Data Processing Agreement
Last updated: April 16, 2026
1. Parties
This Data Processing Agreement ("DPA") is entered into between the Customer ("Data Controller") and ShieldPi ("Data Processor"), operated by ShieldPi Inc.
2. Scope of Processing
ShieldPi processes data solely for the purpose of performing automated security assessments of the Customer's LLM systems. Data processed includes: LLM API endpoints, model responses to security test prompts, and scan configuration metadata.
3. Data Controller Obligations (GDPR Article 28)
- Ensure lawful basis for processing under GDPR Articles 6 and 9
- Provide clear instructions for data processing activities
- Notify ShieldPi of any data subject access requests
4. Data Processor Obligations
- Process data only on documented instructions from the Controller
- Ensure persons authorized to process data are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Assist the Controller with data subject rights requests
- Delete or return all personal data at the end of the service
- Make available all information necessary to demonstrate compliance
5. Sub-Processors
ShieldPi uses the following sub-processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Hetzner | Backend infrastructure hosting | Germany (EU) |
| Vercel | Frontend hosting | United States |
| Stripe | Payment processing | United States |
| Resend | Transactional email | United States |
| NVIDIA | LLM Judge API | United States |
6. Data Retention
- Free plan: 7 days
- Pro plan: 90 days
- Team plan: 365 days
- Enterprise plan: Custom retention period
7. Breach Notification
ShieldPi will notify the Data Controller within 72 hours of becoming aware of a personal data breach, in accordance with GDPR Article 33.
8. Contact
For DPA-related inquiries: support@shieldpi.io