Data Processing Agreement (DPA)

Controller: the Customer using the HOVIGuard service under the Terms of Service.

Processor:

Ing. Dipl.-Ing. (FH) Karl J. Pilz, sole proprietorship
Sagmüllerweg 8, 5081 Anif-Niederalm, Salzburg, Austria
VAT-ID: ATU 66845907
Data protection email: datenschutz@hoviguard.eu

HOVIGuard processes personal data exclusively on behalf of the Customer for the operation of the AI Security and Governance Gateway. Processing covers:

• Receiving, security-checking and forwarding user prompts to AI models
• Content inspection (PII detection, content safety using Qwen3Guard, NSFW filter)
• Management of user accounts, roles and access rights within the tenant
• Storage of conversations, uploaded files and configurations
• Token and usage metering for billing
• Audit logging for compliance evidence

Processing starts upon registration of the tenant and ends with deletion of the tenant account. After contract end, all personal data is deleted within 30 days, unless statutory retention obligations apply (§ 132 BAO, 7 years), in which case data is pseudonymised/blocked.

See the German master version (§3 — Art und Zweck der Verarbeitung) for the full table of processing activities.

• Master data: name, business email, language
• Access data: Argon2id password hash, session tokens, optional 2FA seeds
• Usage data: prompt content, AI responses, token consumption, model selection
• File content: documents and images uploaded by end users, plus metadata
• Communication data: IP address (pseudonymised after 7 days), user-agent, device ID
• Billing data: company/billing address, VAT-ID, Stripe customer ID, tokenised payment instruments (no card numbers)
• Audit data: action logs, security decisions, policy violations

• Employees and agents of the Customer registered as end users of the tenant
• Persons whose data may be contained in prompts or uploaded files (third parties)
• Billing and contract contacts of the Customer

Bound by documented instructions; written confidentiality of staff (Art. 28(3)(b), Art. 29 GDPR); TOMs per Annex A; sub-processor list per Annex B with 30 days' prior change notice; assistance with data subject rights, DPIAs and breach notifications; data export and deletion within 30 days after contract end; Art. 30(2) records.

Lawful basis vis-à-vis own end users; tenant configuration of security and content policies; observance of retention; Art. 13/14 information of own end users; ensure no Art. 9 special categories without legal basis; prompt notification of breaches involving HOVIGuard.

Self-service audit log access at any time; one free TOM report per calendar year; on-site or remote audit once per year with 30 days' notice (Customer cost unless triggered by a substantiated breach); third-party certificates accepted in lieu.

Primary processing within EU/EEA. Third-country transfers limited to the technical minimum and listed in Annex B (Stripe USA via SCCs Modules 1+2 + EU-US DPF; xAI USA via SCCs Module 2 with EU region enforcement and zero retention).

A Transfer Impact Assessment (EDPB Recommendations 01/2020) has been performed. Mitigations: tokenisation, TLS 1.3 + AES-256, no AI conversation content sent to Stripe, xAI processing forced to EU region (eu-west-1) with contractual zero retention, IP pseudonymisation after 7 days, complaint rights with the Austrian DPA and the US Data Protection Review Court (EO 14086).

AI inference and image generation run exclusively on EU-hosted endpoints. Non-EU models are blocked at catalogue level.

Prompts and responses are not used for training or fine-tuning by HOVIGuard or any sub-processor. Eden AI is contractually configured for zero retention. Direct routes (e.g. xAI Grok) only via enterprise/zero-retention endpoints.

Strict logical separation by tenant_id, separate MinIO buckets per tenant, application row-level filters, tenant-specific policies, alerting on cross-tenant attempts.

HOVIGuard notifies the Customer of any personal data breach without undue delay, in any case within 72 hours of becoming aware of it, in text form. Target: ≤ 24 hours on business-day detection; on weekend/holiday detections up to 48–72 hours. The notification contains all Art. 33(3) GDPR information available and is updated continuously. Process per legal/INCIDENT_RESPONSE_PLAYBOOK.md.

Per Art. 82 GDPR. Contractual liability limited as agreed in §10 of the Terms of Service. Statutory liability for intent, gross negligence and under the GDPR remains unaffected.

Standard tenants (self-service, Pro plan): acceptance of the Terms of Service constitutes acceptance of this DPA. Current version at hoviguard.eu/en/avv.

Enterprise tenants: separately signable PDF (handwritten or qualified electronic signature) on request via datenschutz@hoviguard.eu.

Order of precedence: in case of conflict between Terms of Service, Privacy Policy and this DPA, the DPA prevails on data processing matters.

Amendments with 30 days' prior notice; material amendments to the Customer's detriment trigger an extraordinary right of termination.

Form: text form (email) suffices for special instructions, audit requests, terminations and objections.

Final: Austrian law, Salzburg jurisdiction. Supervisory authority: Austrian Data Protection Authority (DSB), Barichgasse 40-42, 1030 Vienna.

See German version §A — Anhang A. Full description in legal/TOMS.md.

See German version §C — Anhang C. Standard instructions deemed issued by the Customer upon DPA acceptance.

v1.0 (2026-03-23) initial; v1.1 (2026-05-04) Schrems II / TIA section, explicit acceptance clause, Annexes A–D; v1.2 (2026-05-04) removed Cloudflare again (not actually used in operations); v1.3 (2026-05-04) added xAI, Inc. as 3rd sub-processor (direct Grok API, EU region enforced, zero retention, SCCs Module 2); v1.4 (2026-05-04) counsel re-review findings: §12 breach-notification window relaxed from 24h to 72h target 24h; §14.1 acceptance clause reinforced with notice of separate Stripe-checkout checkbox in Q3 2026; Annex B footnote ¹ refined (personal-union Karl Pilz, economic-substance doctrine).