AegisTrust
Legal — GDPR Article 28

Data Processing Agreement

Effective: January 1, 2026  |  Updated: April 19, 2026

1. Scope & Definitions

This Data Processing Agreement ("DPA") supplements the Terms of Service between you ("Controller") and AegisTrust AI, Inc. ("Processor"). It governs the processing of personal data provided to AegisTrust through the Pre-Clearance audit pipeline. "Personal Data," "Processing," and "Data Subject" have the meanings ascribed in the EU General Data Protection Regulation (GDPR).

2. Nature & Purpose of Processing

Subject Matter:  Security architecture compliance assessment
Duration:        Duration of the service engagement plus 30-day retention
Data Categories: Corporate email addresses, technical architecture documentation
Data Subjects:   Client employees, authorized representatives

3. Processor Obligations

  • Process personal data only on documented instructions from the Controller.
  • Ensure all personnel with access are bound by confidentiality obligations.
  • Implement appropriate technical and organizational security measures, including AES-256 encryption at rest and TLS 1.3 in transit, as set out in Section 4 and as independently attested in AegisTrust's SOC 2 Type II report.
  • Engage sub-processors only with prior written consent of the Controller.
  • Assist the Controller in responding to data subject requests within applicable timeframes.
  • Delete or return all personal data upon termination of the engagement, subject to legal retention requirements.
  • Make available all information necessary to demonstrate compliance and allow for audits.

4. Security Measures

  • Encryption: AES-256 at rest, TLS 1.3 in transit.
  • Access Control: Role-based access with MFA enforcement for all analysts.
  • Isolation: Geographically isolated storage infrastructure covered by a SOC 2 Type II attestation.
  • Monitoring: Real-time intrusion detection and audit logging.
  • Data Minimization and Retention: Personal data is retained only for the duration of the engagement and is purged automatically 30 days after the engagement ends (see Section 2); no copies are retained beyond that period except where Section 3 requires retention by law.

5. Sub-Processors

The Controller authorizes the engagement of the following sub-processors:

Sub-processor       Function                 Location
Cloudflare, Inc.    Object storage (R2)      US / EU
Resend, Inc.        Email delivery           US
Vercel, Inc.        Application hosting      US / Global

6. International Transfers

Where personal data is transferred outside the EEA, AegisTrust relies on Standard Contractual Clauses (SCCs) as approved by the European Commission, supplemented by transfer impact assessments where required.

7. Breach Notification

In the event of a personal data breach, AegisTrust shall notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. Notification shall include the nature of the breach, categories of data affected, and recommended mitigation measures.

8. Governing Law

This DPA is governed by the laws of the State of Delaware, US, except that GDPR provisions shall be interpreted in accordance with EU law where applicable.

AegisTrust AI, Inc. · Delaware, US · dpa@aegistrust.ai

For a countersigned copy of this DPA, contact dpa@aegistrust.ai.

Secure Drop — AES-256 Encrypted

Initiate Architecture Pre-Clearance

Upload your system architecture diagram or technical whitepaper. Our Chief Security Architect will issue a JPMorgan-grade risk blind-spot brief within 24 hours.
