Data Processing Addendum

Subject matter and nature of processing

The Processor provides an AI inference proxy that: (a) receives prompts from the Controller's systems, (b) detects and replaces personally identifiable information with synthetic tokens, (c) forwards anonymized prompts to designated AI providers, (d) reverses tokenization on responses, and (e) returns de-anonymized responses to the Controller.

Personal data is processed exclusively in memory during the request lifecycle. No prompt content is written to persistent storage.

Categories of data subjects and personal data

Data subjects

End users of the Controller's AI-enabled products and services whose prompts are routed through the Processor.

Categories of personal data

• Names, identifiers, and contact details (detected and tokenized)
• Health-related information (PHI), where applicable
• Financial identifiers (IBAN, card numbers), where applicable
• National identification numbers (SSN, DNI/NIF), where applicable
• Any other PII present in user-submitted prompts

The Processor processes audit metadata on a persistent basis: timestamp, pii_types detected (not values), routed_to, latency_ms. This metadata does not identify individuals.

Purposes and legal basis

Processing is carried out solely for the purpose of providing the Privedge anonymization service as described in Clause 1. The Processor acts only on documented instructions from the Controller. No processing for the Processor's own purposes occurs.

Sub-processors

The Processor engages the following sub-processors. The Controller hereby grants general authorization for these sub-processors:

• Cloudflare, Inc. — Edge compute runtime (Workers). Processing location: distributed globally, EU region for EU customers. Certifications: SOC 2 Type II, ISO 27001, HIPAA-eligible.
• Cloudflare, Inc. — Audit log storage (R2). Enterprise tier only. No prompt content stored.

The Processor shall notify the Controller of any intended addition or replacement of sub-processors with reasonable advance notice. The Controller may object within 14 days.

Data retention and deletion

• Prompt content: Zero retention. Processed in-memory, never written to storage.
• Token maps: Destroyed upon request completion (V8 isolate teardown).
• Audit metadata (Pro): 30 days from creation date.
• Audit metadata (Enterprise): As specified in the main service agreement.
• Deletion on termination: All retained data deleted within 30 days of contract end.

Technical and organisational security measures

• All data in transit encrypted with TLS 1.3
• Each request processed in an isolated V8 sandbox (Cloudflare Workers) — zero shared state between requests
• Audit logs encrypted at rest with AES-256 (Cloudflare R2)
• Access controls: principle of least privilege; no Privedge personnel access to prompt content
• Processor infrastructure certified: SOC 2 Type II, ISO 27001, HIPAA-eligible (via Cloudflare)
• Incident response: breach notification to Controller within 24 hours of discovery

Data subject rights

The Processor shall assist the Controller in responding to data subject requests (access, rectification, erasure, restriction, portability) insofar as technically feasible. Given that prompt content is not stored, most erasure requests are satisfied by architecture. The Processor shall forward any requests received directly from data subjects to the Controller within 5 business days.

Breach notification

The Processor shall notify the Controller without undue delay, and in any event within 24 hours, after becoming aware of a personal data breach. Notification shall include: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.

Audit rights

The Controller may request reasonable information to verify compliance with this Addendum. The Processor shall make available all information necessary to demonstrate compliance and shall allow for and contribute to audits, including inspections, subject to reasonable advance notice and confidentiality obligations.

Termination and return of data

Upon termination of the main service agreement, the Processor shall delete all retained data within 30 days and provide written confirmation. Self-hosted deployments retain no data on the Processor's systems; this clause applies to cloud-mode customers only.