As of: March 27, 2026
Data Processing Agreement (DPA)
pursuant to Art. 28 Para. 3 of Regulation (EU) 2016/679 (General Data Protection Regulation — GDPR)
between
the user of the Aegis service — including the Chrome extension and the website demo (hereinafter "Controller")
and
Kaino GmbH
Grabenweg 68, 4th Floor E5_2
6020 Innsbruck, Austria
UID: ATU77867578 · FN: 573644w
Email: aegis@kaino.io
(hereinafter referred to as the "Processor")
— hereinafter collectively referred to as the "Parties" —
§ 1 Subject Matter and Duration of Processing
1.1 Subject Matter
This agreement governs the rights and obligations of the parties in connection with the processing of personal data by the processor on behalf of the controller. It specifies the data protection obligations of the parties arising from the use of the Aegis service—including all plans (PLUS, PRO, and ENTERPRISE) as well as the website demo offered on the product page ("Try It").
The Processor shall process personal data exclusively on documented instructions from the Controller (Art. 28 Para. 3 lit. a GDPR), unless required to do so by Union law or the law of the Member State to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
1.2 Duration
For subscribers, this agreement takes effect upon conclusion of the subscription (Aegis PLUS or Aegis PRO) and terminates automatically upon termination of the subscription, regardless of the reason. For use of the website demo, this agreement takes effect upon uploading a document and terminates upon completion of the respective processing. The obligations under §§ 5, 7, 8, and 10 continue beyond the end of the agreement, with the audit right pursuant to § 8 limited to 60 days after the end of the agreement.
§ 2 Nature and Purpose of Processing
2.1 Purpose
Detection and anonymization of personal data in the controller's documents using AI-powered processing before these documents are transmitted to AI chat platforms (such as ChatGPT, Claude, or Gemini).
2.2 Nature of Processing
- Receipt of encrypted document content (HTTPS/TLS)
- AI-powered detection of personal data (Named Entity Recognition)
- OCR processing for image files (PNG, JPEG, TIFF)
- Removal of embedded metadata from image files
- Replacement of detected personal data with placeholders
- Return of the anonymized text and placeholder mapping to the Controller
2.3 No Storage
Document content is not stored by the Processor after processing. Processing takes place exclusively in memory (in-memory processing). After the result is returned, all document data is immediately deleted.
2.4 No Model Training
Document contents are not used by the processor or by the subprocessors listed in § 6.1 for training or improving AI models.
§ 3 Types of Personal Data and Categories of Data Subjects
3.1 Types of Personal Data
The Controller's documents may contain, in particular, the following categories of personal data:
- Names (first and last names, academic titles)
- Contact details (email addresses, phone numbers, postal addresses)
- Identification numbers (social security numbers, ID card numbers)
- Financial information (credit card numbers, bank details)
- Dates of birth
- IP addresses
- Other personal data contained in documents
Special categories of personal data (Art. 9 GDPR): The Controller is responsible for ensuring that the processing of special categories of personal data (e.g., health data, biometric data) only takes place if there is a legal basis pursuant to Art. 9 Para. 2 GDPR. The Processor cannot technically determine the presence of such data in advance.
3.2 Categories of Data Subjects
Depending on the Controller's documents, the following may be affected:
- Employees and applicants of the Controller
- Customers and business partners of the Controller
- Patients, clients, customers
- Other natural persons named in documents
§ 4 Obligations of the Controller
The Controller is solely responsible for the lawfulness of processing personal data. In particular, the Controller ensures:
- that they have an appropriate legal basis for transmitting third-party personal data to the Processor (e.g., Art. 6 Para. 1 lit. f GDPR — legitimate interest in anonymization);
- that they have informed the data subjects about the processing, insofar as this is reasonable and legally required (Art. 13, 14 GDPR);
- that they have independently assessed the risks to the rights and freedoms of data subjects before transmission;
- that instructions to the Processor comply with the GDPR.
§ 5 Obligations of the Processor
5.1 Adherence to Instructions
The Processor shall process personal data exclusively on documented instructions from the Controller — including with regard to the transfer of personal data to a third country or an international organization —, unless required to do so by Union law or the law of the Member State to which the Processor is subject (Art. 28 Para. 3 lit. a GDPR).
The use of the Aegis service in accordance with the applicable terms of use constitutes the documented instruction of the Controller. Further individual instructions require written form (email sufficient) to aegis@kaino.io.
5.2 Confidentiality
The Processor shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28 Para. 3 lit. b GDPR).
5.3 Technical and Organizational Measures
The Processor shall implement all technical and organizational measures required by Art. 32 GDPR to ensure a level of security appropriate to the risk. The measures are described in Annex 1 (at the end of this Agreement).
5.4 Support for the Controller
The Processor shall assist the Controller, taking into account the nature of the processing:
- in fulfilling the obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR (Art. 28 Para. 3 lit. e GDPR);
- in ensuring compliance with the obligations referred to in Articles 32 to 36 GDPR (security of processing, notification of a personal data breach, data protection impact assessment, prior consultation) (Art. 28 Para. 3 lit. f GDPR).
5.5 Notification of Data Breaches
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach (Art. 33 Para. 2 GDPR). The notification shall at least:
- describe the nature of the breach;
- communicate the categories and approximate number of data subjects and data records concerned;
- describe the likely consequences;
- describe the measures taken or proposed.
The notification shall be sent by email to the Controller's email address stored during the subscription. For users of the website demo whose email address is not known to the processor, notification shall be made by publication on the processor's website.
5.6 Information on Unlawful Instructions
The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other data protection provisions (Art. 28 Para. 3 Subpara. 2 GDPR).
§ 6 Sub-processors
6.1 Approved Sub-processors
The Controller hereby grants the Processor a general written authorization to engage the following sub-processors (Art. 28 Para. 2 GDPR):
| Sub-processor | Purpose | Location |
|---|---|---|
| OVHCloud SAS, Roubaix, France | AI-powered anonymization and OCR processing of document contents (Zero Data Retention) | EU (France) |
| Scaleway SAS, Paris, France | AI-powered anonymization and OCR processing of document content (Zero Data Retention) | EU (France) |
| Hetzner Online GmbH, Gunzenhausen, Germany | Server hosting and API infrastructure (aegis.kaino.io) |
Germany |
| Raidboxes GmbH, Münster, Germany | Website hosting and processing of demo document uploads | Germany |
The processor has concluded agreements with all subprocessors pursuant to Art. 28(4) GDPR, imposing upon them the same data protection obligations as set forth in this agreement.
6.2 Changes to Sub-processors
The Processor shall inform the Controller in advance of any intended addition or replacement of sub-processors and shall give the Controller the opportunity to object to these changes (Art. 28 Para. 2 GDPR).
Information shall be provided by updating the sub-processor list on the Processor's website (kaino.io/aegis/privacy, Section 7) and by email to the Controller at least 30 days before the intended change.
If the Controller raises a justified objection within 30 days of notification, the Parties shall endeavor to find an amicable solution. If no agreement can be reached, the Controller shall have an extraordinary right to terminate the subscription.
6.3 No Third Country Transfer
All document processing takes place exclusively within the EU/EEA. The Processor does not transfer any document content to third countries.
§ 7 Deletion and Return of Data
7.1 During Processing
Document content is immediately and automatically deleted after anonymization is complete. No permanent storage of document content occurs.
7.2 After Termination of the Agreement
The Processor shall delete within 30 days after termination of the subscription all personal data related to the data processing, unless retention is required by Union law or the law of the Member State (Art. 28 Para. 3 lit. g GDPR).
Since no document content is permanently stored, deletion is limited to:
- Customer master data (email address, name, company name): Irreversible anonymization within 30 days after termination of the subscription
- Usage statistics: Anonymization within 30 days after termination of the subscription
- Server access logs: Automatic deletion after 30 days
§ 8 Audit and Inspection Rights
8.1 Controller's Right of Audit
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and allow for and contribute to audits — including inspections — conducted by the Controller or another auditor mandated by the Controller (Art. 28 Para. 3 lit. h GDPR).
8.2 Implementation
Audits shall be conducted under the following conditions:
- Written notice at least 30 days in advance (email sufficient)
- Conducted during normal business hours
- The auditor is bound by confidentiality
- The audit must not disproportionately impair the Processor's operations
- Maximum one audit per calendar year, unless a specific reason requires an additional audit
8.3 Proof of Compliance
The Processor may also demonstrate compliance with its obligations by submitting a current certificate, an audit report, or an excerpt thereof from an independent auditor.
§ 9 Liability
The liability of the Parties shall be governed by Art. 82 GDPR. In all other respects, the general liability provisions of the Aegis Terms of Use shall apply.
§ 10 Final Provisions
10.1 Precedence
In the event of contradictions between this DPA and other agreements between the Parties — including the Terms of Use — this DPA shall take precedence with regard to the protection of personal data.
10.2 Amendments
Amendments to this Agreement require text form. Material changes will be communicated to the Controller at least 30 days before they take effect. If the Controller does not object within 30 days of notification, the amendment shall be deemed accepted.
10.3 Applicable Law and Jurisdiction
This Agreement is governed by Austrian law. The place of jurisdiction is Innsbruck, Austria, to the extent permitted by law.
10.4 Severability Clause
Should any provision of this Agreement be invalid or unenforceable, the remaining provisions shall remain unaffected. The invalid provision shall be replaced by a valid one that comes closest to the economic purpose.
Annex 1: Technical and Organizational Measures (Art. 32 GDPR)
Kaino GmbH does not operate its own data centers. Physical security measures (access control, power supply, fire protection, climate control) are provided by the infrastructure providers Hetzner Online GmbH (Germany, ISO 27001), OVHCloud SAS (France, ISO 27001), and Scaleway SAS (France, ISO 27001). For their technical and organizational measures, we refer to:
- Hetzner Online GmbH: hetzner.com/de/legal/privacy-policy
- OVHCloud SAS: ovhcloud.com/de/personal-data-protection
- Scaleway SAS: scaleway.com/en/privacy-policy
Kaino GmbH is responsible for the following application-side measures:
1. Transient Processing (Core Security Feature)
Document content is processed exclusively in memory (in-memory processing) and immediately discarded after the result is returned. No permanent storage of document content occurs. This architectural principle eliminates significant risks associated with data retention: in the event of a system failure, no document data is lost because none is stored. The zero data retention principle applies consistently throughout the entire processing chain—including the subprocessors OVHCloud and Scaleway.
Data minimization through rule-based preprocessing: Before transmission to AI-powered processing, Kaino GmbH performs server-side rule-based preprocessing in which already identified personal data (e.g., names, email addresses, phone numbers) are replaced with placeholders. The content transmitted to the AI models is therefore already partially anonymized, thereby reducing the amount of personal data processed by subprocessors to the technically necessary minimum.
2. Confidentiality (Art. 32 Para. 1 lit. b GDPR)
| Measure | Implementation |
|---|---|
| Access Control | API access exclusively with a valid product key; no anonymous access |
| Authorization Control | Server access restricted to a narrowly defined group of people; access via SSH with key authentication; two-factor authentication (2FA) for all systems; principle of least privilege |
| Separation Control | Client separation through individual product keys; no cross-client data processing |
| Confidentiality Obligation | All persons with access to personal data are bound by confidentiality (§ 5.2 of this Agreement) |
3. Integrity (Art. 32 Para. 1 lit. b GDPR)
| Measure | Implementation |
|---|---|
| Transfer Control | Exclusively encrypted transmission (HTTPS/TLS); no unencrypted connections |
| Input Control | Logging of API access (server access logs, 30-day retention) |
4. Availability and Resilience (Art. 32 Para. 1 lit. b, c GDPR)
Availability and resilience are ensured by the infrastructure providers (redundant power supply, network connectivity, air conditioning). Since no document content is permanently stored, backup and recovery procedures for document data are not necessary.
5. Encryption and Pseudonymization (Art. 32 Para. 1 lit. a GDPR)
| Measure | Implementation |
|---|---|
| Transport Encryption | HTTPS/TLS for all API communication |
| Storage Encryption | Encryption-at-Rest for customer master data (email address, name, company name) |
| Pseudonymization | Core function of the service: replacement of personal data with placeholders |
6. Review (Art. 32 Para. 1 lit. d GDPR)
| Measure | Implementation |
|---|---|
| Regular review | Annual assessment of the effectiveness of technical and organizational measures |
| Event- and Change-Related Review | Review of technical and organizational measures in case of infrastructure changes, security incidents, and changes to sub-processors |
| Order Control | DPAs concluded with all sub-processors; review in case of contract changes or provider changes |
