# Data Processing Addendum (DPA)

**Last Updated:** June 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between PrivacyGuard AI Ltd ("Data Processor" or "Platform") and the enterprise client ("Data Controller" or "Client"). This DPA formalizes the legal relationship concerning the processing of personal data on behalf of the Client under the UK GDPR.

## 1. Roles and Scope of Processing
The Client acts as the Data Controller for all data inputted into the Platform for processing. The Platform acts as the Data Processor. The Platform shall only process Client Data based on the documented, specific workflow instructions initiated by the Client via the Platform interfaces.

## 2. Strict Prohibition on Data Extraction and Training
> **CRITICAL COMPLIANCE NOTICE:** The Platform is explicitly restricted from using Client Data for any purpose other than executing the specific workflow instructions initiated by the Client. The Platform strictly prohibits the extraction, harvesting, or exploitation of Client Data for training, fine-tuning, or optimizing the Platform’s internal machine learning models, or any downstream foundation models, without explicit, separate written authorization from the Data Controller.

## 3. Sub-processor Transparency
The Data Controller authorizes the use of downstream infrastructure dependencies (sub-processors) to deliver the service. A current list of approved sub-processors (e.g., third-party cloud hosts, database providers) is maintained by the Platform.

The Platform binds itself to notify the Data Controller at least 30 days prior to onboarding any new sub-processors that handle personal data. The Data Controller retains the legal right to object to such changes on data-protection grounds within this notice period.

## 4. Security Measures & Encryption
The Platform implements state-of-the-art administrative, physical, and technical security measures to protect Client Data against unauthorized access, alteration, or destruction. This includes, but is not limited to, AES-256 encryption at rest and TLS 1.3 encryption in transit for all data communications within our localized UK infrastructure.

## 5. Breach Notification
In the event of a confirmed personal data breach affecting Client Data, the Platform shall notify the Data Controller without undue delay, and in any event within a mandatory **72-hour breach notification window** from the moment the incident is confirmed, providing sufficient information to allow the Data Controller to meet any obligations to report to the ICO.

## 6. Assistance & Audits
The Platform shall provide reasonable assistance to the Data Controller, taking into account the nature of processing, in fulfilling the Data Controller's obligations to respond to data subject requests under the UK GDPR. The Platform shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA.
