Sema

Legal

Data Processing Addendum

Last updated June 22, 2026.

This Data Processing Addendum ("DPA") forms part of the agreement between Sema, Inc. and customers ("Controller") who use Sema to process personal data.

Roles

  • For personal data processed on the Controller's behalf, the Controller is the data controller and Sema is the data processor.
  • Sema processes personal data only on documented instructions from the Controller, including with regard to international transfers.

Processing scope

  • Subject matter: provision of the Sema semantic-layer service. Duration: the term of the agreement.
  • Nature and purpose: hosting, querying, glossary generation, and governance over Controller data sources.
  • Categories of data subjects and data are determined by the Controller's connected sources.

Security

  • Sema implements appropriate technical and organizational measures, including encryption, access control, and audit logging, as described in our Trust page.

Subprocessors

  • The Controller authorizes Sema to engage the subprocessors listed on our Subprocessors page. Sema imposes data-protection obligations on each and remains responsible for their performance.

Data subject rights & breach

  • Sema assists the Controller in responding to data-subject requests and notifies the Controller without undue delay upon becoming aware of a personal-data breach.

Return & deletion

  • On termination, Sema deletes or returns personal data in accordance with the agreement, except where retention is required by law.

Contact

  • To execute a signed DPA, email privacy@semalayer.com.