Data Processing Addendum
Effective June 10, 2026 · Applies when AEGIS processes Customer Personal Data under GDPR, UK GDPR, or EEA equivalents.
TL;DR for legal review
- AEGIS acts as processor; Customer is controller.
- EU Standard Contractual Clauses (2021/914) are incorporated by reference for transfers out of the EEA.
- Sub-processors are listed publicly at /privacy §6; 30 days' notice for additions on Enterprise tier.
- Breach notification within 72 hours of confirmed incident.
- Data deletion within 30 days of termination; on-request export in JSON or CSV.
1. Roles + scope
Customer is the controller of all Customer Personal Data submitted via the AEGIS hosted gateway. AEGIS is a processor acting strictly on Customer's documented instructions, which are the contents of this DPA and Customer's normal use of the service.
2. Permitted purposes
AEGIS processes Customer Personal Data solely to:
- Provide the AEGIS service (intercept, classify, audit, retain tool-call traces).
- Maintain security (detect abuse, block attacks).
- Bill the Customer.
- Respond to Customer instructions and legal requests.
AEGIS will not use Customer Personal Data to train models or for any commercial purpose beyond providing the service.
3. Sub-processors
AEGIS engages the sub-processors listed at /privacy §6. Enterprise customers are notified at least 30 days before a new sub-processor is added; you can object in writing and we will work in good faith to resolve the objection.
4. International transfers
Where Customer Personal Data is transferred from the EEA, UK, or Switzerland to a third country without an adequacy decision, the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) — Module Two (Controller → Processor) — are incorporated into this DPA by reference. The UK Addendum to the SCCs applies for UK GDPR transfers.
5. Security
AEGIS maintains technical and organisational measures including:
- TLS 1.2+ in transit; AES-256 at rest.
- RBAC + SCIM + SAML + OIDC for identity.
- Immutable audit log on RFC 6962 Merkle tree.
- Quarterly access reviews.
- Penetration test annually (first one scheduled 2026 Q4).
Full technical posture at /security.
6. Personal Data breach notification
AEGIS will notify Customer of any confirmed Personal Data Breach affecting Customer Personal Data without undue delay and in any event within 72 hours of confirmation. The notification will include the nature of the breach, affected data categories, estimated number of data subjects, and mitigation steps.
7. Data subject rights
Customer is the contact point for data subject requests. AEGIS will assist Customer in responding to requests under Articles 15-22 GDPR within 14 days of a written request, at no additional cost.
8. Audits
Customer may audit AEGIS's compliance with this DPA up to once per calendar year, on 30 days' written notice. AEGIS may meet audit obligations by providing third-party audit reports (SOC 2 Type II, ISO 27001) when available.
9. Deletion + return
On termination, AEGIS will delete Customer Personal Data within 30 days unless Customer requests export first. Free-tier data is deleted on account deletion; paid-tier data on the contract end date.
10. Liability + governing law
Liability under this DPA is subject to the cap in the main Terms of Service. Governing law: California (US), or as agreed in a separate signed MSA.
11. Signature
This DPA forms part of the AEGIS Terms of Service. Acceptance of the Terms (online click-through or signed MSA) constitutes acceptance of this DPA for any Customer Personal Data subject to GDPR / UK GDPR / EEA equivalents.
Customers requiring a counter-signed PDF version with their own legal entity details: email legal@aegis.dev.
This DPA is the v1 self-drafted version. A professionally reviewed revision is planned for 2026 Q3 alongside SOC 2 Type II. Enterprise customers will be notified when v2 is available for signature.