and your data stays within infrastructure you control. For Segment360's own operations we may engage a small number of subprocessors in supporting categories, for example development tooling and business systems, and only in connection with running our company, never to hold your operational or end-user data.

  • We engage subprocessors only under written terms with data-protection obligations no less protective than this DPA.
  • We maintain a current list of our subprocessors at our subprocessors page and provide it on request.
  • We give you advance notice of intended additions or changes so you have the opportunity to object.
  • We remain responsible to you for the performance of any subprocessor we engage.

8. International transfers

Because the agents run inside your cloud, your data stays in the region you choose. We do not move personal data to another country as part of operating the agents. Where any limited transfer is ever required in connection with our own support activities, we put an appropriate transfer mechanism, such as Standard Contractual Clauses, in place before doing so, and only to the extent necessary.

9. Assistance with data-subject requests

Taking account of the nature of the processing, we assist you with appropriate technical and organizational measures, so far as possible, in responding to requests from data subjects to exercise their rights, such as access, correction, deletion, restriction, and portability. Because the data sits in your environment, you retain direct control to act on these requests, and we support you in locating and acting on the relevant data. If a data subject contacts us directly, we promptly refer them to you.

10. Personal data breach notification

If we become aware of a personal data breach affecting personal data we process on your behalf, we notify you without undue delay after becoming aware. Our notice describes, to the extent known, the nature of the incident, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it. We cooperate with you so that you can meet your own notification obligations to regulators and individuals.

11. Healthcare and HIPAA

For healthcare clients, Segment360 will sign a Business Associate Agreement (BAA) governing protected health information. The same architecture applies: the agents run inside your cloud and the protected health information stays in your environment. The BAA sets out the specific safeguards, permitted uses, and obligations required under United States health-privacy law, and it controls over this DPA for protected health information.

12. Return and deletion of data

At the end of the engagement you decide, within your own environment, what happens to the data, because it has been in your control the whole time. On your request we help you confirm that our access has been removed and that any agent artifacts, configuration, or models we placed in your environment are returned or deleted, except where you ask us to retain them or law requires retention. We hold no separate copy of your operational or end-user data to return or delete.

13. Audits and information

We make available to you the information reasonably necessary to demonstrate compliance with this DPA, and we contribute to audits, including inspections, conducted by you or an auditor you appoint, on reasonable notice and subject to confidentiality. Much of what you need is already visible to you directly: our access and the agents' activity are recorded in your own cloud logs, which you can review at any time.

14. How to request the full DPA and BAA

This page is a summary. The full DPA contains the complete terms, definitions, and annexes, including the processing details, the technical and organizational measures, and the subprocessor list, and it governs in the event of any conflict with this summary. To receive the full DPA, and a BAA where applicable, email legal@segment360.com.

Questions?

Email legal@segment360.com for the full DPA, a BAA, or help understanding how this applies to your deployment. Segment360, LLC is a B2B company headquartered in San Ramon, California, USA, and this agreement is governed by the laws of the State of California, USA.