Data Processing Agreement

Last updated: February 1, 2026

Scope & Purpose

This Data Processing Agreement ("DPA") forms part of the Terms of Service between the entity using the Service ("Controller") and Appvergence LLC ("Processor").

This DPA applies where the Processor processes Personal Data on behalf of the Controller in connection with providing the Service, and such processing is subject to the European Union General Data Protection Regulation ("GDPR"), the UK GDPR, or the Swiss Federal Act on Data Protection ("FADP").

The purpose of this DPA is to ensure that the processing of Personal Data is carried out in accordance with applicable data protection laws and respects the fundamental rights and freedoms of data subjects.

Definitions

Personal Data: Any information relating to an identified or identifiable natural person as defined in Article 4(1) of the GDPR.

Processing: Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.

Controller: The entity that determines the purposes and means of processing Personal Data (you, the customer).

Processor: The entity that processes Personal Data on behalf of the Controller (PrivaiShield Inc.).

Sub-processor: A third party engaged by the Processor to process Personal Data on behalf of the Controller.

Details of Processing

Subject Matter: Provision of the PrivaiShield privacy-layer service for AI interactions.

Duration: For the term of the Controller's subscription to the Service.

Nature & Purpose: Processing of account information and usage metadata to provide, maintain, and improve the Service. Content data (text, prompts) may be processed transiently through the Processor's servers for enhanced PII detection but is not permanently stored or logged for detection purposes. If the Controller enables server-side chat storage, chat messages and session titles are stored encrypted (AES-256-GCM with AWS KMS customer-managed keys) on the Processor's servers for the purpose of providing cross-device access and persistent chat history.

Categories of Data Subjects: Users of the Controller's account.

Types of Personal Data: Name, email address, profile picture, IP address, usage metrics, billing information. If server-side chat storage is enabled: chat messages, session titles, and associated session metadata (all stored encrypted).

Obligations of Processor

  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law.
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
  • Not engage another processor (sub-processor) without prior written authorization of the Controller.
  • Assist the Controller in fulfilling its obligations to respond to data subject requests.
  • Assist the Controller in ensuring compliance with GDPR Articles 32-36 (security, breach notification, DPIAs).
  • Delete or return all Personal Data at the end of the provision of services, at the Controller's choice.
  • Make available all information necessary to demonstrate compliance and allow for audits.

Security Measures

The Processor shall implement and maintain the following technical and organizational measures:

  • Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256-GCM with AWS KMS customer-managed keys).
  • Field-level envelope encryption for sensitive stored fields (chat messages, session titles, organization names, member emails) using KMS-generated data keys.
  • Privacy-first architecture with browser-based and transient server-side detection processing. Chat storage is user-controlled: local-only (default) or encrypted server storage (opt-in).
  • Regular testing, assessing, and evaluating the effectiveness of security measures.
  • Role-based access controls with least-privilege principle.
  • Incident response and business continuity procedures.
  • Employee security awareness training.

Sub-processors

The Controller hereby grants the Processor general written authorization to engage sub-processors. A current list of sub-processors is maintained at /legal/subprocessors.

The Processor shall notify the Controller of any intended changes to sub-processors at least 30 days in advance, giving the Controller the opportunity to object. If the Controller objects, the parties shall discuss a reasonable resolution.

The Processor shall ensure that each sub-processor is bound by data protection obligations no less protective than those in this DPA.

Data Subject Rights

The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under the GDPR, including:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

The Processor shall promptly forward any data subject requests received directly to the Controller. The Processor shall not respond to data subject requests directly without the Controller's authorization.

Breach Notification

The Processor shall notify the Controller without undue delay and in any event within 72 hours after becoming aware of a Personal Data breach.

The notification shall include:

  • A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned.
  • The name and contact details of the Processor's data protection contact.
  • A description of the likely consequences of the breach.
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

International Transfers (SCCs)

Where Personal Data is transferred from the EEA, UK, or Switzerland to a country that does not provide an adequate level of data protection, the parties agree that such transfers shall be subject to the Standard Contractual Clauses ("SCCs") as approved by the European Commission (Commission Implementing Decision (EU) 2021/914).

The applicable SCCs are incorporated into this DPA by reference. For transfers subject to the UK GDPR, the UK International Data Transfer Addendum to the EU SCCs shall apply.

The Processor shall implement supplementary measures as necessary to ensure that Personal Data transferred internationally receives a level of protection essentially equivalent to that guaranteed within the EEA.

Audit Rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 of the GDPR and allow for and contribute to audits and inspections.

The Controller may conduct an audit of the Processor's processing activities no more than once per year, with at least 30 days' prior written notice. Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations.

The Processor shall make its compliance documentation available to the Controller upon request as an alternative to on-site audits where appropriate.

Deletion & Return

Upon termination of the Service or upon the Controller's request, the Processor shall, at the Controller's choice, delete or return all Personal Data processed on behalf of the Controller, and delete existing copies unless applicable law requires retention.

Deletion of account data will be completed within 30 days of the request. Billing records may be retained as required by tax regulations (up to 7 years).

Content submitted for PII detection is processed transiently and discarded after detection is complete. If the Controller has enabled server-side chat storage, encrypted chat data (messages and session titles) is stored on the Processor's servers and will be deleted within 30 days of termination or upon the Controller's request. The Controller may also delete server-stored chat data at any time by switching to local storage in Account Settings or by deleting individual sessions. Chat data stored locally in the user's browser is not accessible to the Processor.

Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service, except where such limitations are not permitted by applicable data protection law.

Each party shall be liable for damages caused by processing that infringes the GDPR in accordance with Article 82 of the GDPR.

Term & Termination

This DPA is effective from the date the Controller begins using the Service and shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller.

This DPA shall automatically terminate upon termination of the Terms of Service. Provisions of this DPA that by their nature should survive termination (including data deletion obligations and liability provisions) shall survive.

Legal Notice: This DPA is provided as a scaffold document. While it contains standard GDPR data processing provisions, Controllers should have this agreement reviewed by qualified legal counsel before relying on it as a binding agreement.