Data Processing Agreement (DPA)
Last updated: 19 April 2026
This Data Processing Agreement ("DPA") supplements the Terms of Service between Florian Wessels — flossels.ch ("Processor", operating the Gardeo platform) and the Customer ("Controller") and applies to all processing of personal data through the Gardeo platform.
1. Scope
This DPA applies to all personal data processed through the Gardeo platform, including data contained in AI prompts, responses, uploaded documents, and user account information. It governs the relationship between the Controller (Customer) and the Processor (Gardeo) in accordance with Article 28 of the GDPR and Article 9 of the Swiss nDSG.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on personal data, including pseudonymization, transmission to AI providers, storage, and deletion.
- Sub-processor: A third party engaged by the Processor to process personal data on behalf of the Controller.
- Pseudonymization: The processing of personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information (mapping keys).
3. Processing Details
3.1 Purpose of Processing
Personal data is processed to provide AI-assisted text generation, document analysis, and related services. All personal data in prompts is automatically pseudonymized before transmission to AI providers. The PII Engine recognizes 42+ entity types across 4 languages, including names, addresses, social security numbers, health conditions, financial data, and sensitive categories defined under nDSG Art. 5 lit. c. Organizations can additionally define custom entity types (e.g., employee IDs, project codes) with configurable detection rules and sensitivity thresholds.
3.2 Categories of Personal Data
- Names, email addresses, contact details (user accounts)
- Any personal data contained in user prompts and uploaded documents
- Usage data (timestamps, model selections, token counts)
- Billing information (company name, address, VAT ID)
3.3 Categories of Data Subjects
- Employees and authorized users of the Customer
- Third parties whose personal data appears in prompts or documents
4. Obligations of the Processor
Gardeo shall:
- Process personal data only on documented instructions from the Controller.
- Ensure that persons authorized to process personal data have committed to confidentiality.
- Implement appropriate technical and organizational measures (TOM) to ensure security of processing, including encryption in transit (TLS 1.3), pseudonymization by default, and access controls.
- Assist the Controller in fulfilling data subject requests (access, rectification, erasure, portability).
- Delete or return all personal data upon termination of the agreement, at the Controller's choice.
- Make available all information necessary to demonstrate compliance and allow for audits.
5. Sub-processors
The Controller grants general authorization for the use of the sub-processors listed below. Gardeo will inform the Controller of any intended changes to this list at least 30 days in advance. The Controller may object to changes within 14 days.
5.1 Infrastructure Sub-processors
| Sub-processor | Purpose | Data Location | Transfer Mechanism |
|---|---|---|---|
| Vercel Inc. | Web application hosting, CDN, serverless functions | Frankfurt, EU | SCCs |
| Amazon Web Services EMEA SARL — European Sovereign Cloud | Database (RDS), file storage (S3), PII engine hosting (ECS Fargate) | Brandenburg, DE (eusc-de-east-1) | EU entity, operated under EU jurisdiction, no international transfer |
| Upstash Inc. | Managed Redis (rate limiting, background job queue, session cache, pub/sub) | Frankfurt, EU (eu-central-1) | SCCs |
| Brevo (Sendinblue) | Transactional emails, newsletter | Paris / Berlin, EU | EU entity |
| Sentry (Functional Software Inc.) | Error monitoring and performance tracking | EU (eu.sentry.io) | SCCs |
| Stripe Inc. | Payment processing, subscription management | US | SCCs |
| Mixpanel Inc. | Pseudonymized usage analytics (server-side only, user-ID only, no cookies) | EU (api-eu.mixpanel.com) | SCCs |
| SearXNG (self-hosted) | Privacy-first metasearch engine for web search and deep research features | Brandenburg, DE (eusc-de-east-1) | Self-hosted, no third-party transfer |
| BoxyHQ SAML Jackson (embedded library) | SAML 2.0 SSO protocol handling for enterprise single sign-on | In-process within Gardeo webapp (Vercel Frankfurt) and database (eusc-de-east-1) | Open-source library, no external processing |
5.2 AI Model Providers
AI model providers receive only pseudonymized data. Personal data (names, addresses, phone numbers, identification numbers, etc.) is automatically replaced with placeholders before any data leaves Gardeo infrastructure. The mapping between placeholders and original data is stored exclusively within Gardeo's EU infrastructure and is never shared with AI providers.
| Sub-processor | Purpose | Data Location | Transfer Mechanism |
|---|---|---|---|
| Anthropic PBC | AI language model (Claude) | US | SCCs |
| OpenAI Inc. | AI language model (GPT), image generation (DALL-E) | US | SCCs |
| Google LLC | AI language model (Gemini), image generation | US | SCCs |
| Mistral AI SAS | AI language model (Mistral) | EU (France) | EU entity |
| xAI Corp. | AI language model (Grok) | US | SCCs |
| Perplexity AI Inc. | AI language model with web search (Sonar) | US | SCCs |
| DeepSeek AI* | AI language model (DeepSeek) | China | Art. 49 GDPR |
* Available only after explicit user consent. Data is automatically pseudonymized before transmission. China does not have an adequacy decision from the European Commission. Transfer is based on explicit consent of the data subject pursuant to Art. 49(1)(a) GDPR, after being informed of the possible risks.
5.3 Enterprise Integration Providers
When the Controller connects third-party data sources for Enterprise Search, Gardeo accesses data from these services via OAuth or API keys on behalf of the Controller. Data is indexed and stored within Gardeo's EU infrastructure. These integrations are optional and only activated by the Controller.
| Provider | Purpose | Data Accessed |
|---|---|---|
| Google LLC (Google Drive) | Document indexing for Enterprise Search | Files, folders, metadata |
| Google LLC (Gmail) | Email indexing for Enterprise Search, workflow email triggers | Email messages, metadata |
| Microsoft Corp. (Microsoft 365) | Document and email indexing for Enterprise Search | SharePoint files, Outlook messages, OneDrive files |
| Slack Technologies (Salesforce) | Channel message indexing for Enterprise Search | Channel messages, threads |
| Notion Labs Inc. | Page and database indexing for Enterprise Search | Pages, databases, metadata |
| Atlassian (Confluence) | Page indexing for Enterprise Search | Pages, blog posts, metadata |
| Salesforce Inc. | Knowledge article indexing for Enterprise Search | Knowledge articles, contacts, cases |
| HubSpot Inc. | Document and contact indexing for Enterprise Search | Contacts, files, deals |
6. Data Subject Rights
Gardeo assists the Controller in responding to data subject requests including: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and objection (Art. 21). Users can export their data and request account deletion through the platform settings.
7. Data Breach Notification
Gardeo shall notify the Controller without undue delay, and no later than 48 hours, after becoming aware of a personal data breach. The notification shall include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
8. Data Deletion and Return
Upon termination of the agreement, Gardeo shall, at the Controller's choice, delete or return all personal data within 30 days. PII mapping data is automatically deleted after 24 hours. Conversation data can be exported by users at any time. Backups are purged within 90 days of deletion.
9. Audit Rights
The Controller has the right to conduct audits, including inspections, to verify compliance with this DPA. Gardeo shall contribute to such audits and make available all necessary information. Audits shall be conducted with reasonable prior notice and during normal business hours.
10. Term and Termination
This DPA shall remain in effect for the duration of the Terms of Service. Obligations regarding data protection shall survive termination of this DPA.
11. Contact
For DPA inquiries, data subject requests, or to report a data breach:
Email: support@gardeo.ai
Florian Wessels — flossels.ch
Lorzenparkstrasse 23, 6330 Cham, Switzerland