Data Processing Agreement

In accordance with GDPR Article 28

Last updated: April 2026

1. Parties

This Data Processing Agreement (“DPA”) is entered into between Senthex SAS (“Processor”), a company incorporated in France, and the Customer (“Controller”) accessing Senthex services under the Terms of Service.

2. Subject matter and duration

The Processor provides an AI security proxy service that intercepts, analyzes, and forwards API requests on behalf of the Controller. Processing takes place for the duration of the service agreement and ceases upon termination.

3. Nature and purpose of processing

The Processor processes data for the purpose of detecting security threats (prompt injection, PII leaks, data exfiltration) in real-time API traffic. Processing is carried out as a stateless reverse proxy. By default, the Processor does not store request or response content — only metadata (timestamps, shield scores, threat classifications) is retained.

4. Types of personal data and categories of data subjects

The types of personal data processed depend on the content of API requests routed through the service. This may include names, email addresses, and other identifiers present in prompts or responses. Data subjects may include end users of the Controller's applications.

5. Obligations of the Processor

The Processor shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure that persons authorized to process data are bound by confidentiality
  • Implement appropriate technical and organizational security measures (Article 32 GDPR)
  • Not engage sub-processors without prior written authorization from the Controller
  • Assist the Controller in responding to data subject rights requests
  • Delete or return all personal data upon termination of services
  • Make available all information necessary to demonstrate compliance with this Article

6. Security measures

The Processor implements the following technical and organizational measures: encryption in transit (TLS 1.3), encryption at rest for metadata logs, access controls limited to authorized personnel, infrastructure hosted in Germany (Hetzner), no data retention of request/response content by default, and regular security assessments.

7. International transfers

All processing takes place within the European Economic Area. No transfers to third countries occur without prior notification and appropriate safeguards.

8. Sub-processors

The Processor currently uses the following sub-processors: Hetzner Online GmbH (infrastructure, Germany). The Controller authorizes the use of these sub-processors. The Processor shall notify the Controller of intended changes at least 30 days in advance.

9. Data breach notification

The Processor shall notify the Controller of any personal data breach without undue delay and at most within 72 hours of becoming aware, to the extent this is feasible.

10. Contact

For DPA-related queries: legal@senthex.com