Data Processing Addendum
Our standard DPA, sub-processor list, and the safeguards we use for international transfers. A signed PDF is available on request from legal@aiwarden.com.
Scope
This DPA applies where AI Warden AG processes personal data on behalf of an enterprise customer (the “Controller”) under a Master Subscription Agreement. It implements processor obligations under the Swiss Federal Act on Data Protection (FADP) and, where applicable, Article 28 GDPR.
Parties and roles
- Controller — the customer, deciding purposes and means of processing.
- Processor — AI Warden AG, processing personal data only on documented instructions.
- Sub-processor — approved third parties engaged to provide defined service components.
Subject-matter, duration, nature, purpose
- Subject-matter: Personal data routed through AI Warden by the Controller.
- Duration: For the term of the agreement plus retention periods set in the Order Form.
- Nature: Storage, routing, policy evaluation, redaction, logging, and access control for LLM and MCP traffic.
- Purpose: Delivery, security, governance, and compliance features of the AI Warden service.
Data subjects and data categories
Determined by the Controller. Typical data subjects include customer employees, contractors, and end users represented in prompts or tool-call payloads. Typical data categories include identifiers, business contact data, operational metadata, and any content the Controller submits.
Deployment and data residency
AI Warden AG provides hosted software deployments configured in customer-selected regions according to contract terms and data residency requirements.
Security measures
Security controls are defined in our Security Policy and Annex II of the DPA, including encryption in transit and at rest, identity-rooted access controls, signed audit evidence, segregation of duties, secure SDLC, and regular external testing.
Sub-processors
The current sub-processor list is shown below. Customers are notified at least 30 days before material changes. Objections are handled under the DPA change-control process.
For self-hosted deployments, customer production traffic remains in the customer environment and does not rely on AI Warden-managed production sub-processors.
International transfers
Where personal data leaves Switzerland or the EEA, AI Warden AG applies the EU Standard Contractual Clauses (2021/914, Module 2 and/or Module 3 as applicable), with Swiss law adaptation where required, plus supplementary technical and organisational measures. Transfer impact assessments are available on request.
Data subject requests
AI Warden AG assists Controllers in responding to data subject requests under GDPR and FADP, including access, rectification, deletion, restriction, portability, and objection, within the limits of its processor role and applicable law.
Audit rights
Controllers may audit AI Warden AG’s compliance with this DPA in line with GDPR Article 28(3)(h) and equivalent FADP processor obligations. Audit evidence is provided primarily via documented assurance (security policy, penetration-test summary, and compliance artefacts), with on-site audit available on reasonable notice.
Personal data breach
AI Warden AG notifies affected Controllers without undue delay after becoming aware of a personal data breach affecting Controller data. Notifications include known facts, likely impact, and mitigation status so Controllers can meet their own legal notification duties.
Return and deletion
At termination, personal data is returned or deleted according to customer instruction and contractual retention settings, subject to mandatory legal retention. Evidence and audit records are retained only as contractually required or legally mandated.
Contact
For signed DPA copies, transfer annexes, or sub-processor notices, contact legal@aiwarden.com.