GDPR Compliance

The General Data Protection Regulation (GDPR) sets the standard for data privacy in the European Union. AgentAIShield is committed to full compliance with GDPR requirements. This page describes how we implement those requirements in practice — as both a data controller for our own customers and a data processor when handling data on behalf of our customers' end users.

1. Data Controller

For the purposes of GDPR, the data controller responsible for your personal data is:

• Company: AgentAIShield by You! Ventures LLC
• Address: Austin, TX, United States
• Email: [email protected]
• DPO: [email protected]

When you use AgentAIShield to monitor your own AI agents, you are the data controller for your end users' data, and AgentAIShield acts as your data processor. Our Data Processing Agreement governs that relationship.

2. Legal Basis for Processing

We process personal data only when we have a lawful basis under GDPR Article 6. The basis depends on the type of processing:

2.1 Contract Performance (Article 6(1)(b))

Processing necessary to deliver the Service you've signed up for, including:

• Account creation and authentication
• Proxying and analyzing your AI agent requests in real time
• Generating Trust Scores and compliance reports
• Billing and payment processing
• Customer support and service communications

2.2 Legitimate Interests (Article 6(1)(f))

Processing necessary for our legitimate interests, which don't override your rights, including:

• Security monitoring — detecting abuse, fraud, and unauthorized access to protect all customers
• Product improvement — aggregated, anonymized analytics to improve detection accuracy and platform performance
• Legal defense — maintaining records to defend against legal claims

2.3 Consent (Article 6(1)(a))

Processing based on your explicit, freely given consent, including:

• Marketing communications — product newsletters and announcements. Withdrawal of consent does not affect lawfulness of prior processing.
• Full request body logging — available as an opt-in feature on Business+ plans. Requires your explicit activation and is covered by the DPA.

3. Data We Process

We process the minimum data necessary to deliver the Service. Here is exactly what we collect and why:

3.1 Request Logs (Input/Output Metadata)

When your AI agents route requests through AgentAIShield, we log metadata only by default — not raw prompts or completions. Metadata includes: timestamp, model provider, model name, API key ID, latency, token counts (prompt/completion), HTTP status code, and request ID. Raw content is processed in-memory for inspection and immediately discarded unless you opt in to full logging.

3.2 PII Detection Results

Our PII detection engine identifies sensitive data in request/response content. We store the result of that detection — entity types found (e.g., "email address," "phone number"), confidence scores, and actions taken (allowed/redacted/blocked) — not the PII values themselves. Your users' actual PII never persists in our systems under the default configuration.

3.3 Trust Scores

Agent Trust Scores™ are computed from aggregated behavioral signals per API key: PII leak rates, injection attempt rates, response consistency, and data handling patterns. These scores are associated with your API keys and organization — not with any individual end user.

3.4 Usage Metrics

We may collect anonymized dashboard usage data (pages visited, features used, session duration) to improve the product. This data is not linked to your request traffic or monitoring data, and is processed under legitimate interests.

3.5 Account Information

Name, email address, hashed password, organization name, team member names and emails, billing contact information (Stripe customer ID; no full card numbers), and communication preferences.

4. Your Data Subject Rights

Under GDPR, you have the following rights regarding your personal data. We respond to all requests within 30 days (or 72 hours for breach notifications). Complex requests may be extended by up to 60 additional days with notification.

5. Data Processing Agreement

When you use AgentAIShield to process data on behalf of your own users or customers, you are the data controller and we are your data processor under GDPR Article 28. A Data Processing Agreement (DPA) is required for this relationship.

• Business and Enterprise customers — A DPA is available upon request. Contact [email protected] with subject "DPA Request."
• What the DPA covers — Processing subject matter and duration, nature and purpose of processing, types of personal data, categories of data subjects, your instructions to us, and our obligations as processor
• Sub-processor obligations — Our DPA includes a list of approved sub-processors and our commitment to notify you before adding new ones
• Starter customers — A standard DPA is available. We work to make compliance accessible at every plan level.

6. Sub-Processors

We keep our sub-processor list minimal to reduce data exposure risk. Current sub-processors who may access personal data:

• Amazon Web Services (AWS) — Cloud infrastructure and hosting. Data stored in US-East-1 region. AWS is certified under multiple compliance frameworks including ISO 27001, SOC 2, and is an approved transfer mechanism under SCCs.
• Railway — Ancillary service hosting. Used for non-customer-data workloads (build pipelines, preview environments). Personal data is not processed on Railway infrastructure.
• Stripe — Payment processing. Processes billing contact name, email, and card details (PCI-DSS Level 1 certified). Stripe is EU-US DPF certified.
• Resend / Postmark — Transactional email delivery. Processes email addresses for the purpose of delivering account and service notifications only.

We do not use advertising networks, data brokers, or analytics platforms that process personal data from your agent traffic. A complete and up-to-date sub-processor list is included in the DPA and available upon request.

7. International Data Transfers

AgentAIShield is based in the United States. When personal data is transferred from the EU/EEA to the US, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) — We rely on the European Commission's updated SCCs (2021) as the primary transfer mechanism for EU-US data transfers. SCCs are incorporated into our DPA.
• Sub-processor SCCs — All sub-processors handling EU personal data have SCCs in place or are certified under an approved adequacy framework (e.g., EU-US Data Privacy Framework)
• Transfer Impact Assessments — We have conducted TIAs for our primary data flows and maintain documentation available to Enterprise customers upon request
• UK transfers — Transfers from the UK are covered by the UK International Data Transfer Agreement (IDTA), which mirrors the SCC framework
• Swiss transfers — Covered under the Swiss Federal Act on Data Protection (FADP) supplementary clauses

8. Data Retention

We retain personal data for the minimum period necessary, consistent with our contractual and legal obligations:

• Request logs and monitoring data — Default 90 days on Business plan. Configurable within plan limits: 30 days (Free), 30 days (Starter), 90 days (Business), 1 year (Enterprise). Data is automatically purged after the configured period.
• Account data — Retained for the lifetime of the account. Upon account deletion, personal data is purged within 30 days. Backups containing personal data are purged within 90 days of deletion.
• Billing records — Retained for 7 years per tax and financial regulations (legal obligation basis)
• Support communications — 2 years from last interaction
• GDPR rights request records — 3 years (for compliance audit trail purposes)

9. Data Protection Officer

Given the nature of our business — processing data about AI agent behavior, including potential PII detection — we have designated a Data Protection Officer to ensure ongoing GDPR compliance.

• DPO Contact: [email protected]
• Scope: The DPO oversees all data protection activities, handles GDPR rights requests, responds to supervisory authority inquiries, and advises on data protection impact assessments (DPIAs)
• Response time: The DPO acknowledges all inquiries within 5 business days and provides a substantive response within 30 days
• Supervisory authority: If you are unsatisfied with our response, you have the right to lodge a complaint with your local EU/EEA data protection authority (DPA). A list of national DPAs is available at edpb.europa.eu.

10. Breach Notification

In the event of a personal data breach, we are committed to the following timeline and process:

• Supervisory authority notification — Per GDPR Article 33, we will notify the relevant lead supervisory authority within 72 hours of becoming aware of a breach that poses a risk to individuals' rights and freedoms
• Customer notification — Affected customers (data controllers) are notified within 72 hours so they can fulfill their own Article 33 obligations to their supervisory authorities
• Data subject notification — If a breach is likely to result in a high risk to individuals (Article 34), we notify affected data subjects without undue delay, in plain language, with actionable guidance
• Notification content — Notifications include: nature of the breach, categories and approximate number of data subjects and records affected, name and contact of our DPO, likely consequences of the breach, and measures taken or proposed to address it
• Post-incident review — Every notifiable breach results in a written root cause analysis and remediation plan, shared with affected customers upon request