HOVIGuard

Data Processing Agreement (DPA)

As of: 2 June 2026 — Version 1.5 · per Art. 28 GDPR

This English text is informative. The German version at hoviguard.eu/avv is the legally binding original.

1. Contracting Parties

Controller: the Customer using the HOVIGuard service under the Terms of Service.

Processor:

Ing. Dipl.-Ing. (FH) Karl J. Pilz, sole proprietorship
Sagmüllerweg 8, 5081 Anif-Niederalm, Salzburg, Austria
VAT-ID: ATU 66845907
Data protection email: datenschutz@hoviguard.eu

2. Subject Matter and Duration of Processing

HOVIGuard processes personal data exclusively on behalf of the Customer for the operation of the AI Security and Governance Gateway. Processing covers:

  • Receiving, security-checking and forwarding user prompts to AI models
  • Content inspection (PII detection, content safety using Qwen3Guard, NSFW filter)
  • Management of user accounts, roles and access rights within the tenant
  • Storage of conversations, uploaded files and configurations
  • Token and usage metering for billing
  • Audit logging for compliance evidence

Processing starts upon registration of the tenant and ends with deletion of the tenant account. After contract end, all personal data is deleted within 30 days, unless statutory retention obligations apply (§ 132 BAO, 7 years), in which case data is pseudonymised/blocked.

3. Nature and Purpose of Processing

See the German master version (§3 — Art und Zweck der Verarbeitung) for the full table of processing activities.

4. Types of Personal Data

  • Master data: name, business email, language
  • Access data: Argon2id password hash, session tokens, optional 2FA seeds
  • Usage data: prompt content, AI responses, token consumption, model selection
  • File content: documents and images uploaded by end users, plus metadata
  • Communication data: IP address (pseudonymised after 7 days), user-agent, device ID
  • Billing data: company/billing address, VAT-ID, Stripe customer ID, tokenised payment instruments (no card numbers)
  • Audit data: action logs, security decisions, policy violations

5. Categories of Data Subjects

  • Employees and agents of the Customer registered as end users of the tenant
  • Persons whose data may be contained in prompts or uploaded files (third parties)
  • Billing and contract contacts of the Customer

6. Obligations of HOVIGuard (Processor)

Bound by documented instructions; written confidentiality of staff (Art. 28(3)(b), Art. 29 GDPR); TOMs per Annex A; sub-processor list per Annex B with 30 days' prior change notice; assistance with data subject rights, DPIAs and breach notifications; data export and deletion within 30 days after contract end; Art. 30(2) records.

7. Obligations of the Customer (Controller)

Lawful basis vis-à-vis own end users; tenant configuration of security and content policies; observance of retention; Art. 13/14 information of own end users; ensure no Art. 9 special categories without legal basis; prompt notification of breaches involving HOVIGuard.

8. Audit Rights

Self-service audit log access at any time; one free TOM report per calendar year; on-site or remote audit once per year with 30 days' notice (Customer cost unless triggered by a substantiated breach); third-party certificates accepted in lieu.

9. Third-Country Transfers (Schrems II)

Primary processing within EU/EEA. Third-country transfers limited to the technical minimum and listed in Annex B: Requesty Ltd. (UK adequacy decision per Art. 45 GDPR + SCCs Modules 2/3 + UK International Transfer Addendum, processing in AWS Frankfurt), OpenAI Ireland (EU endpoint, SCCs Module 2, zero data retention), Google Cloud EMEA (Vertex AI EU multi-region, SCCs Module 2), xAI USA (SCCs Module 2, EU region eu-west-1, zero retention), Amazon Web Services EMEA SARL (Bedrock Frankfurt, SCCs Module 2) and Stripe USA (SCCs Modules 1+2 + EU-US DPF). The AI model sub-processors mostly have US parent companies; Requesty Ltd. is UK-based (adequacy decision). Data never technically leaves the EU processing region.

A Transfer Impact Assessment (EDPB Recommendations 01/2020) has been performed. Mitigations: tokenisation, TLS 1.3 + AES-256, no AI conversation content sent to Stripe, OpenAI processing forced to the EU endpoint (eu.api.openai.com) and Vertex AI to EU multi-region, xAI processing forced to EU region (eu-west-1) with contractual zero retention, IP pseudonymisation after 7 days, complaint rights with the Austrian DPA and the US Data Protection Review Court (EO 14086).

AI inference and image generation run exclusively on EU-hosted endpoints. Non-EU models are blocked at catalogue level.

10. No Training on Customer Data

Prompts and responses are not used for training or fine-tuning by HOVIGuard or any sub-processor. Primary aggregator Requesty does not train ML models on your data (Logging = Disabled = zero data retention); OpenAI (EU endpoint) and Google Vertex AI contractually exclude customer data from training. Direct routes (e.g. xAI Grok, AWS Bedrock per Service Terms §50.3) only via enterprise/zero-retention endpoints; Eden AI (image generation only) is contractually configured for zero retention.

11. Tenant Isolation

Strict logical separation by tenant_id, separate MinIO buckets per tenant, application row-level filters, tenant-specific policies, alerting on cross-tenant attempts.

12. Personal Data Breaches (Art. 33/34 GDPR)

HOVIGuard notifies the Customer of any personal data breach without undue delay, in any case within 72 hours of becoming aware of it, in text form. Target: ≤ 24 hours on business-day detection; on weekend/holiday detections up to 48–72 hours. The notification contains all Art. 33(3) GDPR information available and is updated continuously. Process per legal/INCIDENT_RESPONSE_PLAYBOOK.md.

13. Liability

Per Art. 82 GDPR. Contractual liability limited as agreed in §10 of the Terms of Service. Statutory liability for intent, gross negligence and under the GDPR remains unaffected.

14. Conclusion of Contract, Validity, Form

Standard tenants (self-service, Pro plan): acceptance of the Terms of Service constitutes acceptance of this DPA. Current version at hoviguard.eu/en/avv.

Enterprise tenants: separately signable PDF (handwritten or qualified electronic signature) on request via datenschutz@hoviguard.eu.

Order of precedence: in case of conflict between Terms of Service, Privacy Policy and this DPA, the DPA prevails on data processing matters.

Amendments with 30 days' prior notice; material amendments to the Customer's detriment trigger an extraordinary right of termination.

Form: text form (email) suffices for special instructions, audit requests, terminations and objections.

Final: Austrian law, Salzburg jurisdiction. Supervisory authority: Austrian Data Protection Authority (DSB), Barichgasse 40-42, 1030 Vienna.

A. Annex A — TOMs (overview)

See German version §A — Anhang A. Full description in legal/TOMS.md.

B. Annex B — Sub-processors

#Sub-processorLocationPurposeThird-country safeguard
1Hetzner Online GmbH ¹Falkenstein, DE 🇩🇪Server hosting (GEX44)EU — no third country
2Requesty Ltd. ⁴ (primary aggregator)London, UK 🇬🇧 (processing: AWS Frankfurt eu-central-1)AI model gateway for GPT-5.x, Claude 4.x, Gemini, Mistral — EU-only endpoint, zero data retentionUK adequacy decision (Art. 45 GDPR) + Requesty DPA v2.2 + SCCs Modules 2/3
3OpenAI Ireland Ltd.Dublin, IE 🇮🇪Direct API access GPT-5.x / o3 / o4 (fallback, EU endpoint)EU endpoint, SCCs Module 2, zero data retention
4Google Cloud EMEA Ltd. ²Dublin, IE 🇮🇪 (EU multi-region)Vertex AI: Gemini 3.x + Claude 4.x (Anthropic-on-Vertex)EU multi-region, SCCs Module 2
5xAI, Inc.USA 🇺🇸 (EU region eu-west-1)Direct Grok API (image/video/text)SCCs Module 2, zero retention
6Amazon Web Services EMEA SARLLuxembourg 🇱🇺 (Bedrock Frankfurt eu-central-1)AWS Bedrock: Anthropic Claude 4.xEU (Frankfurt), SCCs Module 2
7Eden AI SAS ³Lyon, FR 🇫🇷AI gateway — image generation only (DALL-E)EU — no third country
8Stripe Payments Europe Ltd.Dublin, IE 🇮🇪 (parent USA)Payment processingSCCs Modules 1+2 + EU-US DPF
9Neue Medien Münnich GmbH (All-Inkl)Friedersdorf, DE 🇩🇪Transactional email (SMTP)EU — no third country

¹ The Hetzner DPA is held by the sole proprietorship Karl Pilz Webagentur Web2null (same natural person as the HOVIGuard owner), which operates the GEX44 infrastructure and provides it to HOVIGuard internally — economic and data-protection personal union under Austrian law.

² Google Cloud EMEA Ltd. is the processor for Vertex AI in the EU. Anthropic Claude 4.x runs as a managed service inside the Google EU region (Anthropic-on-Vertex) — Anthropic is not a separate sub-processor and data never leaves the EU region.

³ Eden AI SAS has been phased down since May 2026 and is used for image generation only (DALL-E via EU proxy) until an equivalent EU direct route is available.

⁴ Requesty Ltd. has been the primary aggregator since 29 May 2026, replacing Eden AI for text LLMs. London-based; the UK benefits from an EU adequacy decision (Art. 45 GDPR), so the EU↔UK transfer is permissible without additional safeguards (with SCCs + UK International Transfer Addendum per Requesty DPA v2.2 in addition). All processing takes place exclusively in AWS Frankfurt (eu-central-1) via the EU-only endpoint eu.router.requesty.ai with Logging = Disabled (zero data retention) and EU-only models. Requesty is an aggregator with its own (nested) sub-processor chain; the current list is public at requesty.ai/privacy/subprocessors. If a company admin enables non-EU models for their tenant, US/third-country sub-processors are added and that responsibility lies with the enabling customer.

C. Annex C — Standard Instructions

See German version §C — Anhang C. Standard instructions deemed issued by the Customer upon DPA acceptance.

D. Annex D — Change History

v1.0 (2026-03-23) initial; v1.1 (2026-05-04) Schrems II / TIA section, explicit acceptance clause, Annexes A–D; v1.2 (2026-05-04) removed Cloudflare again (not actually used in operations); v1.3 (2026-05-04) added xAI, Inc. as 3rd sub-processor (direct Grok API, EU region enforced, zero retention, SCCs Module 2); v1.4 (2026-05-04) counsel re-review findings: §12 breach-notification window relaxed from 24h to 72h target 24h; §14.1 acceptance clause reinforced with notice of separate Stripe-checkout checkbox in Q3 2026; Annex B footnote ¹ refined (personal-union Karl Pilz, economic-substance doctrine); v1.5 (2026-06-02) provider stack updated: Requesty Ltd. (London/UK, processing in AWS Frankfurt) added as primary aggregator for text LLMs; OpenAI Ireland, Google Cloud EMEA (Vertex AI EU multi-region) and AWS EMEA SARL (Bedrock Frankfurt) added as direct EU routes in Annex B + §9 Schrems II table; Eden AI downgraded from primary gateway to image generation only; Annex B from 5 to 9 sub-processors; per-provider training guarantees in §10; Requesty aggregator chain (footnote ⁴, UK adequacy decision, EU-only endpoint, Logging=Disabled) documented.

Frequently asked questions about the DPA

What is a DPA?+

A Data Processing Agreement (DPA) regulates per Art. 28 GDPR the obligations between the controller (customer) and the processor (HOVIGuard) — including bindingness to instructions, sub-processors, technical and organisational measures (TOMs), audit rights and third-country safeguards.

When is the DPA concluded?+

For standard tenants, the DPA is deemed accepted upon acceptance of the Terms of Service during registration/checkout (see §14.1). The current version is available online at hoviguard.eu/en/avv. Enterprise customers may request a separately signable PDF version.

How do I receive a signable version?+

By email to datenschutz@hoviguard.eu with subject DPA PDF Request. We typically provide a PDF version with original or qualified electronic signature.

Who are the current sub-processors?+

Hetzner Online GmbH (hosting, DE), Requesty Ltd. (AI model gateway, primary — London/UK with EU adequacy decision, processing in AWS Frankfurt), OpenAI Ireland (GPT, IE) and Google Cloud EMEA (Vertex AI, IE) as direct EU routes, xAI Inc. (Grok, US region eu-west-1 with zero retention), Amazon Web Services EMEA SARL (Bedrock Frankfurt, LU), Eden AI SAS (image generation only, FR), Stripe Payments Europe Ltd. (payments, IE) and Neue Medien Münnich GmbH (SMTP, DE). Details including third-country safeguards are in Annex B of the DPA.

How are changes to the sub-processor list communicated?+

Addition or replacement of a sub-processor is notified with 30 days' prior notice in text form to the admin address registered in the tenant. Within this period you have a right to object and an extraordinary right of termination.

What audit rights do I have?+

Self-service audit logs in the admin dashboard at any time; one TOM report per calendar year free of charge on request; one on-site or remote audit per year with 30 days' notice (during business hours). Details in §8 of the DPA.