Data Processing Agreement
Scope of This Agreement
This Data Processing Agreement (“DPA”) forms part of the Master Services Agreement or Terms of Service between Echelon Advising LLC (“Processor”) and the Client (“Controller”).
By executing an enterprise contract with Echelon, both parties agree to the strict handling protocols outlined in this addendum regarding any Personally Identifiable Information (PII) or Protected Health Information (PHI) transmitted through the Echelon infrastructure.
1. Roles & Responsibilities
Data Controller (You)
- Determines the purposes and means of processing
- Responsible for lawful basis of data collection
- Owns all data inputs and outputs
Data Processor (Echelon)
- Processes data only on documented instructions from the Controller
- Maintains technical and organizational security measures
- Assists with data subject requests and breach notification
2. Authorized Subprocessors
Echelon utilizes specific, highly-vetted cloud hyperscalers and AI providers to deliver its capabilities. You authorize the use of the following critical subprocessors:
Supabase Inc.
Primary PostgreSQL persistence layer and Row Level Security implementation.
Amazon Web Services (AWS)
Vector database storage, raw compute, and secure networking.
Anthropic PBC
Foundation model inference API. Covered under a strict Zero-Retention Enterprise Agreement.
3. Zero-Retention Inference
The hallmark of Echelon's architecture is absolute zero-retention on generation nodes. This means:
Volatile Memory (RAM)
All proprietary documents, queries, and inference states are purged immediately upon output generation.
Non-Volatile Memory (Disk)
No intermediate states are written outside of the Client's isolated Supabase partition.
Model Training
Zero client data is used to train, fine-tune, or evaluate foundation models under any circumstances.
Logging
Only metadata (timestamps, token counts, latency) is logged for billing and SLA monitoring purposes.
4. Security Controls
Echelon implements and maintains technical and organizational measures to ensure an appropriate level of security:
Encryption in Transit
TLS 1.2+ for all API communications and data transfers.
Encryption at Rest
AES-256 encryption for all stored data including vector embeddings.
Network Isolation
Isolated Virtual Private Cloud (VPC) architecture for Enterprise tier clients.
Continuous Monitoring
24/7 network monitoring with real-time anomaly detection and alerting.
Penetration Testing
Annual third-party black-box penetration testing with remediation SLAs.
Access Control
Strict logical access controls — Echelon engineers require explicit, time-boxed authorization to access any client data.
5. Data Subject Rights & Incident Management
Data Subject Requests
Echelon will assist the Client, insofar as possible, to fulfill obligations to respond to Data Subject requests including:
- Right to Erasure
- Data Portability
- Access Requests
- Rectification
Breach Notification
In the event of a confirmed Security Breach affecting Client Data, Echelon will notify the Client without undue delay and within 48 hours of discovery. The notification will include:
- Nature and scope of the breach
- Categories and approximate number of records affected
- Measures taken or proposed to mitigate the breach