Data Processing Agreement (DPA)
This Data Processing Agreement ("DPA") governs the processing of personal data by SovereignShield on behalf of the Customer.
1. Roles of the Parties
For the purposes of GDPR and similar data protection laws, the Customer is the Data Controller, and SovereignShield is the Data Processor.
2. Details of Processing
- Subject Matter: Security scanning of text payloads submitted by the Customer.
- Duration: Data is held for a maximum of 30 days before automated deletion.
- Nature and Purpose: To protect AI applications from malicious injections and to dynamically train the AdaptiveShield engine (only when explicitly submitted to the /report endpoint).
- Categories of Data: Text strings that may incidentally contain PII (e.g., credit card PANs, SSNs), which our filters attempt to redact or block.
3. Security Measures
SovereignShield employs industry-standard security measures including:
- TLS 1.3 encryption for data in transit.
- AES-256 encryption for data at rest.
- OS-backed memory protections preventing runtime modifications to the security logic.
4. Sub-processors
The Customer grants SovereignShield general authorization to engage the following sub-processors:
- Google Cloud Platform (us-central1): Infrastructure and data storage.
- LLM Providers: Only invoked if the Customer enables VetoShield API integrations.
5. Data Subject Rights
SovereignShield will provide reasonable assistance to the Customer to respond to Data Subject Access Requests (DSARs) regarding data processed by the API within the 30-day retention window.
(Note: This DPA should be reviewed by legal counsel before being executed by enterprise clients.)