Skip to content
AI-Guardian
Book a demo
Legal

Data Processing Agreement

When a Customer uses AI-Guardian to process personal data of its end users or employees, AI-Guardian acts as Processor. This DPA sets out our obligations under GDPR Art. 28 and related laws.

Version 1.0 — Effective: April 18, 2026

1. Parties and roles

This DPA is entered into between the Customer (“Controller”) and AI-Guardian (“Processor”) and supplements the Terms of Service. The Customer determines the purposes and means of processing; AI-Guardian processes personal data on the Controller's documented instructions.

2. Subject matter and duration

The subject matter is the provision of detection, redaction, and audit services for generative-AI prompts. This DPA remains in force for the duration of the Order Form and any period thereafter during which AI-Guardian continues to process personal data on behalf of the Controller.

3. Nature and purpose of processing

  • Local (in-browser) scanning of user-submitted prompts for sensitive data patterns.
  • Anonymised telemetry of detection events (category, severity, platform) for audit and analytics.
  • Account, referral, and billing administration.

4. Categories of data

AI-Guardian does not receive prompt content. The categories of personal data processed on the Controller's behalf are limited to:

  • Identifiers: user IDs, email, workspace ID.
  • Event metadata: detection category (e.g. “email”, “credit_card”), severity, framework tag (GDPR / HIPAA / SOC2), platform, timestamp.
  • Technical data: IP address, user-agent, session tokens.

Special categories of data under GDPR Art. 9 are never intentionally processed; if detected in-browser, the content is blocked locally and does not reach AI-Guardian systems.

5. Categories of data subjects

  • The Controller's employees, contractors, and authorised users.
  • Any third parties whose personal data may appear inside the Controller's prompts — noting that such content is redacted or blocked locally before transmission.

6. Processor obligations

AI-Guardian shall:

  • Process personal data only on the Controller's documented instructions, including with regard to transfers.
  • Ensure that persons authorised to process the data are bound by confidentiality.
  • Implement the technical and organisational measures set out in Schedule A (summarised below).
  • Assist the Controller with data-subject requests, DPIAs, and consultations with supervisory authorities.
  • Delete or return all personal data at the end of the service, unless Union or Member-State law requires storage.
  • Make available all information necessary to demonstrate compliance, and allow for audits.

7. Sub-processors

The Controller grants general authorisation for the use of sub-processors. AI-Guardian maintains an up-to-date list on the Privacy Policy. We will notify the Controller of intended changes at least 30 days in advance and enter into a written agreement with each sub-processor imposing the same data protection obligations.

8. International transfers

Where personal data is transferred outside the EEA, AI-Guardian relies on the European Commission's Standard Contractual Clauses (Module 2: Controller to Processor) and implements supplementary measures (encryption in transit and at rest, strict access controls).

9. Security (Schedule A — summary)

  • TLS 1.2+ for all network traffic.
  • AES-256 encryption at rest.
  • Role-based access with two-factor authentication for all staff.
  • Detailed audit logs with tamper-evident storage and minimum 30-day retention.
  • Documented incident response plan, reviewed annually.
  • Annual penetration test by an independent third party.

10. Personal data breaches

AI-Guardian will notify the Controller without undue delay and, in any event, within 72 hours of becoming aware of a personal data breach, providing the information needed for the Controller to meet its own notification obligations.

11. Audits

The Controller may audit AI-Guardian's compliance with this DPA no more than once per year (or more often where required by a supervisory authority), upon 30 days' written notice and during normal business hours. Independent third-party reports (such as SOC 2 Type II, once available) satisfy this requirement.

12. Return or deletion

On termination of the service, AI-Guardian will, at the Controller's choice, delete or return all personal data and certify deletion within 90 days, subject to any legal retention requirements.

13. Signing

Enterprise customers receive a countersigned copy of this DPA during onboarding. For an editable version, email legal@ai-guardian.app.