Data Processing Agreement

Last updated: June 13, 2026

This Data Processing Agreement ("DPA") forms part of, and is subject to, the Terms of Service between CyberWardion ("Processor", "we", "us"), a company registered in Sofia, Bulgaria, and the customer organisation that uses G.A.I.N. ("Controller", "you"). It governs the processing of personal data by CyberWardion on your behalf in connection with the G.A.I.N. service. Where this DPA conflicts with the Terms of Service in relation to data protection, this DPA prevails.

1. Definitions

"GDPR" means Regulation (EU) 2016/679. "Personal data", "processing", "controller", "processor", "data subject", and "personal data breach" have the meanings given in the GDPR. "Service" means the G.A.I.N. browser extension and web dashboard. "Sub-processor" means a third party engaged by us to process personal data on your behalf.

2. Roles of the Parties

You are the Controller of the personal data processed through the Service. We are the Processor, acting only on your documented instructions. You are responsible for the lawfulness of your collection and use of personal data, including informing your employees of the deployment of the Service in accordance with applicable law.

3. Subject Matter, Nature and Purpose

We process personal data solely to provide the Service: detecting browser-based AI tool usage locally in the user's browser, transmitting event metadata only, displaying that metadata in the dashboard, and generating Trust Reports. We do not process personal data for any other purpose, and we do not sell personal data.

4. Duration

We process personal data for the duration of the Terms of Service and until deletion or return in accordance with Section 10.

5. Categories of Data Subjects and Personal Data

Data subjects: your administrators and the employees/users on whose devices the extension is deployed.

Personal data processed (metadata only): account and admin contact details; employee email (where your organisation provides it); device identifier and label; department; AI tool name/domain/category; event type and action taken (redacted / blocked / warned / logged / allowed); risk severity and confidence; the types of sensitive patterns detected (e.g. "api_key", "email") and their counts; content length (a number); file extension and file size; the name of the policy that triggered; detection engine version; event timestamp.

Never processed: prompt or message content; the actual sensitive values themselves (only the pattern type and count); keystrokes; screenshots; file contents; and browsing activity outside supported AI tools. Detection is performed locally; raw content is discarded in the browser and never transmitted or stored.

6. Processor Obligations

We will: (a) process personal data only on your documented instructions; (b) ensure persons authorised to process the data are bound by confidentiality; (c) implement the technical and organisational measures in Annex II; (d) assist you, taking into account the nature of processing, with data subject requests and your obligations under GDPR Articles 32–36; (e) make available information necessary to demonstrate compliance with Article 28; and (f) inform you if, in our opinion, an instruction infringes data protection law.

7. Sub-processors

You provide general authorisation for us to engage the sub-processors listed in Annex III. We impose data protection obligations on each sub-processor no less protective than those in this DPA and remain liable for their performance. We will give you reasonable prior notice of any new sub-processor and an opportunity to object on reasonable data-protection grounds.

8. International Transfers

Event metadata is hosted within the European Union. We will not transfer personal data outside the EU/EEA except under a valid transfer mechanism under GDPR Chapter V.

9. Personal Data Breach

We will notify you without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting your personal data, and will provide information reasonably available to us to assist your own notification obligations.

10. Deletion and Return

On termination or expiry of the Service, or on your written request, we will delete or return all personal data and delete existing copies, unless retention is required by law. Because the Service stores metadata only, no prompt content or raw sensitive values exist to be returned.

11. Audit

We will make available, on reasonable request and no more than once per year (unless required by a supervisory authority), the information necessary to demonstrate compliance with this DPA, and will contribute to audits conducted by you or an auditor you mandate, subject to reasonable confidentiality and security conditions.

12. Liability and Governing Law

Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Terms of Service. This DPA is governed by the laws of the Republic of Bulgaria, and disputes are subject to the competent courts of Sofia, Bulgaria.

Annex I — Details of Processing

  • Controller: the customer organisation using G.A.I.N.
  • Processor: CyberWardion, George Washington St 24, 1000 Sofia, Bulgaria.
  • Subject matter: provision of AI usage governance (visibility, on-device redaction/blocking, Trust Reports).
  • Duration: the term of the Terms of Service.
  • Nature, purpose, data types & subjects: see Sections 3 and 5.

Annex II — Technical and Organisational Measures

  • Detection and redaction run locally in the browser; raw prompt content and raw sensitive values are never transmitted.
  • Server stores event metadata only; prompt/content fields are stripped before persistence.
  • Data hosted in the EU.
  • Production database access is restricted; the dashboard enforces organisation-scoped access controls (row-level security).
  • Authentication to the ingestion API uses per-organisation keys; keys can be rotated and revoked.
  • Encryption in transit (TLS) for all data transmitted to the Service.

Annex III — Sub-processors

  Sub-processor                                  | Purpose                                                  | Location
  Supabase (database, Edge Functions, hosting)   | Storage of event metadata and serving the dashboard/API  | EU

Contact

CyberWardion · George Washington St 24, 1000 Sofia, Bulgaria · +359 87 661 1400 · support@cyberwardion.com · cyberwardion.com