Guardion.AI — AI Security and Observability Platform
This Data Processing Agreement ("DPA") forms part of the Master Services Agreement or Terms of Service (the "Agreement") between:
Customer (the "Controller" / "Business"), the entity that has executed the Agreement with Guardion.AI; and
Metatext AI LLC, a Delaware limited liability company doing business as Guardion.AI (the "Processor" / "Service Provider" / "Operator"), with its principal place of business in the United States.
Collectively referred to as the "Parties" and each a "Party."
This DPA applies to the extent that Guardion.AI processes Personal Data on behalf of the Customer in the course of providing the Guardion.AI platform and related services (the "Services") under the Agreement. This DPA is incorporated into and subject to the terms of the Agreement.
1. Background and Scope
1.1. Guardion.AI provides an AI security and observability platform designed for generative AI systems. The Services enable Customers to monitor, evaluate, and enforce guardrails on AI interactions within their applications.
1.2. In the course of providing the Services, Guardion.AI may process Personal Data on behalf of the Customer. This DPA sets out the Parties' obligations with respect to such processing.
1.3. This DPA applies to all processing of Personal Data by Guardion.AI in connection with the Services, regardless of the format or medium in which such Personal Data is processed.
1.4. This DPA supplements, and does not replace, any obligations relating to Personal Data processing that the Parties may have agreed upon in the Agreement. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to matters concerning the processing of Personal Data.
1.5. This DPA shall remain in effect for the duration of the Agreement and for as long as Guardion.AI retains any Personal Data processed on behalf of the Customer.
2. Definitions
For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalized terms not defined herein shall have the meanings ascribed to them in the Agreement.
2.1. "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including but not limited to: (a) the General Data Protection Regulation (EU) 2016/679 ("GDPR"); (b) the UK General Data Protection Regulation and the UK Data Protection Act 2018 ("UK GDPR"); (c) the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"); (d) the Brazilian General Data Protection Law, Lei Geral de Proteção de Dados ("LGPD"); and (e) any other applicable data protection or privacy laws.
2.2. "Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. Under the CCPA, the Controller is referred to as the "Business." Under the LGPD, the Controller is referred to as the "Controlador."
2.3. "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
2.4. "Personal Data" means any information relating to a Data Subject that is processed by Guardion.AI in connection with the Services. Under the CCPA, this corresponds to "Personal Information." Under the LGPD, this corresponds to "Dados Pessoais."
2.5. "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
2.6. "Processing" (and its cognates, including "process" and "processed") means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
2.7. "Processor" means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller. Under the CCPA, the Processor is referred to as the "Service Provider." Under the LGPD, the Processor is referred to as the "Operador."
2.8. "Sub-processor" means any third party engaged by Guardion.AI to process Personal Data on behalf of the Customer in connection with the Services.
2.9. "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries, as adopted by the European Commission or other competent authority.
2.10. "Services" means the Guardion.AI platform and any related services provided by Guardion.AI to the Customer under the Agreement.
3. Data Processing — Roles and Responsibilities
3.1. Customer as Controller. The Customer acts as the Controller with respect to Personal Data processed under this DPA. The Customer determines the purposes and means of the processing of Personal Data and is responsible for ensuring that it has a lawful basis for providing Personal Data to Guardion.AI for processing.
3.2. Guardion.AI as Processor. Guardion.AI acts as the Processor with respect to Personal Data processed on behalf of the Customer. Guardion.AI shall process Personal Data only in accordance with the Customer's documented instructions and applicable law.
3.3. Customer Obligations. The Customer shall:
(a) comply with all Applicable Data Protection Law in its use of the Services and its issuance of processing instructions to Guardion.AI;
(b) ensure that it has obtained all necessary consents, authorizations, and legal bases required for the lawful transfer of Personal Data to Guardion.AI;
(c) ensure that it has provided adequate notice to Data Subjects regarding the processing of their Personal Data in connection with the Services;
(d) be solely responsible for the accuracy, quality, and legality of the Personal Data provided to Guardion.AI; and
(e) acknowledge that Guardion.AI, as an AI Security Gateway, processes AI interaction content as it flows through the Services, and that Guardion.AI does not control the content that End Users submit to the Customer's AI systems. The Customer is solely responsible for implementing appropriate input controls, notices, and safeguards regarding the data that End Users submit to AI systems monitored through the Services.
3.4. Guardion.AI Obligations. Guardion.AI shall:
(a) process Personal Data only on behalf of the Customer and in accordance with the Customer's documented instructions, unless required to do so by applicable law, in which case Guardion.AI shall inform the Customer of that legal requirement before processing (unless prohibited by law from doing so);
(b) ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
(c) implement and maintain appropriate technical and organizational measures to protect Personal Data, as described in Annex C;
(d) assist the Customer in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law; and
(e) not sell, retain, use, or disclose Personal Data for any purpose other than providing the Services, and not combine Personal Data with data obtained from other sources except as necessary to provide the Services.
3.5. No Secondary Use. Guardion.AI shall not use Personal Data for any purpose other than providing the Services as instructed by the Customer. Without limitation, Guardion.AI shall not use Personal Data to train, improve, or develop any machine learning models, artificial intelligence systems, or other products or services, whether for Guardion.AI's own benefit or for the benefit of any third party.
4. Processing Instructions
4.1. Guardion.AI shall process Personal Data only in accordance with the Customer's documented instructions. The Agreement (including this DPA) constitutes the Customer's initial documented instructions for processing. The Customer may issue additional written instructions consistent with the terms of the Agreement.
4.2. If Guardion.AI reasonably believes that an instruction from the Customer infringes Applicable Data Protection Law, Guardion.AI shall promptly notify the Customer and shall be entitled to suspend performance of the relevant processing activity until the Customer modifies or confirms the instruction.
4.3. The details of the processing activities, including the subject matter, duration, nature, and purpose of processing, the categories of Personal Data, and the categories of Data Subjects, are set out in Annex A.
5. Transfer of Personal Data and Sub-processors
5.1. Data Location
Personal Data processed by Guardion.AI is stored in the United States on Google Cloud Platform ("GCP") infrastructure. By entering into this DPA, the Customer authorizes the storage and processing of Personal Data in the United States.
5.2. Authorized Sub-processors
5.2.1. The Customer provides general authorization for Guardion.AI to engage Sub-processors to assist in providing the Services, subject to the requirements set forth in this Section 5.
5.2.2. The current list of Sub-processors engaged by Guardion.AI is set out in Annex B. Guardion.AI shall make available to the Customer the current list of Sub-processors upon request.
5.2.3. Guardion.AI shall impose data protection obligations on each Sub-processor that are no less protective than those set forth in this DPA, by way of a written contract.
5.3. Notification of New Sub-processors
5.3.1. Guardion.AI shall notify the Customer in writing (including by email) at least thirty (30) days prior to engaging any new Sub-processor or replacing an existing Sub-processor.
5.3.2. The notification shall include the name and location of the proposed Sub-processor, and a description of the processing activities to be performed.
5.4. Objection to Sub-processors
5.4.1. The Customer may object to a new Sub-processor by providing written notice to Guardion.AI within fifteen (15) days of receiving notification under Section 5.3.1, setting out reasonable grounds for the objection related to data protection.
5.4.2. If the Customer objects, the Parties shall discuss the objection in good faith with a view to achieving a commercially reasonable resolution. If no resolution is reached within thirty (30) days, the Customer may terminate the affected Services without penalty by providing written notice to Guardion.AI.
5.5. Sub-processor Liability
Guardion.AI shall remain fully liable to the Customer for the performance of each Sub-processor's obligations under this DPA.
6. Data Security, Audits, and Security Notifications
6.1. Security Measures
6.1.1. Guardion.AI shall implement and maintain appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, as described in Annex C.
6.1.2. Guardion.AI shall regularly test, assess, and evaluate the effectiveness of its technical and organizational measures for ensuring the security of processing.
6.2. Personal Data Breach Notification
6.2.1. Guardion.AI shall notify the Customer without undue delay, and in any event within forty-eight (48) hours of becoming aware of a Personal Data Breach affecting the Customer's Personal Data.
6.2.2. Such notification shall include, to the extent available:
(a) a description of the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects and records concerned;
(b) the name and contact details of Guardion.AI's data protection officer or other contact point from whom more information may be obtained;
(c) a description of the likely consequences of the Personal Data Breach; and
(d) a description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
6.2.3. Where it is not possible to provide all information simultaneously, Guardion.AI shall provide the information in phases without undue further delay.
6.2.4. Guardion.AI shall cooperate with the Customer and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each Personal Data Breach.
6.3. Audits
6.3.1. Guardion.AI shall make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations set forth in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer.
6.3.2. The Customer shall provide at least thirty (30) days' prior written notice of any audit request. Audits shall be conducted during normal business hours, no more than once per twelve (12) month period (unless required by a supervisory authority or following a Personal Data Breach), and subject to reasonable confidentiality obligations.
6.3.3. Guardion.AI may satisfy audit requests by providing the Customer with relevant third-party audit reports, certifications, or summaries of its security practices, where available.
7. Access Requests and Data Subject Rights
7.1. Guardion.AI shall, taking into account the nature of the processing, assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer's obligation to respond to requests by Data Subjects exercising their rights under Applicable Data Protection Law, including but not limited to:
(a) the right of access;
(b) the right to rectification;
(c) the right to erasure ("right to be forgotten");
(d) the right to restriction of processing;
(e) the right to data portability;
(f) the right to object to processing; and
(g) the right not to be subject to a decision based solely on automated processing, including profiling.
7.2. If Guardion.AI receives a request from a Data Subject in relation to the Customer's Personal Data, Guardion.AI shall promptly notify the Customer and shall not respond to the request except on the Customer's documented instructions or as required by applicable law.
7.3. Guardion.AI shall provide reasonable cooperation and assistance to the Customer in responding to Data Subject requests, at the Customer's expense (except where such cost arises from Guardion.AI's breach of this DPA).
7.4. Response SLA. Guardion.AI shall acknowledge and begin processing Customer requests related to Data Subject rights within five (5) business days of receiving a written request from the Customer. Guardion.AI shall use commercially reasonable efforts to complete its assistance within the timeframes required by Applicable Data Protection Law.
8. Data Return and Destruction
8.1. Upon termination or expiration of the Agreement, and upon the Customer's written request made within thirty (30) days of such termination or expiration, Guardion.AI shall return to the Customer all Personal Data in its possession in a commonly used, machine-readable format, or provide the Customer with the ability to export such data through the Services.
8.2. Following the expiration of the thirty (30) day period described in Section 8.1, or upon the Customer's written instruction (whichever is earlier), Guardion.AI shall delete all Personal Data in its possession, except to the extent that applicable law requires further storage of such Personal Data.
8.3. Logical Deletion and Backup Retention. Guardion.AI performs logical deletion of Personal Data. Copies of Personal Data may persist in encrypted backup systems for up to ninety (90) days following deletion, after which they are automatically purged through Guardion.AI's standard backup retention cycle. Guardion.AI shall not actively process any such backup copies except as necessary for disaster recovery.
8.4. Upon request, Guardion.AI shall provide written certification to the Customer confirming the deletion of Personal Data in accordance with this Section 8.
9. DPIA and Prior Consultation
9.1. Guardion.AI shall provide reasonable assistance to the Customer with any data protection impact assessments ("DPIAs") and prior consultations with supervisory authorities or other competent data protection authorities, to the extent required under Applicable Data Protection Law and taking into account the nature of the processing and the information available to Guardion.AI.
9.2. Such assistance shall be provided at the Customer's expense (except where such cost arises from Guardion.AI's breach of this DPA).
10. CCPA Provisions
This Section 10 applies to the extent that the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the "CCPA"), applies to the processing of Personal Data under this DPA.
10.1. Service Provider Status. For purposes of the CCPA, Guardion.AI is a "Service Provider" and the Customer is a "Business." Guardion.AI processes Personal Information (as defined by the CCPA) on behalf of the Customer and only for the business purposes specified in the Agreement and this DPA.
10.2. Restrictions on Use. Guardion.AI shall not:
(a) sell or share (as those terms are defined by the CCPA) Personal Information received from or on behalf of the Customer;
(b) retain, use, or disclose Personal Information for any purpose other than the business purposes specified in the Agreement and this DPA, including for any commercial purpose other than providing the Services;
(c) retain, use, or disclose Personal Information outside of the direct business relationship between Guardion.AI and the Customer; or
(d) combine Personal Information received from or on behalf of the Customer with Personal Information received from other sources, except as expressly permitted by the CCPA.
10.3. Compliance Certification. Guardion.AI certifies that it understands and shall comply with the restrictions set forth in this Section 10 and the CCPA.
10.4. Right to Monitor. The Customer shall have the right to take reasonable and appropriate steps to help ensure that Guardion.AI uses Personal Information in a manner consistent with the Customer's obligations under the CCPA. Guardion.AI shall notify the Customer if it determines that it can no longer meet its obligations under the CCPA.
10.5. Consumer Rights. Guardion.AI shall assist the Customer in responding to verifiable consumer requests made pursuant to the CCPA, including requests to know, delete, and correct Personal Information.
11. LGPD Provisions
This Section 11 applies to the extent that the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, Lei nº 13.709/2018, the "LGPD") applies to the processing of Personal Data under this DPA.
11.1. Operator Status. For purposes of the LGPD, Guardion.AI acts as an Operator ("Operador") and the Customer acts as a Controller ("Controlador"). Guardion.AI processes Personal Data ("Dados Pessoais") solely on the basis of the Controller's instructions and in accordance with the LGPD.
11.2. Obligations under Article 39. In accordance with Article 39 of the LGPD, Guardion.AI, as the Operator, shall:
(a) process Personal Data strictly in accordance with the instructions provided by the Controller;
(b) maintain records of processing activities carried out on behalf of the Controller, as required by Article 37 of the LGPD;
(c) implement security measures, technical standards, and organizational measures appropriate to protect Personal Data, in accordance with Articles 46 and 47 of the LGPD;
(d) notify the Controller promptly of any security incident that may result in risk or relevant damage to Data Subjects, in accordance with Article 48 of the LGPD; and
(e) cooperate with the Controller in fulfilling the Controller's obligations under the LGPD, including responding to requests from the Autoridade Nacional de Proteção de Dados ("ANPD") and from Data Subjects.
11.3. International Transfers. To the extent that Personal Data originating from Brazil is transferred internationally, such transfer shall be conducted in accordance with Chapter V of the LGPD (Articles 33–36), including through the use of standard contractual clauses or other mechanisms approved by the ANPD. Guardion.AI adopts the following safeguards for international transfers of Brazilian Personal Data:
(a) Contractual safeguards: Data processing agreements with all Sub-processors that include obligations regarding data security, confidentiality, purpose limitation, and breach notification, aligned with ANPD guidance;
(b) Technical safeguards: Encryption in transit (TLS 1.2+) and at rest (AES-256), role-based access controls, and audit logging on all systems that process Brazilian Personal Data;
(c) Organizational safeguards: Due diligence assessments of Sub-processors, periodic compliance reviews, and contractual flow-down of data protection obligations to all downstream processors; and
(d) Risk-based approach: Transfer impact assessments conducted where required to evaluate the legal framework of the destination country and to identify and implement supplementary measures as necessary.
11.4. Data Protection Officer. Guardion.AI's Data Protection Officer may be contacted at:
Chau Sahn, email: privacy@guardion.ai
12. Standard Contractual Clauses
12.1. To the extent that the processing of Personal Data under this DPA involves the transfer of Personal Data from the European Economic Area ("EEA"), the United Kingdom, or Switzerland to a country that has not been recognized as providing an adequate level of data protection, the Parties agree that the Standard Contractual Clauses adopted by the European Commission under Commission Implementing Decision (EU) 2021/914 shall apply and are hereby incorporated by reference.
12.2. For transfers subject to the UK GDPR, the Parties agree that the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, as issued by the UK Information Commissioner's Office, shall apply.
12.3. For transfers subject to the Swiss Federal Act on Data Protection ("FADP"), the SCCs shall apply with the modifications necessary to comply with the FADP.
12.4. For the purposes of the SCCs:
(a) Module Two (Controller to Processor) shall apply;
(b) Clause 7 (the optional docking clause) is included;
(c) Under Clause 9, Option 2 (general written authorization) applies, with a prior notice period of thirty (30) days as set forth in Section 5.3 of this DPA;
(d) Under Clause 11, the optional language is not included;
(e) Under Clause 17, Option 1 applies, governed by the laws of Ireland;
(f) Under Clause 18(b), disputes shall be resolved before the courts of Ireland;
(g) Annex I of the SCCs shall be deemed completed with the information set out in Annex A of this DPA;
(h) Annex II of the SCCs shall be deemed completed with the information set out in Annex C of this DPA; and
(i) Annex III of the SCCs shall be deemed completed with the information set out in Annex B of this DPA.
12.5. In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail with respect to the transferred Personal Data.
12A. Canada Addendum (PIPEDA)
This Section 12A applies to the extent that the Personal Information Protection and Electronic Documents Act ("PIPEDA") or substantially similar provincial legislation applies to the processing of Personal Data under this DPA.
12A.1. Guardion.AI acknowledges that, in processing Personal Data of Canadian Data Subjects, it shall comply with the principles set out in Schedule 1 of PIPEDA, including accountability, identifying purposes, consent, limiting collection, limiting use, disclosure and retention, accuracy, safeguards, openness, individual access, and challenging compliance.
12A.2. Guardion.AI shall implement safeguards appropriate to the sensitivity of the Personal Data, and shall protect Personal Data against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.
12A.3. Upon request by a Canadian Data Subject, Guardion.AI shall assist the Customer in providing access to, or correction of, the Data Subject's Personal Data, in accordance with PIPEDA.
13. General Provisions
13.1. Order of Precedence. In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data. In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
13.2. Limitation of Liability. Each Party's liability under this DPA shall be subject to the limitations and exclusions of liability set forth in the Agreement.
13.3. Governing Law. This DPA shall be governed by and construed in accordance with the governing law provisions of the Agreement, except where Applicable Data Protection Law requires otherwise (including, without limitation, the governing law provisions of the Standard Contractual Clauses).
13.4. Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
13.5. Amendments. This DPA may be amended only in writing signed by both Parties, except that Guardion.AI may update Annexes B and C from time to time to reflect changes in Sub-processors and security measures, provided that such updates do not materially reduce the level of protection afforded to Personal Data.
13.6. Contact. For all inquiries regarding data protection and this DPA, the Customer may contact Guardion.AI's Data Protection Officer:
Chau Sahn, email: privacy@guardion.ai
Annex A — Processing Details
A.1. Subject Matter and Duration of Processing
| Item | Description |
|---|---|
| Subject Matter | Processing of Personal Data in connection with the provision of the Guardion.AI platform and related services. |
| Duration | For the duration of the Agreement, plus any post-termination retention period specified in Section 8 of this DPA. |
A.2. Nature and Purpose of Processing
| Purpose | Description |
|---|---|
| AI Interaction Monitoring | Collection, storage, and analysis of AI interaction logs (prompts, completions, and metadata) that flow through the Guardion.AI security gateway. Guardion.AI operates as an AI Security Gateway for AI agents and generative AI systems, processing the information contained within chats and AI agent content to monitor, evaluate, and protect Customer's AI systems against security threats, policy violations, and harmful content. |
| Guardrail Evaluation | Processing of AI interaction data to evaluate and enforce content safety, security, and compliance guardrails configured by the Customer. |
| Account Management | Processing of user account data for authentication, authorization, billing, and platform administration purposes. |
| Platform Operations | Processing necessary for the operation, maintenance, and improvement of the Services as directed by the Customer. |
A.3. Categories of Personal Data
| Category | Examples |
|---|---|
| AI Interaction Logs | Prompts, completions, and content from end-user interactions with Customer's AI systems that flow through the Guardion.AI security gateway. This includes any information users send to AI agents and any information the agents generate in response, which may contain Personal Data such as names, email addresses, or other identifiers. |
| Guardrail Evaluation Data | Results of policy evaluations, flagged content, risk scores, and related metadata associated with AI interactions. |
| User Account Data | Names, email addresses, job titles, company names, IP addresses, authentication credentials, and usage activity of Customer's authorized users of the Guardion.AI platform. |
| Technical and Operational Data | API keys (hashed), session identifiers, timestamps, log files, browser and device information, and platform usage analytics. |
A.4. Categories of Data Subjects
| Category | Description |
|---|---|
| Customer Personnel | Employees, contractors, and authorized users of the Customer who access the Guardion.AI platform. |
| End Users | Individuals who interact with the Customer's AI-powered applications that are monitored through Guardion.AI, whose Personal Data may be incidentally included in AI interaction logs. |
A.5. Retention
The retention periods below apply to Personal Data processed by Guardion.AI on behalf of the Customer (processor data). Retention periods for data collected by Guardion.AI as a controller (e.g., account registration data, billing records) are governed by the Guardion.AI Privacy Policy.
| Data Category | Retention Period |
|---|---|
| AI Interaction Logs | As configured by the Customer, or for the duration of the Agreement, whichever is shorter. |
| Guardrail Evaluation Data | As configured by the Customer, or for the duration of the Agreement, whichever is shorter. |
| User Account Data | For the duration of the Agreement, plus thirty (30) days for data return, plus ninety (90) days for backup purge cycle. |
| Technical and Operational Data | Up to twelve (12) months for operational purposes, unless a shorter period is required by law or requested by the Customer. |
Annex B — Sub-processor List
The following Sub-processors are authorized by the Customer as of the effective date of this DPA:
| Sub-processor | Purpose | Data Processed | Location | Transfer Mechanism | Security Certifications |
|---|---|---|---|---|---|
| Google Cloud Platform (GCP) | Cloud infrastructure, compute, storage, and AI interaction processing | All categories of Personal Data as described in Annex A, including AI interaction content processed through the Guardion.AI security gateway | United States | DPA + SCCs | SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018 |
| Cloudflare | Content delivery network (CDN), DDoS protection, and web application firewall | Technical and Operational Data (web traffic, DNS queries, session data) | United States (global CDN) | DPA + SCCs | SOC 2, ISO 27001, PCI DSS |
| PostHog | Product analytics | Technical and Operational Data (anonymized usage analytics) | United States | DPA + SCCs | SOC 2 |
| Sentry | Error monitoring and application performance | Technical and Operational Data (error logs, stack traces, application diagnostics) | United States | DPA + SCCs | SOC 2 |
Guardion.AI shall notify the Customer of any changes to this list in accordance with Section 5.3 of this DPA.
Annex C — Technical and Organizational Security Measures
Guardion.AI implements and maintains the following technical and organizational security measures to protect Personal Data. These measures are subject to ongoing review and improvement.
C.1. Access Control
| Measure | Description |
|---|---|
| Authentication | Multi-factor authentication (MFA) enforced for all Guardion.AI personnel accessing production systems. Role-based access control (RBAC) with least-privilege principles. |
| Authorization | Access to Personal Data is restricted to authorized personnel on a need-to-know basis. Access rights are reviewed periodically and revoked upon termination of employment or change of role. |
| Customer Isolation | Logical separation of Customer data in multi-tenant environments. Each Customer's data is accessible only to that Customer and authorized Guardion.AI personnel. |
C.2. Encryption
| Measure | Description |
|---|---|
| In Transit | All data transmitted between the Customer and Guardion.AI is encrypted using TLS 1.2 or higher. |
| At Rest | All Personal Data stored at rest is encrypted using AES-256 encryption or equivalent industry-standard algorithms. |
| Key Management | Encryption keys are managed through cloud-provider key management services with access controls and audit logging. |
C.3. Network Security
| Measure | Description |
|---|---|
| Firewalls | Network firewalls and security groups are configured to restrict inbound and outbound traffic to authorized services and ports. |
| Monitoring | Continuous network monitoring and intrusion detection systems are deployed to identify and respond to potential threats. |
| Segmentation | Production environments are logically segmented from development and staging environments. |
C.4. Application Security
| Measure | Description |
|---|---|
| Secure Development | Guardion.AI follows secure software development lifecycle (SDLC) practices, including code reviews, static analysis, and dependency vulnerability scanning. |
| Vulnerability Management | Regular vulnerability assessments and patching of systems and dependencies. Critical vulnerabilities are addressed promptly. |
| API Security | API authentication via bearer API keys, which Guardion.AI stores only in hashed form (see Annex A.3). Rate limiting and input validation are enforced on all API endpoints. |
C.5. Organizational Measures
| Measure | Description |
|---|---|
| Personnel Security | Background checks for personnel with access to Personal Data. Confidentiality agreements are executed with all employees and contractors. |
| Training | Regular data protection and security awareness training for all personnel involved in the processing of Personal Data. |
| Incident Response | Documented incident response plan with defined roles, escalation procedures, and communication protocols. Incidents are reviewed and lessons learned are incorporated into security practices. |
C.6. Business Continuity and Disaster Recovery
| Measure | Description |
|---|---|
| Backups | Regular encrypted backups of Personal Data with a ninety (90) day retention cycle. Backups are tested periodically for integrity and recoverability. |
| Redundancy | Production infrastructure is deployed with redundancy to ensure high availability. |
| Recovery | Documented disaster recovery procedures with defined recovery time and recovery point objectives. |
C.7. Logging and Audit Trail
| Measure | Description |
|---|---|
| Audit Logging | Guardion.AI maintains audit logs of access to and actions performed on Personal Data, including: user identity, timestamp, action performed, IP address, and affected resources. |
| Log Retention | Audit logs are retained for a minimum of twelve (12) months and are available to support Customer audit and compliance requirements. |
| Log Integrity | Audit logs are stored in append-only or tamper-evident formats and are protected against unauthorized modification or deletion. |
| Log Access | Access to audit logs is restricted to authorized security and operations personnel. Customers may request audit log extracts relevant to their data upon reasonable written request. |
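One way to realize the C.7 measures in code, added here as an illustration (it is not Guardion.AI's code; the entry field names, the sample actors, IP addresses and tenant resource paths are assumptions). Each entry carries the fields the table lists and a SHA-256 over its own canonical JSON plus the previous entry's hash, so editing, deleting or reordering an entry breaks the chain; comparing the head hash with a copy anchored outside the writer's control catches silent truncation of the tail.

```python
"""Hash-chained, tamper-evident audit log (added example, not Guardion.AI code).

Entries record actor, timestamp, action, client IP and affected resources
(the C.7 fields). Each hash commits to the entry's own fields and to the
previous entry's hash. All sample data below is constructed.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry


def _canonical(fields: dict) -> bytes:
    # Sorted keys and no whitespace: identical fields always hash identically.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def append_entry(log: list, *, actor: str, action: str, client_ip: str,
                 resources: list, timestamp: str) -> dict:
    """Append one entry whose hash commits to its fields and the previous hash."""
    body = {
        "seq": len(log),
        "prev_hash": log[-1]["hash"] if log else GENESIS,
        "actor": actor,
        "timestamp": timestamp,
        "action": action,
        "client_ip": client_ip,
        "resources": sorted(resources),
    }
    entry = dict(body, hash=hashlib.sha256(_canonical(body)).hexdigest())
    log.append(entry)
    return entry


def verify_chain(log: list):
    """Walk the log from the start; return (True, None) or (False, first_bad_seq)."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev_hash") != prev_hash:
            return False, i  # reordered, inserted or deleted entry
        if hashlib.sha256(_canonical(body)).hexdigest() != entry.get("hash"):
            return False, i  # a field was edited in place
        prev_hash = entry["hash"]
    return True, None


def head_hash(log: list) -> str:
    return log[-1]["hash"] if log else GENESIS


def verify_head(log: list, anchored_head: str) -> bool:
    """Compare against a head hash kept outside the writer's reach (e.g. a
    separate write-once store); this is what detects truncation of the tail."""
    return verify_chain(log)[0] and head_hash(log) == anchored_head


def build_sample_log() -> list:
    """Constructed sample: three access events on a hypothetical tenant."""
    log = []
    append_entry(log, actor="ops@example.com", action="read",
                 client_ip="203.0.113.10", timestamp="2026-03-01T10:00:00Z",
                 resources=["tenant/acme/logs/2026-03-01"])
    append_entry(log, actor="ops@example.com", action="export",
                 client_ip="203.0.113.10", timestamp="2026-03-01T10:05:00Z",
                 resources=["tenant/acme/logs"])
    append_entry(log, actor="dpo@example.com", action="delete",
                 client_ip="198.51.100.7", timestamp="2026-03-02T09:00:00Z",
                 resources=["tenant/acme"])
    return log


def edited_copy(log: list) -> list:
    bad = copy.deepcopy(log)
    bad[1]["actor"] = "nobody@example.com"  # rewrite who performed the export
    return bad


def deleted_copy(log: list) -> list:
    bad = copy.deepcopy(log)
    del bad[1]  # drop the export event entirely
    return bad


def truncated_copy(log: list) -> list:
    return copy.deepcopy(log[:-1])  # drop only the most recent event


if __name__ == "__main__":
    log = build_sample_log()
    anchor = head_hash(log)
    print("intact:", verify_chain(log))
    print("edited:", verify_chain(edited_copy(log)))
    print("deleted:", verify_chain(deleted_copy(log)))
    print("truncated, chain only:", verify_chain(truncated_copy(log)))
    print("truncated, with anchor:", verify_head(truncated_copy(log), anchor))
```

The chain by itself only proves that the file is internally consistent: an attacker who can rewrite the whole file can recompute every hash. The control only becomes tamper-evident when the head hash is periodically copied to a location the log writer cannot modify (or the per-entry hash is replaced by an HMAC under a key the writer host does not hold) and verification runs on a schedule against that anchor.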
C.8. Data Minimization and Retention
| Measure | Description |
|---|---|
| Data Minimization | Guardion.AI processes only the minimum Personal Data necessary to provide the Services. |
| Retention Controls | Automated retention and deletion mechanisms are in place to ensure Personal Data is not retained beyond the periods specified in Annex A. |
| Logical Deletion | Deletion of Personal Data is performed logically, with backup copies purged through the standard ninety (90) day backup retention cycle. |
This Data Processing Agreement is effective as of the date the Customer accepts the Agreement or begins using the Services, whichever is earlier.
Metatext AI LLC (d/b/a Guardion.AI)
Data Protection Officer: Chau Sahn, email: privacy@guardion.ai
Last Updated: March 2026