Data Processing Agreement

Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between SecureAIFlow ("Processor") and the customer ("Controller").

This DPA reflects the parties' agreement with respect to the processing of personal data in accordance with the General Data Protection Regulation (GDPR), Article 28.

By using SecureAIFlow services, the Controller agrees to the terms of this DPA.

Scope of Processing

Subject Matter

SecureAIFlow provides an AI security and governance platform that processes data submitted by the Controller through its VS Code extension, browser plugin, and API gateway.

Nature and Purpose

• Detection and redaction of sensitive data (PII, credentials, secrets)
• Prompt sanitization before transmission to third-party AI providers
• Pseudonymization of detected sensitive values
• Logging and monitoring for security, compliance, and usage analytics

Duration

Processing continues for the duration of the Agreement between the Controller and SecureAIFlow.

Categories of Data

Types of Personal Data

• User-generated prompts and code snippets
• Personal identifiable information (PII) — names, emails, phone numbers
• Credentials, API keys, or sensitive tokens (if included in prompts)
• Usage metadata (token counts, timestamps, provider routing)

Categories of Data Subjects

• Employees of the Controller
• Customers of the Controller
• End-users interacting through AI-powered tools

Processor Obligations

SecureAIFlow shall:

• Process personal data only on documented instructions from the Controller
• Ensure that all personnel with access to personal data are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Assist the Controller in fulfilling obligations under GDPR, including data subject rights and breach notification
• Delete or return all personal data upon termination of services, unless retention is required by applicable law
• Make available all information necessary to demonstrate compliance with GDPR Article 28

Security Measures

SecureAIFlow implements industry-standard security measures, including but not limited to:

• Data minimization — prompts are processed in transit; original values are not stored
• Cryptographic pseudonymization — sensitive values are irreversibly replaced
• Encryption in transit (TLS 1.2+) and at rest
• Role-based access control (RBAC) across all platform surfaces
• Audit logging and monitoring of all AI interactions
• Infrastructure-level isolation for on-premises deployments

Additional details on security measures are available upon request.

Subprocessors

The Controller authorizes SecureAIFlow to engage subprocessors for the delivery of its services.

SecureAIFlow shall notify the Controller of any intended changes to its subprocessors, providing reasonable opportunity to object. All subprocessors are bound by data protection obligations consistent with this DPA.

International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), SecureAIFlow ensures appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) as approved by the European Commission
• Additional technical safeguards — prompt sanitization and pseudonymization applied before data leaves the Controller's environment
• Data residency options (EU, US, or on-premises) where applicable

Data Subject Rights

SecureAIFlow shall assist the Controller in responding to data subject requests exercising their rights under GDPR, including:

• Right of access
• Right to rectification
• Right to erasure
• Right to restriction of processing
• Right to data portability

Audit Rights

The Controller may request reasonable information to verify SecureAIFlow's compliance with this DPA. Audits shall be:

• Limited to once per calendar year
• Subject to reasonable advance notice (minimum 30 days)
• Conducted during business hours without disrupting operations
• Subject to appropriate confidentiality obligations

Data Breach Notification

SecureAIFlow shall notify the Controller without undue delay — and in any event within 72 hours — upon becoming aware of a personal data breach affecting the Controller's data.

The notification shall include the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed to address the breach.

Return and Deletion of Data

Upon termination of the Agreement, SecureAIFlow shall, at the Controller's election:

• Delete all personal data processed under this DPA, or
• Return all personal data to the Controller in a standard, machine-readable format

Unless retention is required by applicable EU or Member State law.

Liability

Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Terms of Service, unless otherwise required by applicable data protection law.

Contact

For questions, requests, or notifications regarding this DPA: