Data Processing Agreement (DPA)

Introduction

This Data Processing Agreement ("DPA") forms part of the SafePipe Terms of Service and applies to the processing of Personal Data by SafePipe ("Processor") on behalf of the Customer ("Controller") in compliance with the General Data Protection Regulation (GDPR).

1. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person that is processed by SafePipe on behalf of the Customer.
• "Controller" means the Customer (you) who determines the purposes and means of processing Personal Data.
• "Processor" means SafePipe, who processes Personal Data on behalf of the Controller.
• "Sub-processor" means any third party engaged by SafePipe to process Personal Data (e.g., Supabase, Stripe).
• "Data Subject" means an individual whose Personal Data is processed.

2. Scope and Purpose

SafePipe processes Personal Data solely to provide AI middleware and content moderation services as described in the Terms of Service. The types of Personal Data processed may include:

• User account information (email, name)
• API request metadata (timestamps, IP addresses)
• Detected PII in API requests (emails, phone numbers, credit cards)
• Moderation results and usage analytics

Important: SafePipe does NOT process the actual content of AI prompts or responses. We only process metadata and detection results.

3. Processor Obligations

SafePipe agrees to:

• Process Personal Data only on documented instructions from the Controller
• Ensure that persons authorized to process Personal Data are bound by confidentiality
• Implement appropriate technical and organizational measures to protect Personal Data
• Assist the Controller in responding to Data Subject requests (access, rectification, erasure)
• Delete or return Personal Data upon termination of services
• Notify the Controller of any Personal Data breaches without undue delay
• Make available information necessary to demonstrate compliance with this DPA

4. Sub-processors

SafePipe uses the following Sub-processors to deliver our service:

SafePipe ensures that all Sub-processors are bound by data protection obligations equivalent to those in this DPA. The Controller consents to the use of these Sub-processors.

SafePipe will notify the Controller of any changes to Sub-processors at least 30 days in advance. The Controller may object to the appointment of a new Sub-processor.

5. Data Security

SafePipe implements the following technical and organizational measures:

• AES-256 Encryption at Rest: Third-party provider API keys are encrypted with military-grade AES-256 encryption before storage
• SHA-256 Key Hashing: SafePipe API keys are hashed using SHA-256 and stored as non-reversible hashes
• RAM-Only Processing: AI requests (prompts, completions) are processed exclusively in RAM with immediate memory wiping after each request — never written to disk
• TLS 1.3: All data in transit is encrypted with TLS 1.3
• Access Controls: Role-based access control (RBAC) and multi-factor authentication (MFA)
• Database Security: Row-level security (RLS) in Supabase ensures data isolation per account
• Logging and Monitoring: Real-time security monitoring and anomaly detection
• Data Retention: Automatic deletion of logs after 7-30 days (depending on plan)
• Incident Response: Documented breach notification procedures (72-hour notification)
• Regular Audits: Quarterly security audits and penetration testing
• EU Data Residency: All infrastructure runs exclusively in Frankfurt, Germany (AWS eu-central-1)

6. Data Subject Rights

SafePipe will assist the Controller in fulfilling Data Subject rights under GDPR:

• Right to Access: Provide copies of Personal Data within 30 days
• Right to Rectification: Correct inaccurate Personal Data
• Right to Erasure: Delete Personal Data upon request
• Right to Data Portability: Export Personal Data in machine-readable format (JSON)
• Right to Object: Stop processing Personal Data for specific purposes

To exercise these rights, contact us at: support@safepipe.eu

7. Data Breach Notification

In the event of a Personal Data breach, SafePipe will:

• Notify the Controller without undue delay (within 72 hours of discovery)
• Provide details of the breach, affected Data Subjects, and remediation steps
• Cooperate with the Controller in notifying supervisory authorities and Data Subjects as required by GDPR

8. International Data Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA). SafePipe ensures adequate safeguards through:

• Standard Contractual Clauses (SCCs): Approved by the European Commission
• Adequate Data Protection: All Sub-processors comply with GDPR-equivalent standards

9. Data Retention

SafePipe retains Personal Data only as long as necessary to provide the Service:

• Account Data: Retained until account deletion
• API Logs (Free Plan): Deleted after 7 days
• API Logs (Pro Plan): Deleted after 30 days
• Billing Records: Retained for 7 years (legal requirement)

10. Audit Rights

The Controller may audit SafePipe's compliance with this DPA upon reasonable notice. SafePipe will provide necessary documentation and cooperate with audits.

11. Termination

Upon termination of the Terms of Service, SafePipe will:

• Delete or return all Personal Data within 30 days
• Provide written confirmation of deletion
• Retain Personal Data only if required by law (e.g., billing records)

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set forth in the Terms of Service.

13. Governing Law

This DPA is governed by the same jurisdiction as the Terms of Service and is subject to GDPR requirements.

14. Contact

For questions about this DPA or data protection, contact:

• Data Protection Officer: legal@safepipe.eu
• Privacy Team: support@safepipe.eu