
Data Processing Agreement

Effective Date: February 27, 2026 · Last Updated: February 27, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between LeakShield Technologies LLC, d/b/a LeakGuard AI ("Processor," "we," "us") and the entity or individual agreeing to these terms ("Controller," "you," "Customer") for the provision of the LeakGuard AI revenue leak detection platform ("Service").

This DPA applies to the extent that we process Personal Data on your behalf as a data processor within the meaning of the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), or comparable data protection legislation.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
  • "Processing" means any operation performed on Personal Data, as defined in Article 4(2) GDPR.
  • "Sub-Processor" means a third party engaged by us to process Personal Data on your behalf.
  • "Data Subject" means the identified or identifiable person to whom the Personal Data relates.
  • "Standard Contractual Clauses" (SCCs) means the contractual clauses approved by the European Commission for the transfer of Personal Data to third countries (Commission Implementing Decision (EU) 2021/914).

2. Scope and Role of the Parties

2.1 You are the Controller of Personal Data submitted to the Service. We are the Processor and will only process Personal Data on your documented instructions.

2.2 The categories of Personal Data processed and the purposes of processing are described in Annex 1 below.

2.3 We will not process Personal Data for any purpose other than as necessary to provide the Service, unless required by applicable law. In such a case, we will inform you of that legal requirement before processing, unless legally prohibited from doing so.

3. Controller Obligations

3.1 You represent and warrant that: (a) you have a lawful basis under Article 6 GDPR for each processing activity; (b) you have provided appropriate notices to, and where required obtained valid consent from, Data Subjects; and (c) your instructions to us comply with applicable data protection law.

3.2 You are responsible for ensuring the accuracy, quality, and legality of the Personal Data you provide to us.

4. Processor Obligations

4.1 Confidentiality. We ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.2 Security Measures. We implement and maintain appropriate technical and organizational measures to protect Personal Data, as described in Annex 2.

4.3 Assistance. Taking into account the nature of the processing, we will assist you by appropriate technical and organizational measures, insofar as possible, to fulfil your obligations to respond to Data Subject requests exercising their rights under Chapter III GDPR.

4.4 Breach Notification. We will notify you without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach. The notification will include the nature of the breach, the categories and approximate number of Data Subjects concerned, the likely consequences, and the measures taken or proposed to address the breach.

4.5 Deletion or Return. Upon termination of the Service or upon your written request, we will delete all Personal Data processed on your behalf within 30 days, unless applicable law requires further storage. We will provide written confirmation of deletion upon request.

4.6 Audit Rights. We will make available to you all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you. Audits may be conducted once per year with 30 days' prior written notice during normal business hours.

5. Sub-Processors

5.1 You provide general authorization for us to engage Sub-Processors listed in Annex 3. We will inform you of any intended changes to Sub-Processors (additions or replacements) by updating this page and notifying you via email at least 14 days before the change takes effect.

5.2 You may object to a new Sub-Processor by notifying us in writing within 14 days of receiving notice. If we cannot reasonably accommodate your objection, you may terminate the affected Service without penalty.

5.3 We impose data protection obligations on each Sub-Processor that are no less protective than those in this DPA, ensuring in particular that the Sub-Processor provides sufficient guarantees to implement appropriate technical and organizational measures.

6. International Transfers

6.1 The Service is hosted in the United States (AWS US East). To the extent that Personal Data is transferred from the EEA, UK, or Switzerland to the United States, the transfer is governed by the EU-U.S. Data Privacy Framework and, where applicable, the Standard Contractual Clauses (Module 2: Controller to Processor) as approved by the European Commission.

6.2 We will cooperate in good faith to implement any additional safeguards required by applicable supervisory authorities to ensure an adequate level of protection for transferred Personal Data.

7. Liability

7.1 Each party's liability arising out of or related to this DPA is subject to the limitations of liability set forth in the Agreement.

7.2 We will indemnify you against any direct damages, fines, or penalties imposed by a supervisory authority that result directly from our breach of this DPA or our failure to comply with applicable data protection law, to the extent that such damages, fines, or penalties are not attributable to your instructions or actions.

8. Term and Termination

This DPA takes effect when you begin using the Service and continues for as long as we process Personal Data on your behalf. Provisions that by their nature should survive termination (including Sections 4.5, 4.6, and 7) will survive.


Annex 1 — Description of Processing

Categories of Data Subjects: Customer's employees, contractors, and business contacts whose information is submitted to the Service
Categories of Personal Data: Name, email address, company name, job title/role, IP address, browser metadata, session identifiers. Business data (financial summaries, pricing, contracts, revenue metrics) may contain incidental personal data.
Processing Activities: Account management, authentication, AI-powered revenue analysis, report generation, billing, customer support, security monitoring
Purpose of Processing: Provision of the LeakGuard AI revenue leak detection and optimization Service
Duration: For the term of the Agreement plus 30 days for deletion

Annex 2 — Technical and Organizational Measures

  • Encryption in transit: TLS 1.2+ for all external connections (HTTPS enforced)
  • Authentication: Email/password with bcrypt hashing, TOTP-based two-factor authentication, API key authentication with SHA-256 hashing
  • Access control: Role-based access control (RBAC) with admin/client separation, multi-tenant data isolation
  • Session security: HttpOnly, Secure, SameSite=Strict cookies; Redis-backed sessions
  • Network security: HTTPS-only with HSTS, internal services bound to localhost, firewall restricting SSH access
  • Application security: CSRF protection, Content Security Policy, X-Frame-Options, rate limiting, input validation
  • Monitoring: Prometheus metrics, Grafana dashboards, automated alerting (email + Telegram)
  • Breach notification: Within 72 hours of discovery
  • Data minimization: Only essential cookies (session + CSRF), no tracking or advertising

Annex 3 — Authorized Sub-Processors

Sub-Processor | Purpose | Location | Data Processed
Amazon Web Services (AWS) | Cloud hosting and infrastructure | United States (US East) | All Service data (encrypted at rest and in transit)
Stripe, Inc. | Payment processing and billing | United States | Customer name, email, billing address, payment details
OpenAI, Inc. | AI-powered business data analysis | United States | Business context data only (financial summaries, pricing, contracts). No personal identifiers transmitted. Zero data retention by provider.
OpenRouter (Mash Computer Science LLC) | AI model routing for business analysis | United States | Business context data only. No personal identifiers transmitted. Zero data retention by provider.
Resend, Inc. | Transactional email delivery | United States | Recipient email address, email content

Last updated: February 27, 2026. Changes to this list will be communicated 14 days in advance via email notification.


Contact

For questions about this DPA or to exercise your rights:

LeakShield Technologies LLC, d/b/a LeakGuard AI
Data Protection Contact: privacy@leaksshield.com
Website: https://leaksshield.com

© 2026 LeakGuard AI. All rights reserved.