Data Processing Addendum

Last updated: 1 July 2026

This Data Processing Addendum ("DPA") forms part of the agreement between the customer ("Controller") and EuroGuard AI ("Processor") for the provision of the EuroGuard AI service and reflects the parties' agreement on the processing of personal data in accordance with Article 28 of the GDPR.

1. Subject matter & duration

The Processor processes personal data on behalf of the Controller for the purpose of providing the Service, for the duration of the underlying agreement.

2. Nature and purpose of processing

Automated EU AI Act and DORA risk analysis, generation of compliance reports, account management, payment processing, and related support.

3. Categories of data subjects and data

  • Data subjects: Controller's authorised users.
  • Personal data: email address, authentication identifiers, content submitted for analysis, technical logs.
  • No special category (Art. 9) data is required or expected.

4. Processor obligations

  • Process personal data only on documented instructions from the Controller.
  • Ensure personnel are bound by confidentiality obligations.
  • Implement appropriate technical and organisational measures (see Section 7).
  • Assist the Controller with data-subject rights requests and DPIAs where reasonably required.
  • Notify the Controller without undue delay (and within 72 hours) on becoming aware of a personal-data breach.
  • Delete or return personal data at the end of the Service, at the Controller's choice.

5. Sub-processors

The Controller authorises the Processor to engage the sub-processors listed in the Processor's Privacy Policy. The Processor will give at least 30 days' notice of new sub-processors and allow the Controller to object on reasonable data-protection grounds.

6. International transfers

Where personal data is transferred outside the EEA, the parties rely on the European Commission's Standard Contractual Clauses (Module 2, controller-to-processor) as supplementary measures. The Clauses are incorporated by reference.

7. Security measures

  • Encryption in transit (TLS 1.2+) and at rest.
  • Row-Level Security on every user-data table; access scoped to authenticated user ID.
  • Service-role keys stored server-side only; never shipped to browsers.
  • Signed webhook verification for payment events.
  • Regular dependency and vulnerability scanning.
  • Access to production systems restricted and audited.

8. Audit rights

The Controller may, once per year and on reasonable prior notice, request written information reasonably necessary to demonstrate compliance with this DPA. On-site audits may be arranged where required by law or a supervisory authority.

9. Liability

Each party's liability under this DPA is subject to the limitations of liability in the underlying agreement.

10. Signed copy

For a countersigned copy of this DPA, contact support@euroguard.ie.