# Data Processing Agreement (DPA)

**pursuant to Art. 28(3) GDPR**

| | |
|---|---|
| **Version** | 1.4 |
| **As of** | 2026-05-04 |
| **Scope** | All HOVIGuard B2B customers |
| **Acceptance** | see §13 (Conclusion of Contract) |
| **Authoritative language** | German (`legal/DPA_AVV_DE.md`). This English version is informative. |

---

## Contracting Parties

**Controller**
The customer using the HOVIGuard service under the Terms of Service
(hereinafter "Customer" or "Controller")

**Processor**
Ing. Dipl.-Ing. (FH) Karl J. Pilz, sole proprietorship
Sagmüllerweg 8, 5081 Anif-Niederalm, Salzburg, Austria
VAT-ID: ATU 66845907
Data protection email: datenschutz@hoviguard.eu
(hereinafter "HOVIGuard" or "Processor")

---

## 1. Subject Matter and Duration of Processing

### 1.1 Subject Matter
HOVIGuard processes personal data exclusively on behalf of the Customer in the context of providing the AI Security and Governance Gateway. Processing covers:

- Receiving, security-checking and forwarding user prompts to AI models
- Content inspection (PII detection, content safety using Qwen3Guard categories, NSFW filter)
- Management of user accounts, roles and access rights within the tenant
- Storage of conversations, uploaded files and configurations
- Token and usage metering for billing
- Audit logging for compliance evidence

### 1.2 Duration
Processing starts upon registration of the tenant and ends with deletion of the tenant account or termination of the service contract. After contract end, all personal data is deleted within **30 days**, unless statutory retention obligations apply (e.g. Austrian Federal Tax Code § 132 BAO — 7-year invoice retention), in which case data is pseudonymised/blocked accordingly.

---

## 2. Nature and Purpose of Processing

| Processing Activity | Purpose |
|---|---|
| User Management | Authentication, authorisation, session management |
| Prompt Processing | Security checks and forwarding to EU-hosted AI providers |
| Content Safety | PII detection, NSFW filter, Qwen3Guard classification |
| File Upload | Storage in tenant-isolated object storage (MinIO) |
| Audit Logging | Compliance evidence, security monitoring, forensics |
| Billing | Token/usage metering, invoicing, Stripe handling |
| Transactional Email | Verification, password reset, security notifications |

---

## 3. Types of Personal Data

- **Master data:** name, business email, language
- **Access data:** Argon2id password hash, session tokens, optional 2FA seeds
- **Usage data:** prompt content, AI responses, token consumption, model selection
- **File content:** documents, images and metadata uploaded by end users
- **Communication data:** IP address (pseudonymised after 7 days), user-agent, device ID
- **Billing data:** company/billing address, VAT-ID, Stripe customer ID, tokenised payment instruments (no card numbers)
- **Audit data:** action logs, security decisions, policy violations

---

## 4. Categories of Data Subjects

- Employees and agents of the Customer registered as end users of the tenant
- Persons whose data may be contained in prompts or uploaded files (third parties)
- Billing and contract contacts of the Customer

---

## 5. Obligations of the Processor (HOVIGuard)

### 5.1 Bound by Instructions
HOVIGuard processes personal data exclusively on the Customer's documented instructions. Use of the service in accordance with the Terms of Service together with tenant configuration by the Company Admin (security policies, model whitelist, retention) constitutes documented instruction. Special instructions must be issued in text form to datenschutz@hoviguard.eu.

### 5.2 Confidentiality
HOVIGuard binds in writing every person granted access to personal data to confidentiality (Art. 28(3)(b) and Art. 29 GDPR). HOVIGuard currently operates as a sole proprietorship without further employees; if external contractors are engaged, the corresponding confidentiality obligation is established before data access.

### 5.3 Technical and Organisational Measures (TOMs)
HOVIGuard implements the measures listed in **Annex A** and in [`legal/TOMS.md`](./TOMS.md) as required under Art. 32 GDPR. The TOMs are reviewed at least annually and updated in case of material change.

### 5.4 Sub-processors
The current list of sub-processors is published in **Annex B** and in [`legal/SUBPROCESSORS.md`](./SUBPROCESSORS.md). By entering into the contract, the Customer consents to the engagement of the listed sub-processors.

Intended addition or replacement of a sub-processor is announced to the Customer in text form (email to the registered admin address; additionally posted on hoviguard.eu/avv) **at least 30 calendar days** in advance. The Customer may object within this period. In case of objection, the Customer may extraordinarily terminate the contract with effect from the planned switch date.

### 5.5 Assistance Obligations
HOVIGuard supports the Customer, within the limits of what is technically feasible, in:

- Fulfilling data subject rights (Art. 15–22 GDPR) — self-service via tenant admin UI plus API endpoints for access and deletion
- Data Protection Impact Assessments (Art. 35/36 GDPR) — provision of relevant architectural and TOM information on request
- Notifications to supervisory authorities and data subjects (Art. 33/34 GDPR) — see `legal/INCIDENT_RESPONSE_PLAYBOOK.md`

### 5.6 Deletion and Return after Contract End
Upon termination of the contract:

- Data export in JSON/ZIP on request within 30 days (Art. 20 GDPR)
- Deletion of all tenant data in database, object storage and backups within 30 days
- Retention of statutorily required records (invoices, tax records) in pseudonymised form
- Written confirmation of deletion on request

### 5.7 Records of Processing (Art. 30(2) GDPR)
HOVIGuard maintains an internal record of all processing activities and provides it to the competent supervisory authority and to the Customer on request.

---

## 6. Obligations of the Controller (Customer)

The Customer is responsible for:

- Lawfulness of processing vis-à-vis its own end users (legal basis, Art. 13/14 information)
- Configuration of security and content policies (model whitelist, PII sensitivity, NSFW filter, upload types) within the tenant
- Compliance with retention periods for conversations and files
- Informing its end users about the use of HOVIGuard and the AI providers per **Annex B**
- Ensuring that no special categories of personal data (Art. 9 GDPR) are processed without an appropriate legal basis
- Informing HOVIGuard without undue delay of any data breach or data subject request that involves HOVIGuard

---

## 7. Audit Rights

The Customer has the right to:

- **Self-service audit:** access at any time to all audit logs concerning the tenant via the admin dashboard (`/admin/audit-logs`)
- **TOM report:** request the current TOM document free of charge once per calendar year
- **On-site or remote audit:** once per calendar year with at least 30 days' prior notice. The audit is performed during normal business hours, without disruption to other customers, and is limited to data-protection-relevant aspects of the tenant. Costs are borne by the Customer unless the audit is triggered by a substantiated data breach.
- **Third-party audit reports:** HOVIGuard may discharge its audit obligations by providing current certificates or independent reports (e.g. future ISO-27001/SOC-2 reports as well as sub-processor certifications).

---

## 8. Third-Country Transfers (Schrems II)

### 8.1 Principle
Primary processing takes place exclusively within the EU/EEA (Hetzner Falkenstein, Eden AI Lyon, All-Inkl Friedersdorf). Transfers to third countries are limited to the unavoidable technical minimum.

### 8.2 Third-Country Sub-processors in Use

| Sub-processor | Location | Transfer mechanism | Scope |
|---|---|---|---|
| **Stripe Payments Europe Ltd.** (EU contracting party) | Dublin, IE | Intra-group forwarding to Stripe Inc. (USA) under SCCs Modules 1+2 (EU 2021/914) and the EU-US Data Privacy Framework | Payment processing — name, billing address, tokenised payment instruments |
| **xAI, Inc.** | USA (processing in EU region eu-west-1) | DPA via Enterprise Customer Agreement (https://x.ai/legal/data-processing-addendum) with embedded SCCs Module 2 (EU 2021/914), jurisdiction Republic of Ireland | Direct API access to Grok models (image, video, text generation) — prompts and responses, zero retention (deletion within 30 days) |

### 8.3 Transfer Impact Assessment (TIA)
HOVIGuard has performed and documented a TIA in line with EDPB Recommendations 01/2020 for the listed transfers. The assessed risks (in particular FISA 702, EO 12333, Cloud Act) are mitigated by:

- Tokenisation of payment data (Stripe — no card numbers stored at HOVIGuard)
- TLS 1.3 in transit, AES-256 at rest
- No transmission of AI conversation content to Stripe
- xAI processing forced to EU region (`eu-west-1`) via `provider_params.region`, contractually zero retention
- Pseudonymisation of IP addresses after 7 days
- Right of complaint to the Austrian Data Protection Authority and to the US Data Protection Review Court (Executive Order 14086)

The TIA is provided to the Customer on request.

### 8.4 Strictly EU-only AI Inference
AI inference and image generation are executed exclusively on EU-hosted endpoints (`provider_params.region = "eu-west-1"` is enforced for Eden AI; direct routes such as xAI Grok are only used on a documented EU region; non-EU models are blocked at catalogue level).

---

## 9. No Training on Customer Data

HOVIGuard guarantees:

- Prompts and responses are **not** used to train or fine-tune AI models — neither by HOVIGuard nor by any sub-processor
- Eden AI is contractually configured for zero retention ("No Data Retention" provider setting)
- For directly addressed inference providers (e.g. xAI Grok), only their enterprise/zero-retention endpoints are used
- No disclosure of content to third parties outside the listed sub-processors
- Telemetry and quality metrics are collected only in aggregated form without content reference

---

## 10. Tenant Isolation

- Strict logical separation by `tenant_id` in all database queries
- Separate MinIO buckets per tenant
- Application-side row-level filters; PostgreSQL row-level security in preparation (Phase 2)
- Tenant-specific security policies
- No cross-tenant access — violations are flagged and alerted in the audit log

---

## 11. Personal Data Breaches (Art. 33/34 GDPR)

HOVIGuard notifies the Customer of any personal data breach **without undue delay, and in any case within 72 hours** of becoming aware of it, in text form to the admin address registered for the tenant. **Target:** ≤ 24 hours on business-day detection; on weekend/holiday detections the window may extend to 48–72 hours. The notification contains the information required by Art. 33(3) GDPR insofar as available, and is updated continuously.

For the detailed process see [`legal/INCIDENT_RESPONSE_PLAYBOOK.md`](./INCIDENT_RESPONSE_PLAYBOOK.md).

---

## 12. Liability and Damages

Liability is governed by Art. 82 GDPR. The contractual liability of HOVIGuard is limited as agreed in §11 of the Terms of Service. Statutory liability for intent, gross negligence and under the GDPR remains unaffected.

---

## 13. Conclusion of Contract, Validity, Form

### 13.1 Acceptance
This DPA becomes effective in the following cases:

- **Standard tenants (self-service, Pro plan):** by accepting the Terms of Service in the registration and checkout flow, the Customer accepts this DPA as part of the service contract. The Terms of Service §7 (DE: §7) explicitly reference this DPA. Current version online at [hoviguard.eu/en/avv](https://hoviguard.eu/en/avv).
  - **Planned reinforcement (Q3 2026):** additional separate DPA-acceptance checkbox in the Stripe checkout flow with timestamp persistence in the database, fulfilling the documented-instruction obligation per Art. 5(2) GDPR. Until rollout, ToS acceptance with explicit DPA reference constitutes sufficient documented instruction.
- **Enterprise tenants:** on request a separately signable version (PDF with handwritten or qualified electronic signature) is provided. Request via datenschutz@hoviguard.eu.

### 13.2 Order of Precedence
In the event of a conflict between the Terms of Service, the Privacy Policy and this DPA, the provisions of this DPA prevail with respect to data processing.

### 13.3 Amendments
Amendments to this DPA are notified to the Customer with 30 days' prior notice via the admin address registered for the tenant. Material amendments to the detriment of the Customer trigger an extraordinary right of termination.

### 13.4 Form
Special instructions, audit requests, terminations and objections require text form (email to datenschutz@hoviguard.eu suffices).

### 13.5 Final Provisions
- Austrian law applies, excluding the UN Convention on Contracts for the International Sale of Goods
- Place of jurisdiction: Salzburg, Austria
- Supervisory authority for HOVIGuard: Austrian Data Protection Authority (DSB), Barichgasse 40-42, 1030 Vienna
- Severability clause: should any provision of this DPA be invalid, the remaining provisions remain effective

---

## Annex A — Technical and Organisational Measures (Overview)

Full description in [`legal/TOMS.md`](./TOMS.md). Brief overview:

| Area | Measure |
|---|---|
| Physical access | Hetzner DC Falkenstein (ISO 27001), multi-factor visitor control |
| Logical access | Argon2id password hashing, Better-Auth, optional 2FA, tenant-isolated sessions |
| Authorisation | RBAC (owner/admin/member), row-level filters, least privilege |
| Transmission | TLS 1.3, Caddy reverse proxy with HSTS, enforced EU routing for Eden AI |
| Input control | Audit logs of all data-modifying actions, retention 7 years |
| Order control | DPAs with all sub-processors, Art. 30 records |
| Availability | PITR backups (PostgreSQL WAL), MinIO replication (Phase 2), monitoring |
| Separation | `tenant_id` filter on every query, separate MinIO buckets, cross-tenant alerting |
| Pseudonymisation | IP pseudonymisation after 7 days, aggregation in telemetry |
| Encryption | TLS 1.3 in transit; operator backups encrypted |

---

## Annex B — Sub-processors

Current and complete list in [`legal/SUBPROCESSORS.md`](./SUBPROCESSORS.md) and at [hoviguard.eu/avv#subprozessoren](https://hoviguard.eu/avv#subprozessoren).

| # | Sub-processor | Location | Purpose | Third-country safeguard |
|---|---|---|---|---|
| 1 | Hetzner Online GmbH ¹ | Falkenstein, DE | Server hosting (GEX44) | EU — no third country |
| 2 | Eden AI SAS | Lyon, FR | AI model gateway (EU routing enforced) | EU — no third country |
| 3 | xAI, Inc. | USA (EU region eu-west-1) | Direct Grok API (image/video/text) | SCCs Module 2, zero retention |
| 4 | Neue Medien Münnich GmbH (All-Inkl) | Friedersdorf, DE | Transactional email (SMTP) | EU — no third country |
| 5 | Stripe Payments Europe Ltd. | Dublin, IE (parent USA) | Payment processing | SCCs Modules 1+2 + EU-US DPF |

¹ **Hetzner contracting-party construct:** the Hetzner Online GmbH DPA (https://accounts.hetzner.com/account/dpa) formally runs in the name of the sole proprietorship *Karl Pilz Webagentur Web2null* (VAT-ID ATU 66845907 — same natural person as HOVIGuard owner Ing. Dipl.-Ing. (FH) Karl J. Pilz), which operates the GEX44 infrastructure and provides it to HOVIGuard internally. Both businesses are sole proprietorships of the same natural person under Austrian law — economic and data-protection identity. A separate written DPA between HOVIGuard and Web2null is therefore not required under economic-substance doctrine (no data flow between distinct legal persons); for compliance transparency the construct is documented here. A formal DPA will be added if external employees are hired or the entities are separated.

---

## Annex C — Standard Instructions

The following instructions are deemed issued by the Customer upon acceptance of this DPA:

1. Processing of the data categories listed in §3 for the purposes listed in §2
2. Storage in EU data centres as listed in Annex B
3. Forwarding of prompts to the AI models activated for the tenant (model whitelist configurable in the admin UI)
4. Application of security policies configured by the Company Admin (PII filter, NSFW, content safety)
5. Creation of audit logs for compliance purposes (retention 7 years, Art. 32 GDPR)
6. Forwarding of billing data to Stripe per §8.2
7. Transmission of transactional emails via All-Inkl per §8.2
8. Deletion/anonymisation per §1.2 and §5.6 after contract end

Deviating or additional instructions must be issued in text form to datenschutz@hoviguard.eu.

---

## Annex D — Change History

| Version | Date | Change |
|---|---|---|
| 1.0 | 2026-03-23 | Initial version |
| 1.1 | 2026-05-04 | Added Schrems II / TIA section (§8.3); explicit acceptance clause (§13.1); added Annexes A/B/C/D; clarified 30-day sub-processor change window; refined audit rights (§7); 24-hour breach notification (§11); EU-only routing documented (§8.4); harmonised VAT-ID/address |
| 1.2 | 2026-05-04 | Removed Cloudflare again — not actually used in operations (DNS via DD24, reverse proxy is Caddy directly on Hetzner). Annex B reduced from 5 to 4 sub-processors; §8.2 lists Stripe only as third-country transfer |
| 1.3 | 2026-05-04 | Added xAI, Inc. as 3rd sub-processor in Annex B (direct Grok API, EU region enforced, zero retention, SCCs Module 2). §8.2 Schrems II table: second third-country transfer (xAI USA). Hetzner footnote ¹: DPA runs via Karl Pilz Webagentur Web2null as internal infrastructure provider (same owner). Annex B now 5 sub-processors. |
| 1.4 | 2026-05-04 | Counsel re-review findings implemented: §11 breach-notification window relaxed from 24h to "within 72h, target 24h" (technically realistic); §13.1 acceptance clause reinforced with notice of separate Stripe-checkout checkbox in Q3 2026; Annex B footnote ¹ refined (personal-union Karl Pilz, economic-substance doctrine under AT sole-proprietorship law); consistency with Privacy retention periods. |

---

*Authoritative language: German. This English translation in `legal/DPA_AVV_EN.md` is informative only.*
