Data Processing Agreement
Last updated: February 2026
This Data Processing Agreement ("DPA") forms an integral part of the Terms of Service ("Main Agreement") between Privengy ("Processor") and the Customer ("Controller"). This DPA reflects the parties' agreement regarding the terms governing the processing of Personal Data under the Main Agreement, in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD).
1. Definitions
The terms "Personal Data", "Data Subject", "Processing", "Controller" and "Processor" shall have the meanings given in the GDPR.
- "Customer Data": Any personal data provided by the Controller to the Processor, or collected by the Processor on behalf of the Controller, through the use of the Services (including employee data and AI usage metadata).
- "Subprocessor": A third party engaged by Privengy to process Customer Data on behalf of the Controller.
- "Personal Data Breach": A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data.
2. Scope and Duration
2.1 The Processor shall process Personal Data on behalf of the Controller solely to provide the AI Governance services described in the Main Agreement. The details of the processing (nature, purpose, categories of data subjects, and types of personal data) are specified in Annex 1.
2.2 The duration of this DPA shall be equal to the term of the Main Agreement. The Processor's obligations under this DPA shall continue for as long as the Processor processes Customer Data on behalf of the Controller.
3. Processor Obligations
The Processor undertakes to:
- 3.1 Documented Instructions: Process Personal Data only following the Controller's documented instructions (which include this DPA and the use of the Service's configuration), unless required otherwise by EU or Member State law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such notification.
- 3.2 Confidentiality: Ensure that all persons authorized to process the data (employees, contractors) have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
- 3.3 Security (Art. 32 GDPR): Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Annex 2.
- 3.4 Subprocessors: Not engage another subprocessor without the Controller's prior general written authorization. The Controller accepts the current list of subprocessors detailed in Annex 3. Privengy shall notify the Controller of any intended changes at least 30 days in advance, giving the Controller the opportunity to object (see Section 7).
- 3.5 Data Subject Rights: Assist the Controller, through appropriate technical and organizational measures and insofar as possible, in fulfilling the Controller's obligation to respond to data subject requests (see Section 5).
- 3.6 Compliance Assistance: Assist the Controller in ensuring compliance with obligations regarding security, breach notification, and Data Protection Impact Assessments (DPIAs), taking into account the nature of the processing and the information available to the Processor.
- 3.7 Breach Notification: Notify the Controller without undue delay (and in any event within 48 hours) upon becoming aware of a Personal Data Breach (see Section 6).
- 3.8 Data Deletion: At the Controller's choice, delete or return all Personal Data upon termination of services, and delete existing copies unless EU or Member State law requires retention (see Section 10).
4. Controller Obligations
The Controller warrants that:
- 4.1 There is a valid legal basis under the GDPR and applicable employment law for the processing of personal data of its employees and end users through Privengy.
- 4.2 It has duly informed its employees about the nature of the monitoring and the use of AI governance tools, in accordance with applicable data protection and employment laws.
- 4.3 Its instructions to Privengy are lawful and comply with applicable data protection laws.
- 4.4 It shall conduct a Data Protection Impact Assessment (DPIA) where required by applicable law prior to deploying the AI Radar browser extension.
5. Data Subject Rights
Privengy shall assist the Controller in responding to data subject requests to exercise their rights under the GDPR, including:
- Right of access (Article 15 GDPR)
- Right to rectification (Article 16 GDPR)
- Right to erasure (Article 17 GDPR)
- Right to restriction of processing (Article 18 GDPR)
- Right to data portability (Article 20 GDPR)
- Right to object (Article 21 GDPR)
If Privengy receives a request directly from a data subject, it shall promptly notify the Controller and shall not respond to the request without the Controller's instructions, unless required by law.
6. Data Breach Notification
In the event of a Personal Data Breach affecting Customer Data, Privengy shall notify the Controller without undue delay (and in any event within 48 hours) and provide sufficient information to allow the Controller to meet its obligations under Articles 33 and 34 of the GDPR, including:
- The nature of the breach, including categories and approximate number of data subjects and records affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its adverse effects
- Contact details of Privengy's point of contact for further information
Privengy shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
7. Subprocessors
The Controller provides general authorization for Privengy to engage the subprocessors listed in Annex 3. Privengy shall inform the Controller of any intended changes to the subprocessor list at least 30 days in advance, giving the Controller the opportunity to object.
If the Controller objects to a new subprocessor on reasonable data protection grounds, the Controller may terminate the affected Services by providing written notice within 30 days of being notified of the change. Privengy shall refund any prepaid fees covering the remainder of the subscription term after termination.
Each subprocessor is bound by a data processing agreement that imposes data protection obligations no less protective than those in this DPA.
8. International Data Transfers
If Personal Data is transferred outside the European Economic Area (EEA) to a country that does not have an adequacy decision from the European Commission, Privengy shall ensure that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision 2021/914)
- EU-US Data Privacy Framework certification where applicable
- Transfer Impact Assessments (TIAs) conducted for each transfer
- Additional technical measures including encryption in transit and at rest
9. Audits
Privengy shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in Article 28 of the GDPR. Privengy shall allow and contribute to audits, including inspections, carried out by the Controller or another auditor mandated by the Controller, subject to the following conditions:
- Audits shall be limited to once per year, with at least 30 days' prior written notice
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt Privengy's operations
- The Controller shall bear its own costs for any audit, unless the audit reveals a material breach by Privengy
- Privengy may satisfy audit requests by providing relevant certifications or third-party audit reports (e.g., SOC 2 Type II)
10. Data Return and Deletion
Upon termination of the Services or upon the Controller's written request:
- Privengy shall, at the Controller's choice, return all Customer Data in a structured, commonly used, machine-readable format (JSON export), or delete all Customer Data
- Deletion shall be completed within 30 days of the request
- Customer Data in backups shall be deleted upon the next scheduled backup rotation cycle
- Privengy shall provide written confirmation of deletion upon request
Privengy may retain Customer Data to the extent required by applicable law, in which case Privengy shall continue to protect such data in accordance with this DPA.
11. Precedence
In the event of any conflict between this DPA and the Main Agreement (Terms of Service), the terms of this DPA shall prevail with respect to the processing of Customer Data.
12. Contact
For questions about this DPA or to exercise any rights related to data processing:
- Privacy & DPA inquiries: privacy@privengy.com
- General support: support@privengy.com
Annex 1: Processing Details
A. Nature and Purpose of Processing
The processing consists of the provision of AI Governance services, Data Loss Prevention (DLP), and AI tool usage analytics ("Shadow AI"). The nature involves automated collection, storage, analysis, and reporting of AI usage metadata.
B. Categories of Data Subjects
- Employees, consultants, and contractors of the Controller (End Users)
- Administrators of the Controller's account
C. Types of Personal Data
- Identification Data: Name, email address, corporate user ID.
- Technical Data: IP address, browser type, operating system, device identifiers.
- Behavioral/Usage Data:
  - Names and domains of AI applications visited
  - Access timestamps
  - Session duration
- Prompt Metadata: Word count, character count, risk classification, code detection, PII detection flags, sensitivity indicators.
- DLP Violation Metadata: Pattern type matched, action taken (warned/blocked/redacted), match count.
Privacy by Design: Privengy does NOT store the content of prompts or AI responses by default. The "AI Radar" technology processes prompt content locally in the end user's browser. Only metadata and security alerts are transmitted to Privengy's servers. Prompt content may only be retained when the Controller explicitly configures DLP forensic incident logging.
Annex 2: Technical and Organizational Security Measures (TOMs)
Privengy implements the following measures to protect Customer Data:
Encryption
- All data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Encrypted backups with access controls
Data Minimization (Privacy-First)
- AI Radar processes prompt content locally in the browser; only metadata is transmitted to servers
- DLP pattern matches record only pattern metadata, not the sensitive data itself
- Browser information is simplified to browser/OS family to reduce fingerprinting
- Timestamps are rounded to reduce temporal fingerprinting in analytics
- Sensitive fields are automatically redacted in audit logs
Access Controls
- Production data access restricted based on least-privilege principle
- Multi-factor authentication (MFA) mandatory for administrative personnel
- Role-based access controls (RBAC) for all system components
- Comprehensive audit logging of all administrative actions
Infrastructure & Resilience
- SOC 2 Type II compliant hosting infrastructure
- DDoS protection via Cloudflare
- Automated daily backups with disaster recovery plans
- Incident response procedures documented and tested
Secure Development
- Regular code reviews and vulnerability scanning
- Regular security audits and penetration testing
Annex 3: Authorized Subprocessors
The Controller authorizes the use of the following subprocessors for the provision of the Service:
| Subprocessor | Purpose | Location | Data Processed |
|---|---|---|---|
| MongoDB Atlas | Database hosting and storage | EU (Ireland) | All Customer Data |
| Hetzner | Cloud infrastructure and application hosting | EU (Germany) | All Customer Data (in transit/processing) |
| Cloudflare | CDN, DDoS protection, DNS | Global (EU compliant) | Network traffic metadata |
| Stripe | Payment processing and billing | EU (Ireland) | Billing data (admin email, payment info) |
| Resend | Transactional email delivery | USA (SOC 2) | Email addresses, alert content |