1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Guardia AI Ltd, a company registered in England and Wales (company number 17326182) with its registered office at 20 Wenlock Road, London, N1 7GU, United Kingdom ("Guardia-AI", "Processor", "we", "us"), and the entity agreeing to these terms ("Controller", "you", "Customer").
This DPA applies where and only to the extent that Guardia-AI processes Personal Data on behalf of the Customer in the course of providing the Services, and such Personal Data is subject to European Data Protection Laws.
2. Definitions
- "GDPR" means the General Data Protection Regulation (EU) 2016/679.
- "Personal Data" has the meaning given in the GDPR.
- "Processing" has the meaning given in the GDPR.
- "Data Subject" means the individual to whom Personal Data relates.
- "Sub-processor" means any third party engaged by Guardia-AI to process Personal Data.
3. Scope of Processing
3.1 Subject Matter
The subject matter of the processing is the provision of the Guardia-AI compliance platform, including risk classification, bias assessment, documentation generation, and audit logging services.
3.2 Nature and Purpose
Personal Data is processed for the purpose of providing the Services as described in the Terms of Service, specifically:
- Processing AI system metadata and configurations
- Analyzing datasets for bias assessment
- Generating compliance documentation
- Maintaining audit logs
- Providing customer support
3.3 Types of Personal Data
The following types of Personal Data may be processed:
- Account information (email, name, company)
- Usage data and analytics
- Data uploaded for bias assessment (which may include demographic data)
- Audit log entries
3.4 Categories of Data Subjects
- Customer employees and authorized users
- Individuals whose data is included in uploaded datasets
4. Processor Obligations
Guardia-AI shall:
- Process Personal Data only on documented instructions from the Controller
- Ensure persons authorized to process Personal Data have committed to confidentiality
- Implement appropriate technical and organizational security measures
- Assist the Controller in responding to Data Subject requests
- Assist the Controller in ensuring compliance with GDPR Articles 32-36
- Delete or return all Personal Data upon termination of services
- Make available all information necessary to demonstrate compliance
5. Security Measures
Guardia-AI implements the following technical and organizational measures:
- AES-256 encryption at rest
- TLS 1.3 encryption in transit
- EU data residency (Frankfurt)
- Role-based access control
- Immutable audit logging
- Regular security assessments and penetration testing
- Incident response procedures
- Employee security training
6. Sub-processors
6.1 Authorization
The Customer authorizes Guardia-AI to engage Sub-processors to assist in providing the Services, subject to the conditions in this Section.
6.2 Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database & Authentication | EU (Frankfurt) |
| Stripe | Payment Processing | EU/US (with SCCs) |
| OpenAI | AI Documentation Assistance | US (with DPA) |
| Resend | Email Delivery | EU |
6.3 Notification of Changes
Guardia-AI will notify the Customer of any intended changes to Sub-processors at least 30 days in advance. The Customer may object to such changes.
7. International Transfers
Personal Data is primarily stored in the EU. Where transfers to third countries are necessary, appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- Assessment of third country legal framework
- Supplementary measures where required
8. Data Subject Rights
Guardia-AI will assist the Controller in responding to Data Subject requests, including:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
9. Data Breach Notification
In the event of a Personal Data breach, Guardia-AI will:
- Notify the Controller without undue delay (within 24 hours of becoming aware)
- Provide information about the nature of the breach, categories and numbers of records affected
- Describe likely consequences and measures taken to address the breach
- Cooperate with the Controller's investigation and notification obligations
10. Audit Rights
Upon reasonable notice, and subject to confidentiality obligations, Guardia-AI will make available to the Controller information necessary to demonstrate compliance with this DPA, and allow for audits conducted by the Controller or an auditor mandated by the Controller.
11. Term and Termination
This DPA remains in effect for the duration of the Services. Upon termination:
- Guardia-AI will delete or return all Personal Data within 30 days
- Audit logs may be retained for regulatory compliance (up to 7 years)
- Upon request, Guardia-AI will certify deletion in writing
12. Contact
For questions about this DPA or to exercise your rights:
- Email: dpo@guardia-ai.com
- Data Protection Officer: Available for Enterprise customers