Data Processing Agreement
Last updated: May 2026
This Data Processing Agreement ("DPA") forms part of the agreement between the Customer ("Controller") and Burrell Digital LTD ("Processor") governing use of Context Guard ("the Service"). It applies whenever the Processor processes personal data on behalf of the Controller in the course of providing the Service. This DPA is offered in the form of a standard template; counter-signed copies are available from dpo@ctx-guard.com.
1. Parties
- Controller: the Customer entity that has entered into a subscription or trial agreement to use Context Guard.
- Processor: Burrell Digital LTD, a company registered in England & Wales.
2. Subject Matter & Duration
The Processor will process personal data on behalf of the Controller solely to provide the Service. This DPA remains in force for the duration of the underlying subscription and for any retention period required by law thereafter.
3. Nature & Purpose of Processing
The Processor processes personal data contained within AI traffic (prompts, completions, metadata) routed through the Context Guard proxy or SDK, for the purpose of security analysis: prompt injection detection, PII identification and redaction, jailbreak detection, and policy enforcement as configured by the Controller.
4. Categories of Data & Data Subjects
- Categories of data: any personal data the Controller chooses to send through the Service via prompts, completions, or attached metadata. This may include identifiers, content data, and contextual data.
- Data subjects: the Controller's end users, employees, or any individuals whose data the Controller processes through LLMs.
5. Processor Obligations
- Process personal data only on documented instructions from the Controller, including this DPA and the Service configuration.
- Ensure persons authorised to process the data are bound by confidentiality.
- Implement the security measures described in Section 7.
- Assist the Controller in responding to data subject requests and in fulfilling DPIA / breach-notification obligations.
- At the Controller's choice, delete or return personal data at the end of provision of the Service, subject to legal retention obligations.
6. Sub-processors
The Controller authorises the Processor to engage the following sub-processors:
- Supabase — managed Postgres database and authentication.
- Stripe — payment processing for paid subscriptions.
- Vercel — application hosting and edge delivery.
Each sub-processor is bound by data-protection obligations equivalent to those in this DPA. The Processor will provide reasonable advance notice of any new or replacement sub-processor and the Controller may object on reasonable data-protection grounds.
7. Security Measures
The Processor implements appropriate technical and organisational measures including:
- Encryption in transit (TLS 1.2+) and at rest for stored data.
- Role-based access controls and the principle of least privilege.
- Multi-factor authentication for administrative access.
- Audit logging of administrative and data-access actions.
- Continuous monitoring and incident-response procedures.
- Regular review of access rights and security configuration.
8. Personal Data Breach Notification
The Processor will notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting the Controller's data. The notification will include, to the extent known, the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.
9. Data Retention & Deletion
- Customer account data is retained for the duration of the active subscription and for 90 days after the account is deleted.
- Security logs are retained for 12 months.
- On termination, the Controller may request return or deletion of personal data; deletion will be completed within 90 days save where retention is required by law.
10. International Transfers
Where personal data is transferred outside the UK or EEA, the Processor relies on UK adequacy decisions, the EU–UK adequacy decision, or Standard Contractual Clauses with the UK International Data Transfer Addendum, as applicable.
11. Audit Rights
The Processor will make available to the Controller information reasonably necessary to demonstrate compliance with this DPA. The Controller may, on reasonable prior written notice and not more than once per year (except following a confirmed breach), audit the Processor's compliance, subject to reasonable confidentiality and security restrictions. Audits may be conducted via responses to a security questionnaire or reports from independent third-party auditors.
12. Liability
Each party's liability arising under or in connection with this DPA is subject to the limitations of liability set out in the underlying Terms of Service.
13. Governing Law
This DPA is governed by the laws of England & Wales. Disputes are subject to the exclusive jurisdiction of the courts of England & Wales.
14. Contact
To request a counter-signed DPA or for any data-protection enquiry, email dpo@ctx-guard.com.