Data Processing Agreement
Last updated: February 9, 2026
This Data Processing Agreement ("DPA") is entered into between:
Controller: The entity identified in Section 2 below ("Controller," "you," or "Customer")
Processor: Haamu.ai, operated by Ville Murtonen, sole trader (toiminimi), Helsinki, Finland ("Processor," "we," "us," or "Haamu.ai")
Together referred to as the "Parties" and each a "Party."
This DPA supplements and forms part of any agreement between the Parties under which Haamu.ai processes personal data on behalf of the Controller (the "Principal Agreement"), including use of the Haamu.ai service under the Terms of Service published at haamu.ai/terms.
This DPA is drafted in accordance with Article 28 of Regulation (EU) 2016/679 (the "GDPR") and takes into account the European Commission's standard contractual clauses between controllers and processors under Article 28(7) GDPR (Commission Implementing Decision (EU) 2021/915). Transfers of personal data to Sub-processors outside the EU rely on the standard contractual clauses for international transfers (Commission Implementing Decision (EU) 2021/914), as described in Section 12.
1. Definitions
In this DPA, the following terms have the meanings set out below. Terms not defined here have the meanings given to them in the GDPR or the Principal Agreement.
- "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, as identified in Section 2.
- "Data Subject" means an identified or identifiable natural person whose personal data is processed under this DPA.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- "Personal Data" means any information relating to a Data Subject that is processed by the Processor on behalf of the Controller in connection with the Service.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
- "Processing" means any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Processor" means Haamu.ai, which processes personal data on behalf of the Controller.
- "Service" means the Haamu.ai text anonymization service, including PII Ghost, Style Ghost, and Full Ghost modes, as described at haamu.ai and in the Principal Agreement.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Commission Implementing Decision (EU) 2021/914.
- "Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller in connection with the Service.
- "Supervisory Authority" means an independent public authority established by an EU Member State pursuant to Article 51 of the GDPR. The lead supervisory authority for Haamu.ai is the Finnish Data Protection Ombudsman (Tietosuojavaltuutetun toimisto).
2. Scope, Roles, and Processing Details
2.1 Controller identification
Organization name: ________________________________________
Registered address: ________________________________________
Registration number: ________________________________________
Contact person: ________________________________________
Contact email: ________________________________________
Data protection officer (if applicable): ________________________________________
2.2 Roles
The Controller determines the purposes and means of the processing of personal data. The Controller decides what text to submit to the Service, which processing modes to use, and which AI provider to select (where applicable).
The Processor (Haamu.ai) processes personal data solely on behalf of the Controller and in accordance with the Controller's documented instructions as set out in this DPA and the Principal Agreement. The Processor does not determine the purposes or means of processing.
2.3 Processing details
The details of the processing are set out in Annex I to this DPA. In summary:
- Subject matter: Text anonymization and stylometric transformation
- Duration: For the duration of the Principal Agreement, plus any mandatory retention period required by applicable law
- Nature and purpose: The Processor receives text submitted by the Controller, detects and removes personal data (PII Ghost), rewrites text to alter stylometric fingerprint (Style Ghost), or performs both operations sequentially (Full Ghost), and returns the processed text to the Controller
- Types of personal data: Any personal data contained in text submitted by the Controller, which may include names, email addresses, phone numbers, physical addresses, identification numbers, dates of birth, financial identifiers, and any other personal data present in the submitted text
- Categories of data subjects: Determined by the Controller; may include any individuals whose personal data appears in the submitted text
2.4 Special categories of data
The Controller acknowledges that special categories of personal data (Article 9 GDPR) or data relating to criminal convictions and offences (Article 10 GDPR) may be present in text submitted to the Service. The Controller is solely responsible for ensuring that a lawful basis exists for the processing of any such data, and that appropriate safeguards are in place. The Processor processes all submitted text uniformly and does not distinguish between categories of personal data.
3. Controller's Instructions
3.1 Instruction framework
The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by Union or Member State law to which the Processor is subject. In that case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such notification on important grounds of public interest.
3.2 Documented instructions
The Controller's instructions to the Processor are documented in and limited to:
- This DPA and its Annexes
- The Principal Agreement (including the Terms of Service)
- The Controller's selection of processing mode (PII Ghost, Style Ghost, or Full Ghost) and AI provider (Anthropic Claude or OpenAI GPT-4.1) through the Service interface at the time of each request
- Any additional written instructions agreed by the Parties and documented in writing
3.3 Conflicting instructions
If the Processor considers that an instruction from the Controller infringes the GDPR or other Union or Member State data protection provisions, the Processor shall immediately inform the Controller. The Processor may suspend performance of the relevant instruction until the Controller confirms or modifies the instruction.
4. Confidentiality
4.1 Confidentiality obligation
The Processor shall ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.2 Scope of obligation
The confidentiality obligation applies to all personal data processed under this DPA and continues after the termination of this DPA and the Principal Agreement.
4.3 Architectural confidentiality measures
The Processor has implemented the following measures to protect confidentiality by design:
- No text submitted by the Controller is stored, logged, or persisted to disk on the Processor's infrastructure. All processing occurs in memory and is discarded immediately after the response is returned.
- In Full Ghost mode, personal data is detected and removed from the text on the Processor's server in Helsinki before any text is transmitted to a Sub-processor (AI provider). The AI provider receives only the PII-stripped text. Because detection is probabilistic (Section 13.3), the Controller should not assume that no residual personal data reaches the AI provider.
- Access to production infrastructure is restricted to authorized personnel of the Processor on a need-to-know basis.
5. Security Measures (Article 32 GDPR)
5.1 Obligation
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
5.2 Measures
The specific technical and organizational measures implemented by the Processor are described in Annex II to this DPA. These measures include, at a minimum:
- Zero data retention: No submitted text is stored on the Processor's infrastructure. Processing is performed entirely in memory.
- Encryption in transit: All data transmitted between the Controller and the Processor is encrypted using TLS 1.2 or higher, with HSTS headers enforced.
- EU-based infrastructure: The Processor's server is hosted by Hetzner Online GmbH in Helsinki, Finland (EU). PII Ghost processing occurs entirely within EU infrastructure.
- PII stripping before external transmission: In Full Ghost mode, personal data is detected and removed by Microsoft Presidio (running locally on the Processor's server) before any text is transmitted to AI providers.
- Access control: Production server access is restricted via SSH key-based authentication. No password-based access is permitted.
- Security headers: The Service enforces strict Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy headers.
- Rate limiting: Per-IP rate limiting is enforced to prevent abuse and denial-of-service attacks.
- Minimal data collection: No cookies, no analytics, no tracking. IP addresses are used only for rate limiting and usage tracking; they are not stored in raw form, but as keyed HMAC-SHA256 hashes that are purged after 90 days (Annex II, item 7).
- Input validation and sanitization: All API inputs are validated and sanitized. Error responses do not echo back user input to prevent PII leakage.
5.3 Review and updates
The Processor shall regularly review and, where necessary, update the security measures. The Processor shall not reduce the overall level of security below the level in place at the time this DPA is entered into, unless agreed in writing by the Controller.
6. Sub-processor Management
6.1 General authorization
The Controller provides the Processor with general written authorization to engage Sub-processors for the purpose of providing the Service. The current list of authorized Sub-processors is set out in Annex III to this DPA.
6.2 Conditions for engaging Sub-processors
When engaging a Sub-processor, the Processor shall:
- Impose on the Sub-processor, by way of a contract or other legal act under Union or Member State law, the same data protection obligations as set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures
- Remain fully liable to the Controller for the performance of the Sub-processor's obligations
- Ensure that the Sub-processor provides sufficient guarantees regarding the implementation of appropriate technical and organizational measures
6.3 Notification of changes
The Processor shall notify the Controller of any intended addition or replacement of a Sub-processor at least 30 calendar days before the engagement of the new or replacement Sub-processor. The notification shall include the identity of the Sub-processor, the processing it will perform, and the location of processing.
6.4 Right to object
The Controller may object to the appointment or replacement of a Sub-processor within 14 calendar days of receiving the notification under Section 6.3. The objection must be in writing and based on reasonable grounds relating to data protection. If the Controller objects:
- The Processor shall make reasonable efforts to provide the Controller with an alternative solution that avoids the use of the objected-to Sub-processor
- If no alternative is reasonably available, either Party may terminate the Principal Agreement and this DPA with 30 days' written notice, without penalty to either Party
6.5 Controller's choice of Sub-processor
The Controller acknowledges that the selection of AI provider (Anthropic Claude or OpenAI GPT-4.1) for Style Ghost and Full Ghost modes is made by the Controller at the time of each request through the Service interface. By selecting a specific AI provider, the Controller instructs the Processor to transmit the relevant data to that Sub-processor for processing.
6.6 Current Sub-processors
The complete list of current Sub-processors, including their roles and processing locations, is set out in Annex III. A summary is provided below:
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic PBC | AI text rewriting (Claude API) | US (EU-processed for EU requests) |
| OpenAI, LLC | AI text rewriting (GPT-4.1 API) | United States |
| Hetzner Online GmbH | Server hosting and infrastructure | Helsinki, Finland (EU) |
| Polar.sh (Polar Software Inc.) | Payment processing (merchant of record) | EU/US |
7. Data Subject Rights Assistance
7.1 Obligation to assist
The Processor shall assist the Controller, by appropriate technical and organizational measures and insofar as this is possible, in fulfilling the Controller's obligation to respond to requests for exercising the Data Subject's rights under Chapter III of the GDPR (in particular Articles 15 to 22), including the rights of access, rectification, erasure, restriction of processing, data portability, and the right to object.
7.2 Nature of assistance
Given that the Processor does not store any submitted text or personal data on its infrastructure, the Processor's assistance in relation to data subject requests is limited to:
- Confirming to the Controller that no personal data submitted through the Service is retained on the Processor's servers
- Forwarding erasure or access requests to relevant Sub-processors (AI providers) under the Processor's data processing agreements with those Sub-processors, where the Controller has used Style Ghost or Full Ghost modes
- Providing the Controller with information about the Processor's data processing practices to the extent necessary for the Controller to respond to data subject requests
7.3 Notification of direct requests
If the Processor receives a request directly from a Data Subject regarding the processing of their personal data, the Processor shall promptly redirect the Data Subject to the Controller and notify the Controller of the request, unless otherwise instructed by the Controller.
8. Data Breach Notification
8.1 Notification obligation
The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting personal data processed on behalf of the Controller.
8.2 Content of notification
The notification shall include, at a minimum:
- A description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of personal data records concerned
- The name and contact details of the Processor's contact point from whom more information can be obtained
- A description of the likely consequences of the Personal Data Breach
- A description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects
8.3 Phased notification
Where it is not possible to provide all information at the same time, the information may be provided in phases without undue further delay. Each subsequent communication shall reference the original notification.
8.4 Cooperation
The Processor shall cooperate with the Controller and take all reasonable steps to assist in the investigation, mitigation, and remediation of the Personal Data Breach. The Processor shall document all Personal Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken.
8.5 Risk context
The Parties acknowledge that because the Processor does not store submitted text on its infrastructure, the risk profile for data breaches on the Processor's primary infrastructure is materially limited. However, this does not absolve the Processor of its notification obligations in respect of any breach that may occur, including breaches at Sub-processor level that the Processor becomes aware of.
9. Data Protection Impact Assessment and Prior Consultation Assistance
9.1 DPIA assistance
The Processor shall assist the Controller in carrying out a data protection impact assessment (DPIA) pursuant to Article 35 GDPR, where the Controller determines that such an assessment is necessary. The Processor shall provide the Controller with all information reasonably necessary to carry out the assessment, including information about the Processor's processing activities, technical and organizational measures, and Sub-processors.
9.2 Prior consultation assistance
The Processor shall assist the Controller in any prior consultation with the Supervisory Authority pursuant to Article 36 GDPR, to the extent reasonably required and upon the Controller's written request.
10. Data Deletion and Return
10.1 No retention by design
The Processor does not retain any personal data submitted through the Service. All text processing occurs in memory and is discarded immediately after the response is returned to the Controller. There is no stored personal data to delete or return upon termination.
10.2 Upon termination
Upon termination of this DPA or the Principal Agreement, and at the Controller's written request, the Processor shall:
- Confirm in writing that no personal data is retained on the Processor's infrastructure
- Forward deletion requests to relevant Sub-processors where applicable, particularly to AI providers (Anthropic and/or OpenAI) in respect of any data that may be retained by those providers within their safety monitoring retention periods (up to 30 days)
- Provide certification of deletion or non-retention upon the Controller's reasonable request
10.3 Sub-processor retention
The Controller acknowledges that AI providers engaged as Sub-processors (Anthropic and OpenAI) may retain API request data for up to 30 days for the purpose of safety monitoring and abuse prevention, in accordance with their respective data processing terms. The Processor shall use reasonable efforts to ensure that Sub-processors delete personal data in accordance with the Controller's instructions and applicable law.
11. Audit Rights
11.1 Right to audit
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
11.2 Audit procedure
Audits shall be subject to the following conditions:
- The Controller shall provide at least 30 calendar days' written notice prior to any audit
- Audits may be conducted no more than once per calendar year, unless required by a Supervisory Authority or in the event of a Personal Data Breach
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations
- The Controller (or its mandated auditor) shall comply with the Processor's reasonable security and confidentiality requirements
- The Controller shall bear its own costs in connection with the audit
11.3 Alternative evidence
The Processor may satisfy audit requests by providing:
- Certifications or audit reports from independent third-party auditors (such as SOC 2 or ISO 27001 reports) that cover the Processor's infrastructure and practices
- Written responses to reasonable written questions from the Controller regarding the Processor's compliance with this DPA
Where such alternative evidence is provided and reasonably addresses the Controller's concerns, the Controller shall consider this before exercising its right to conduct an on-site audit.
11.4 Obligation to inform
The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller pursuant to this Section infringes the GDPR or other Union or Member State data protection provisions.
12. International Data Transfers
12.1 General principle
The Processor shall not transfer personal data to a third country or an international organization unless required to do so by Union or Member State law, or in accordance with the Controller's instructions and subject to appropriate safeguards under Chapter V of the GDPR.
12.2 PII Ghost mode
When the Controller uses PII Ghost mode, all processing occurs on the Processor's server hosted by Hetzner Online GmbH in Helsinki, Finland (EU). No international data transfer takes place.
12.3 Style Ghost and Full Ghost with Anthropic (Claude)
When the Controller selects Anthropic as the AI provider, text is processed within EU infrastructure through Anthropic's multi-region processing capability (available since September 2025 for EU API requests). Data at rest may be stored in the United States. Transfers to the United States are subject to the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) between the Processor and Anthropic.
12.4 Style Ghost and Full Ghost with OpenAI (GPT-4.1)
When the Controller selects OpenAI as the AI provider, text is transferred to OpenAI's servers in the United States for processing. Transfers to the United States are subject to the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) between the Processor and OpenAI.
12.5 Full Ghost PII protection
When the Controller uses Full Ghost mode, the Processor first detects and removes personal data from the submitted text using Microsoft Presidio (running locally on the Processor's server in Helsinki) before transmitting the cleaned text to the selected AI provider. This means that the AI provider does not receive raw personal data. The Controller acknowledges that PII detection is probabilistic and not guaranteed to identify all personal data (see Section 13.3).
12.6 Transfer impact assessment
The Processor shall, upon the Controller's reasonable request, cooperate in conducting a transfer impact assessment for any international data transfer arising under this DPA.
13. Liability
13.1 GDPR liability
Each Party's liability under this DPA is subject to the liability provisions of the GDPR, in particular Articles 82 and 83. Nothing in this DPA limits or excludes either Party's liability to Data Subjects or Supervisory Authorities under the GDPR.
13.2 Inter-party liability
Liability between the Parties shall be governed by the liability provisions set out in the Principal Agreement (including the Terms of Service), subject to the following:
- The Processor shall be liable for damages caused by processing that does not comply with the obligations of the GDPR specifically directed to processors or with this DPA
- The Controller shall be liable for damages caused by processing that does not comply with the GDPR's obligations directed to controllers or with the Controller's instructions under this DPA
13.3 Limitation regarding PII detection
The Controller acknowledges and agrees that the PII detection functionality provided by the Service (PII Ghost and the PII removal stage of Full Ghost) uses Microsoft Presidio and is probabilistic in nature. The Processor does not warrant or guarantee that all personal data will be detected and removed from submitted text. The Controller is solely responsible for reviewing the output of the Service and verifying that it meets the Controller's requirements before any further use or disclosure.
13.4 Sub-processor liability
The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations in accordance with Article 28(4) GDPR.
14. Term and Termination
14.1 Term
This DPA shall commence on the date of countersignature by both Parties and shall continue in force for the duration of the Principal Agreement.
14.2 Termination
This DPA shall automatically terminate upon the termination or expiry of the Principal Agreement. Either Party may also terminate this DPA:
- If the other Party is in material breach of this DPA and fails to cure the breach within 30 calendar days of receiving written notice of the breach
- In the circumstances described in Section 6.4 (objection to Sub-processor changes)
14.3 Survival
The obligations of the Processor under Sections 4 (Confidentiality), 8 (Data Breach Notification), 10 (Data Deletion and Return), 11 (Audit Rights), and 13 (Liability) shall survive the termination of this DPA to the extent necessary for their fulfilment.
14.4 Governing law
This DPA shall be governed by and construed in accordance with Finnish law. Any dispute arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the courts of Helsinki, Finland, without prejudice to the right of Data Subjects to bring proceedings before the courts of the Member State in which they have their habitual residence.
Signatures
Controller
Name: ________________________________________
Title: ________________________________________
Date: ________________________________________
Signature: ________________________________________
Processor (Haamu.ai)
Name: ________________________________________
Title: ________________________________________
Date: ________________________________________
Signature: ________________________________________
Annex I: Processing Details
A. List of Parties
Data exporter (Controller): The entity identified in Section 2.1 of this DPA.
Data importer (Processor): Haamu.ai, operated from Helsinki, Finland. Contact: privacy@haamu.ai.
B. Description of the processing
Subject matter of the processing:
The Processor provides a text anonymization and stylometric transformation service. The Controller submits text containing personal data to the Service, and the Processor processes that text to detect and remove personal data, rewrite the text to alter its stylometric fingerprint, or both.
Duration of the processing:
Processing occurs for the duration of each individual request (typically seconds). No personal data is retained after the response is returned. The DPA remains in force for the duration of the Principal Agreement.
Nature of the processing:
- PII Ghost: Automated detection and replacement of personal data identifiers within text using natural language processing (Microsoft Presidio). All processing occurs on the Processor's server in Helsinki, Finland. Text is processed in memory and discarded immediately.
- Style Ghost: Automated rewriting of text by an AI language model (Anthropic Claude or OpenAI GPT-4.1, as selected by the Controller) to alter stylometric characteristics while preserving meaning. Text is transmitted to the selected AI provider's API for processing.
- Full Ghost: Sequential processing combining PII Ghost (local PII removal) followed by Style Ghost (AI rewriting of the cleaned text). Personal data is stripped locally before any text is transmitted to an AI provider.
Purpose of the processing:
To assist the Controller in anonymizing text by removing personal data identifiers and altering stylometric characteristics, thereby reducing the risk that the text can be attributed to or identify specific individuals.
Types of personal data processed:
Any personal data present in text submitted by the Controller, which may include but is not limited to:
- Names (first names, surnames, full names)
- Email addresses
- Phone numbers
- Physical addresses and locations
- Dates of birth and ages
- National identification numbers (e.g., Finnish henkilötunnus, social security numbers)
- Financial identifiers (e.g., IBAN, credit card numbers)
- Employee or membership identifiers
- IP addresses and online identifiers
- Any other personal data that may be present in free-text form
The Controller may also submit text containing special categories of personal data (Article 9 GDPR), including data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation. The responsibility for ensuring a lawful basis for processing such data rests solely with the Controller.
Categories of data subjects:
Determined entirely by the Controller. May include any individuals whose personal data appears in the text submitted to the Service, such as employees, customers, patients, students, members, or any other natural persons.
C. Competent supervisory authority
Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto), Lintulahdenkuja 4, 00530 Helsinki, Finland. Website: tietosuoja.fi.
Annex II: Technical and Organizational Measures
The following technical and organizational measures are implemented by the Processor to ensure the security of personal data processed under this DPA. These measures are designed in accordance with Article 32 GDPR, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing.
1. Measures of pseudonymization and encryption of personal data
- All data in transit between the Controller and the Processor is encrypted using TLS 1.2 or higher
- HSTS (HTTP Strict Transport Security) headers are enforced with a max-age of 2 years, including subdomains
- The PII Ghost and Full Ghost modes perform pseudonymization by replacing detected personal data identifiers with generic placeholders (e.g., replacing a name with "[PERSON]")
- API communications between the Processor's server and Sub-processors (AI providers) use TLS-encrypted connections with API key authentication
2. Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems
- Production server hosted in Hetzner's Helsinki data center with physical security controls, including 24/7 monitoring, biometric access controls, and environmental protections
- SSH key-based authentication required for all server access; password authentication disabled
- Firewall configured to allow only necessary inbound traffic (HTTP/HTTPS for the Service, plus SSH for the administrative access described above)
- Application-level rate limiting and abuse prevention
- Security headers enforced on all HTTP responses (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy)
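The header properties claimed in items 1 and 2 above (HSTS with a two-year max-age covering subdomains, and the CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy and Permissions-Policy headers) are the kind of thing a Controller's auditor will want to verify rather than take on trust. The following Python check is an added example, not the Service's own code: it runs offline against two constructed header sets (one strict, one weak) and returns a list of findings. The two-year threshold of 63072000 seconds and the sample header values are assumptions for the example; point the same function at the headers of a real HTTPS response to check a live deployment.

```python
"""Offline check of the security headers claimed in Annex II, items 1 and 2.
Added example; not the Service's own code. The header sets below are
constructed for the example, not captured from haamu.ai."""
from typing import Dict, List, Optional, Tuple

REQUIRED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
    "permissions-policy",
)
TWO_YEARS = 2 * 365 * 24 * 3600  # 63072000 s, the usual "2 years" HSTS max-age


def parse_hsts(value: str) -> Tuple[Optional[int], bool]:
    """Return (max_age, includeSubDomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                pass  # a malformed max-age counts as absent
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Map each Content-Security-Policy directive name to its source list."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means every claimed header is present
    and configured as Annex II describes."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing {name}" for name in REQUIRED_HEADERS if name not in h]

    if "strict-transport-security" in h:
        max_age, include_sub = parse_hsts(h["strict-transport-security"])
        if max_age is None or max_age < TWO_YEARS:
            findings.append("hsts max-age below 2 years")
        if not include_sub:
            findings.append("hsts missing includeSubDomains")

    if "x-content-type-options" in h and h["x-content-type-options"].strip().lower() != "nosniff":
        findings.append("x-content-type-options is not nosniff")

    if "x-frame-options" in h and h["x-frame-options"].strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("x-frame-options is not DENY or SAMEORIGIN")

    if "content-security-policy" in h:
        policy = parse_csp(h["content-security-policy"])
        if "default-src" not in policy:
            findings.append("csp lacks default-src")
        for name in ("default-src", "script-src"):
            sources = policy.get(name, [])
            if "'unsafe-inline'" in sources or "*" in sources:
                findings.append(f"csp {name} allows unsafe-inline or a wildcard")
    return findings


# Constructed sample responses (assumed values, not captured from the Service).
STRICT_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
    "Referrer-Policy": "no-referrer",
}

if __name__ == "__main__":
    for label, hdrs in (("strict", STRICT_HEADERS), ("weak", WEAK_HEADERS)):
        print(label, check_security_headers(hdrs) or "no findings")
```

The check is deliberately strict about the two CSP directives that decide whether injected script runs (`default-src` and `script-src`); a policy that is present but permits `'unsafe-inline'` or `*` there gives little of the protection the header's presence suggests.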
3. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- Since no personal data is stored by the Processor, data restoration is not applicable for submitted text
- Application configuration and code are maintained in version control (Git) enabling rapid redeployment
- Container-based deployment (Docker) allows rapid service recovery
- Infrastructure as code practices enable reproducible server provisioning
4. Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures
- Automated test suite (pytest) covering application functionality including PII detection accuracy
- Code linting and static analysis (Ruff) as part of the development workflow
- Dependency vulnerability monitoring
- Regular review of security headers and TLS configuration
5. Measures for user identification and authorization
- Free tier: no user accounts or authentication required; access is anonymous
- Pro tier: authentication managed through the Principal Agreement; API keys issued where applicable
- Server administration: SSH key-based access restricted to authorized personnel
6. Measures for the protection of data during transmission
- All client-to-server communication encrypted via TLS 1.2+
- All server-to-Sub-processor (AI provider) communication encrypted via TLS
- API keys for Sub-processors stored as environment variables, not in source code
- CORS policy restricts cross-origin requests to authorized domains only
7. Measures for the protection of data during storage
- The Processor does not store submitted text or personal data. Submitted text is processed in memory only and discarded after the response is returned.
- IP addresses are hashed (HMAC-SHA256, keyed) before being used for rate limiting and usage tracking. Hashed IP addresses and aggregate usage counts are stored in the application database and automatically purged after 90 days. Raw IP addresses are not persisted to disk.
- Application configuration secrets (API keys, secret keys) are stored as environment variables with restricted file permissions.
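The keyed-hash and 90-day purge approach described in this section, shown as an added illustration that is not part of the agreement or the Haamu.ai code base; it assumes the HMAC key is loaded from an environment variable and uses an in-memory dictionary in place of the application database.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=90)  # retention period stated in Annex II, section 7


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of a client IP (hex digest).

    The key is what makes this a pseudonym rather than a reversible lookup:
    without it, the small IPv4 space could be enumerated and matched.
    """
    return hmac.new(key, ip.strip().encode("ascii"), hashlib.sha256).hexdigest()


class UsageStore:
    """Stand-in for the database table holding hashed IPs and usage counts."""

    def __init__(self, key: bytes, retention: timedelta = RETENTION) -> None:
        # In production the key would come from an environment variable, e.g.
        # os.environ["IP_HASH_KEY"] (assumed name); a literal is used here for the demo.
        self._key = key
        self._retention = retention
        self._rows: dict[str, tuple[int, datetime]] = {}  # ip_hash -> (count, last_seen)

    def record(self, ip: str, now: datetime) -> str:
        """Increment the usage count for the hashed IP; the raw IP is never stored."""
        ip_hash = pseudonymize_ip(ip, self._key)
        count, _ = self._rows.get(ip_hash, (0, now))
        self._rows[ip_hash] = (count + 1, now)
        return ip_hash

    def count(self, ip: str) -> int:
        """Usage count for a raw IP, looked up via its keyed hash (used for rate limiting)."""
        return self._rows.get(pseudonymize_ip(ip, self._key), (0, None))[0]

    def purge_expired(self, now: datetime) -> int:
        """Drop rows not seen within the retention window; returns how many were removed."""
        expired = [h for h, (_, seen) in self._rows.items() if now - seen >= self._retention]
        for h in expired:
            del self._rows[h]
        return len(expired)


if __name__ == "__main__":
    store = UsageStore(b"constructed-demo-key")
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    print(store.record("203.0.113.7", t0))  # documentation-range address, constructed
    print(store.purge_expired(t0 + timedelta(days=91)))
```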
8. Measures for ensuring physical security of locations at which personal data are processed
- Server hosted in Hetzner Online GmbH data center in Helsinki, Finland, which maintains ISO 27001 certification
- Physical access to the data center is controlled by Hetzner with multi-factor authentication, biometric controls, and 24/7 security monitoring
9. Measures for ensuring events logging
- Application access logs record HTTP request metadata (timestamp, HTTP method, URL path, response status, IP address) but never log submitted text content or personal data contained therein
- Error logs capture application errors without echoing user input (error sanitization is implemented to prevent PII leakage in logs)
10. Measures for ensuring system configuration, including default configuration
- Application enforces secure defaults: API documentation disabled in production, debug mode disabled, secure secret key required
- Input validation and size limits applied to all API endpoints
- Dependencies managed through pinned requirements file
11. Measures for internal IT and IT security governance and management
- Code changes reviewed before deployment
- Version control (Git) with branch protection on the main branch
- Infrastructure changes tracked and documented
12. Measures for ensuring data minimization
- Zero data retention: no submitted text is stored
- No cookies, analytics, or tracking are used
- No user accounts required for the free tier
- In Full Ghost mode, PII is stripped locally before any data leaves EU infrastructure, minimizing the personal data transmitted to Sub-processors
- Only the minimum data necessary for rate limiting (IP address, in memory) is processed beyond the submitted text
Annex III: List of Sub-processors
The following Sub-processors are authorized by the Controller as of the date of this DPA:
1. Anthropic PBC
- Address: 548 Market St, PMB 90375, San Francisco, CA 94104, United States
- Description of processing: AI text rewriting for Style Ghost and Full Ghost modes when the Controller selects Claude as the AI provider. Anthropic receives text (which in Full Ghost mode has already been stripped of PII) and returns a rewritten version with altered stylometric characteristics.
- Processing location: EU API requests are processed within EU infrastructure (multi-region processing since September 2025). Data at rest may be stored in the United States.
- Data retention: API request data may be retained for up to 30 days for safety monitoring and abuse prevention. API data is not used for model training by default.
- Transfer mechanism: Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914)
2. OpenAI, LLC
- Address: 3180 18th Street, San Francisco, CA 94110, United States
- Description of processing: AI text rewriting for Style Ghost and Full Ghost modes when the Controller selects GPT-4.1 as the AI provider. OpenAI receives text (which in Full Ghost mode has already been stripped of PII) and returns a rewritten version with altered stylometric characteristics.
- Processing location: United States
- Data retention: API request data may be retained for up to 30 days for abuse monitoring. API data is not used for model training by default for API customers.
- Transfer mechanism: Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914)
3. Hetzner Online GmbH
- Address: Industriestr. 25, 91710 Gunzenhausen, Germany
- Description of processing: Infrastructure hosting for the Haamu.ai application server. Hetzner provides the virtual private server (VPS) on which all Haamu.ai application code runs, including PII Ghost processing. Hetzner does not access or process the content of data transmissions.
- Processing location: Helsinki, Finland (EU)
- Data retention: No application data retention by Hetzner beyond infrastructure logs as required for service operation.
- Transfer mechanism: Not applicable (processing within the EU/EEA)
4. Polar.sh (Polar Software Inc.)
- Address: As published at polar.sh/legal
- Description of processing: Payment processing and subscription management for Pro subscribers. Polar.sh acts as merchant of record and processes billing information, email addresses, and VAT details for subscription management and invoicing. Polar.sh does not receive or process any text submitted to the Service.
- Processing location: EU/US
- Data retention: As required for financial record-keeping, tax compliance, and subscription management per Polar.sh's data processing terms.
- Transfer mechanism: Standard Contractual Clauses where applicable
End of Data Processing Agreement.