Version 1.0 — December 2, 2025
Data Processing Agreement
Standard Contractual Clauses for GDPR Compliance
This Data Processing Agreement ("DPA") forms part of the Terms of Service between SafePipe EU GmbH ("Processor") and you ("Controller") for the use of SafePipe services.
1. Definitions
- "Controller" means the entity that determines the purposes and means of the processing of Personal Data (you, the customer).
- "Processor" means SafePipe EU GmbH, which processes Personal Data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament.
2. Roles and Responsibilities
2.1 Controller Responsibilities
As the Controller, you are responsible for:
- Ensuring you have a valid legal basis for processing Personal Data
- Obtaining all necessary consents from data subjects
- Providing clear privacy notices to data subjects
- Responding to data subject requests (with our assistance as needed)
- Ensuring the data you process through SafePipe complies with applicable laws
- Implementing appropriate security measures on your end
2.2 Processor Responsibilities
As the Processor, SafePipe is responsible for:
- Processing Personal Data only on documented instructions from the Controller
- Ensuring personnel are bound by confidentiality obligations
- Implementing appropriate technical and organizational security measures
- Assisting the Controller in responding to data subject requests
- Notifying the Controller of any Personal Data breach without undue delay
- Deleting or returning all Personal Data upon termination
3. Subject Matter and Duration
| Subject Matter | API proxy services for AI applications, including PII redaction and content filtering |
| Duration | For the duration of the Service Agreement, plus 30 days for data deletion |
| Nature of Processing | Transit processing (pass-through proxy), PII detection and redaction |
| Categories of Data Subjects | End-users of the Controller's applications |
| Types of Personal Data | As determined by the Controller; may include names, emails, phone numbers in prompts |
4. Processing Instructions
The Processor shall process Personal Data only in accordance with:
- This DPA
- The Terms of Service
- The Controller's documented instructions
- Applicable data protection laws
If the Processor believes that an instruction infringes GDPR or other data protection laws, it shall immediately inform the Controller.
5. Security Measures
The Processor implements the following technical and organizational measures:
Technical Measures
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- Zero data persistence for request content (RAM-only processing)
- Firewall and intrusion detection systems
- Regular vulnerability scanning and patching
- Automated backups with encryption
Organizational Measures
- Access control and principle of least privilege
- Employee confidentiality agreements
- Regular security training for staff
- Incident response procedures
- Business continuity planning
6. Sub-processors
The Controller authorizes the Processor to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure | Frankfurt, Germany (EU) |
| Supabase | Database & authentication | EU region |
| Stripe | Payment processing | EU/US (SCCs in place) |
| Vercel | Application hosting | EU region |
The Processor will notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object.
7. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object
8. Data Breach Notification
In the event of a Personal Data breach, the Processor shall:
- Notify the Controller without undue delay and within 24 hours
- Provide details of the breach, including categories of data affected
- Describe likely consequences and measures taken
- Cooperate with the Controller in investigating and mitigating the breach
9. Data Transfers
The Processor shall not transfer Personal Data to countries outside the European Economic Area (EEA) unless:
- The country has an adequacy decision from the European Commission
- Standard Contractual Clauses (SCCs) are in place
- Other appropriate safeguards under GDPR Article 46 are implemented
10. Audits
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA. The Controller may conduct audits, including inspections, subject to:
- 30 days' advance written notice
- Reasonable confidentiality obligations
- Not interfering with normal business operations
- Controller bearing the costs of the audit
11. Termination and Data Deletion
Upon termination of the Service Agreement:
- The Processor shall delete or return all Personal Data within 30 days
- The Controller may request a certificate of deletion
- The Processor may retain data required by law (e.g., billing records)
12. Governing Law
This DPA shall be governed by the laws of the Federal Republic of Germany. Any disputes shall be resolved by the courts of Frankfurt am Main, Germany.
13. Contact
For questions about this DPA:
SafePipe EU GmbH
Data Protection Officer
Email: dpo@safepipe.eu
By using SafePipe services, you agree to this Data Processing Agreement. No separate signature is required—acceptance of the Terms of Service incorporates this DPA by reference.