DATA PROCESSING AGREEMENT (DPA) AND COMMITMENT TO PROFESSIONAL SECRECY

pursuant to Art. 28 GDPR, Section 203(4) German Criminal Code (StGB), Section 43e BRAO, Section 9 MBO-Ä, Section 62a StBerG, and Regulation (EU) 2024/1689 (EU AI Act)

KI-Shield SaaS Proxy | As of: May 2026 | Version 4.2

PART A — PREAMBLE AND CONTRACTING PARTIES

(1) This Agreement comprehensively governs the data protection, AI-regulatory and professional-secrecy obligations between the Controller and the Processor in connection with the use of the "KI-Shield" service.

(2) Processor:
KI-Shield UG (haftungsbeschränkt)
Managing Director: Johanna Bringezu
Ritterstraße 2, 99718 Greußen, Germany
Commercial Register: HRB 524511, Local Court Jena
EUID: DEY1206.HRB524511
VAT ID: DE358414171
Email: info@ki-shield.de
(hereinafter "Processor")

(3) Data Protection Officer (DPO) of the Processor: KI-Shield UG is not required to appoint a Data Protection Officer under Section 38(1) of the German Federal Data Protection Act (BDSG), as fewer than 20 persons are continuously engaged in the automated processing of personal data and there is no core activity triggering a mandatory DPIA within the meaning of Art. 37(1) GDPR. Data protection requests are handled centrally at datenschutz@ki-shield.de. A DPO will be appointed as soon as the statutory thresholds are exceeded; the Controller will be informed in that case.

(4) Controller: The contracting party that uses the KI-Shield service (hereinafter "Controller" or "Customer")

(5) This Agreement consists of the following parts:

PART B: Processing on behalf pursuant to Art. 28 GDPR

PART C: Commitment to professional secrecy (Section 203 StGB)

PART D: Profession-specific supplementary provisions

PART E: EU AI Act (Regulation (EU) 2024/1689) — shared obligations

PART F: Final provisions

Annexes: TOMs, Sub-processors, Applicable professions, DPIA information

(6) By accepting this Agreement, the Controller confirms that it has taken note of and acknowledges all parts as binding. Parts C, D and E apply automatically to all Controllers, irrespective of the actual profession or specific use case.

PART B — PROCESSING ON BEHALF (Art. 28 GDPR)

§ 1 Subject matter and duration of processing

(1) The subject matter of this Data Processing Agreement is the processing of personal data by the Processor in connection with the provision of the "KI-Shield" service — an AI chat proxy with integrated PII pseudonymisation, a B2B REST API for PII detection, and audit and compliance functionality.

(2) The duration of the processing corresponds to the term of the main agreement (subscription / usage contract). This DPA ends upon termination of the main agreement. Differentiated deletion and retention periods are set out in § 10.

§ 2 Nature and purpose of processing

(1) The processing comprises the following activities:

a) PII Detection: Automated detection of personal data in chat messages using an NLP engine (Microsoft Presidio + spaCy de_core_news_lg / en_core_web_lg, 43 recognizer categories).

b) PII Pseudonymisation: Replacement of detected personal data with consistent pseudonyms before forwarding to the AI provider.

c) Chat Processing: Forwarding of pseudonymised texts to the included default provider (Mistral AI, EU) or to AI providers configured by the Controller (BYOK), and re-pseudonymisation of responses.

d) Audit Signing: Cryptographic signing of processing records using Ed25519 + ML-DSA-65 (NIST FIPS 204).

e) B2B API: Programmatic access to PII detection and audit functions via REST API (where included in the subscribed plan).

(2) Transparency notice — Architecture Mode: During active pseudonymisation in the server-based Architecture Mode, the proxy server technically has brief access to plaintext data held in random-access memory (RAM). The plaintext data are NOT persisted and are discarded from RAM upon completion of pseudonymisation. Only pseudonymised texts are transmitted to the AI provider.

(3) Browser Mode (Zero-Knowledge): If the Controller activates the Browser Mode, pseudonymisation takes place entirely client-side in the Controller's browser. In this mode, the Processor's server at no time has access to personal data in plaintext. For professionals subject to Section 203 StGB (lawyers, doctors, tax advisors etc.), Browser Mode is expressly RECOMMENDED because it optimally safeguards the necessity principle under Section 203(3)(4) StGB (see § 13(5)).

(4) Stored data (chat messages, conversation titles, audit logs) are encrypted with a user-specific key (AES-256 via Fernet). The key is derived from the user's password using Argon2id (256-bit) and exists only in volatile memory (RAM) during an active session — never in the database.

(5) Prohibition of use for model training: Neither the Processor nor the integrated AI providers will use the data transmitted by the Controller to train, develop or improve their own AI models. The Processor has obtained contractual confirmation from Mistral AI and from all standard providers that API submissions are excluded from model training (Mistral DPA, as of April 2026, "no training on customer data"). For BYOK configurations the responsibility for configuring training opt-outs lies with the Controller; the Processor strongly recommends using only providers with a guaranteed training opt-out.

§ 3 Categories of personal data

The following categories of personal data may be processed:

  • Identification data: names, addresses, dates of birth
  • Contact data: email addresses, telephone numbers
  • Financial data: IBAN, credit card numbers, tax IDs
  • Digital identifiers: IP addresses, URLs, usernames
  • Professional and case-related data: file numbers, vehicle registration numbers, social security numbers
  • Special categories (Art. 9 GDPR): health data, biometric data, genetic data, racial/ethnic origin, political opinions, religious beliefs, trade-union membership, sex life — only to the extent transmitted by the Controller in chat messages
  • Criminal conviction data (Art. 10 GDPR): only to the extent transmitted by the Controller

All detected PII data are pseudonymised before being forwarded to external AI providers.

Note: Context-based quasi-identifiers (e.g. writing style, unique situational descriptions) are not automatically detected. Manual tagging is available for such cases.

§ 4 Categories of data subjects

The data subjects are exclusively those persons whose data the Controller transmits for processing. These may in particular include:

  • Customers and prospects of the Controller
  • Employees of the Controller
  • Business partners and suppliers
  • Clients, patients or other third parties whose data the Controller processes in input texts

§ 5 Technical and organisational measures (TOMs)

The Processor implements the following measures pursuant to Art. 32 GDPR:

5.1 Confidentiality

  • AES-256 encryption (Fernet) of all stored data with user-specific keys
  • Password-based key derivation via Argon2id (256-bit)
  • Encryption keys exist only in volatile memory (RAM), never in the database
  • TLS 1.3 for all connections (HTTPS enforced via Caddy)
  • HSTS with max-age = 63 072 000
  • Passwords stored as Argon2id hashes
  • Role-based access control (RBAC)
  • mTLS for internal service communication (Step-CA, ECDSA P-256)

5.2 Integrity

  • Cryptographic signatures (Ed25519 + ML-DSA-65) producing a tamper-resistant audit chain (hybrid signature, BSI compliant)
  • SHA-256 hash chain for audit logs
  • Daily blockchain anchoring on Polygon PoS (Chain ID 137)
  • Write-time verification after each signing

5.3 Availability and resilience

  • Daily automated backups (PostgreSQL pg_dump)
  • Offsite backup on Hetzner Storage Box (Restic, encrypted)
  • Docker containers with automatic restart (Autoheal)
  • Health-check monitoring (database, Redis, PII engine)
  • Rate limiting and DDoS protection (CrowdSec, Fail2Ban, UFW)
  • SIEM monitoring (Wazuh, Grafana, Loki)
  • Target availability: 99.5 % annual average

5.4 Regular review procedures

  • Automated PII detection tests (golden tests, 500 samples every 6 h)
  • Regular vulnerability scans (Trivy)
  • Safe-deploy procedure with pre-deploy backup and automatic rollback
  • Web application firewall (Coraza, OWASP CRS v4.13) against OWASP Top 10
  • Post-quantum cryptography already implemented (FIPS 204)

5.5 Logging

  • Complete audit logs (action, endpoint, IP, request ID, timestamp)
  • NO logging of chat contents or request/response bodies
  • Sensitive headers (Authorization, Cookies) are redacted in logs

5.6 Server location

  • Exclusively Germany (Hetzner Online GmbH, Nuremberg)
  • 8-layer security architecture (network, WAF, transport, application, data, post-quantum, zero-knowledge, SIEM)

§ 6 Obligations of the Processor

(1) The Processor shall process personal data exclusively on the documented instructions of the Controller.

(2) Instruction process:

a) General instruction: arises from this Agreement, the GTC and the configurations made by the Controller in the dashboard (e.g. choice of AI provider, enabling/disabling of PII categories, Zero-Knowledge Mode). Configuration changes are recorded in the audit log with user ID, timestamp and cryptographic signature.

b) Individual instruction: in writing or in text form by email to info@ki-shield.de. Oral instructions are permitted only in emergencies and must be confirmed by the Controller in text form within 7 days, otherwise they lapse.

c) Confirmation: The Processor confirms receipt of an individual instruction in text form within 48 hours. Implementation takes place without undue delay insofar as technically possible.

d) Conflicting instructions: Where instructions conflict, the most recent in time prevails; if no temporal order can be determined, the Processor shall inform the Controller of the conflict without undue delay and continue with the older instruction until the matter is clarified.

(3) The Processor shall inform the Controller without undue delay if it considers that an instruction infringes the GDPR or other Union or Member State data protection provisions (Art. 28(3)(3) GDPR).

(4) The Processor ensures that all persons authorised to process the data have undertaken confidentiality obligations in writing (within the meaning of the text form under Section 126b of the German Civil Code (BGB)) — see also PART C of this Agreement — and have been instructed about the criminal consequences of breaching professional secrecy.

(5) The Processor supports the Controller in fulfilling data-subject rights (Art. 15–22 GDPR) by providing:

  • Audit-log-based evidence
  • CSV/JSON export of processing records
  • Compliance reports and audit proofs
  • Deletion functionality for conversations and audit logs

(6) The Processor supports the Controller in complying with its obligations under Art. 32–36 GDPR, in particular with regard to:

  • Security of processing (Art. 32 GDPR)
  • Notification of personal-data breaches (Art. 33 GDPR)
  • Communication to data subjects (Art. 34 GDPR)
  • Data protection impact assessment (Art. 35 GDPR; see § 6a)
  • Prior consultation with the supervisory authority (Art. 36 GDPR)

(7) NOTIFICATION PERIOD FOR PERSONAL-DATA BREACHES: The Processor shall inform the Controller without undue delay, and in any case within 24 HOURS of becoming aware, of any breach of the protection of personal data (Art. 33 GDPR). This short deadline is intended to enable the Controller to comply reliably with its own 72-hour obligation towards the supervisory authority. The notification shall at minimum include: nature of the breach, categories of data and persons affected, likely consequences and the mitigating measures taken.

§ 6a Data Protection Impact Assessment (DPIA, Art. 35 GDPR)

(1) The Controller is expressly informed that the use of AI systems for processing personal data regularly requires a Data Protection Impact Assessment under Art. 35 GDPR. German supervisory authorities generally consider AI applications to pose a high risk to the rights and freedoms of data subjects.

(2) The obligation to carry out the DPIA rests with the Controller as the controller within the meaning of Art. 4(7) GDPR. A breach of this obligation may be sanctioned with fines of up to EUR 10 million or 2 % of worldwide annual turnover (Art. 83(4) GDPR).

(3) The Processor shall make available to the Controller, free of charge, all information required for the DPIA, in particular:

  • Description of the processing operations (see § 2)
  • Technologies used (see § 5)
  • Risk assessment of its own TOMs
  • Template and model for an AI-specific DPIA (available at ki-shield.eu/dpia-template)
  • Support from the DPO of the Processor, once appointed

(4) A full DPIA template can be found in Annex 4. Use of this template does not relieve the Controller of its independent assessment of its specific use case.

§ 7 Sub-processing

(1) The Controller consents to the engagement of the following sub-processors:

  • Hetzner Online GmbH | Server hosting | Nuremberg, Germany
  • Stripe Payments Europe, Ltd. | Payment processing | Dublin, Ireland (EU)
  • Mistral AI | AI inference (pseudonymised data) | Paris, France (EU)

A full and up-to-date list including all sub-sub-processors is set out in Annex 2.

(2) The Processor shall inform the Controller in advance in text form of any intended change concerning the addition or replacement of sub-processors. The Controller may object to the change within 14 days of receipt of the notification.

(3) In the event of a justified objection, the Processor is entitled to terminate the main agreement extraordinarily with a notice period of 30 days to the end of the month.

(4) Multi-tier sub-processing: The Processor shall contractually ensure that sub-processors comply with the same data protection obligations as set out in this Agreement (Art. 28(4) GDPR), including:

a) the confidentiality obligation regarding professional secrets under Section 203 StGB, to the extent applicable,

b) the prohibition on using data for model training,

c) the obligation to bind their own sub-processors to equivalent obligations (chain effect).

(5) Mistral AI as default AI provider: The Processor has concluded a DPA with Mistral AI which covers in particular: (a) processing exclusively in the EU, (b) no model training on customer data, (c) the obligation on Mistral's own sub-processors to comply with comparable standards. The current list of Mistral sub-processors is published by the Processor at ki-shield.eu/sub-processors.

(6) BYOK (Bring Your Own Key) clarification: Where the Controller configures its own AI provider via BYOK by supplying its own API key, the contractual relationship for the AI processing exists exclusively between the Controller and the chosen BYOK provider. KI-Shield acts solely as a technical intermediary that forwards pseudonymised data on behalf of the Controller and is NOT a sub-processor within the meaning of Art. 28(2) GDPR for the BYOK provider. The Controller is the sole data controller vis-à-vis its BYOK provider and remains responsible in particular for: (a) entering into any contractual arrangements (DPA, SCC) directly with the BYOK provider; (b) performing a separate Transfer Impact Assessment (TIA) where the BYOK provider is located in a third country; (c) configuring training opt-outs at the BYOK provider; (d) assessing AI Act compliance for the BYOK model. The sub-processors listed in § 7(1) and Annex 2 do NOT include BYOK providers, since these are not sub-processors of KI-Shield.

§ 8 Transfer to third countries

(1) The primary data processing (PII detection, pseudonymisation, encryption, storage) takes place exclusively on servers in Germany (Hetzner Online GmbH, Nuremberg).

(2) Transfer of pseudonymised data to AI providers in third countries (particularly the USA) only takes place where the Controller actively configures a corresponding provider via BYOK. The transmitted data contain no personal data in plaintext — only pseudonymised text that cannot be re-identified without the mapping table (which never leaves the server).

(3) For payment processing via Stripe Payments Europe, Ltd. (seat in Dublin, Ireland), processing takes place primarily in the EU. To the extent that Stripe uses technical services of its US parent company (Stripe Inc.), the following transfer mechanisms apply cumulatively:

a) Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR,

b) EU-US Data Privacy Framework (DPF) under the European Commission adequacy decision of 10 July 2023, where Stripe Inc. is certified under the DPF,

c) additional technical and organisational measures (encryption, data minimisation).

(4) The Controller is informed that it remains responsible, under its own data protection responsibility, for the permissibility of using AI providers in third countries. KI-Shield constitutes an additional technical safeguard but does not replace the Controller's own independent assessment.

§ 9 Rights of the Controller — audits and evidence

(1) The Controller has the right:

  • To inspect the TOMs (this document as well as the Record of Processing Activities at ki-shield.eu/record-of-processing)
  • To access and export audit logs and compliance reports via the dashboard
  • To request deletion of all data after termination
  • Upon request, to receive evidence of compliance with the obligations set out in this DPA

(2) Audit options: The Processor enables the Controller to demonstrate compliance with the TOMs on the following tiered basis:

a) Self-assessment via a completed TOM document (free of charge, available electronically at any time),

b) Remote audit by video conference with live viewing of configurable system components (free of charge, once per year, appointment after 14 days' notice),

c) On-site audit at the Processor's or data-centre premises (notice of at least 14 days; costs borne by the Controller unless a specific breach is the cause of the audit — in which case the Processor bears the costs),

d) Recognition of equivalent evidence: As soon as the Processor obtains corresponding attestations, these will be accepted as equivalent evidence. Eligible are in particular attestations by independent auditors under ISO 27001, SOC 2 Type II, BSI C5, ISO 27701 as well as certifications under Art. 42 GDPR and approved codes of conduct under Art. 40 GDPR. As of April 2026, the Processor does not hold any such attestations; acquisition is planned for the mid term. Until then, evidence is provided via self-assessment (a) and remote/on-site audits (b/c).

(3) The Processor is entitled to exclude trade and business secrets as well as security-relevant configuration details from audit inspection where this is necessary to protect those secrets or system security.

§ 10 Deletion, return, retention periods

(1) Differentiated deletion periods:

+--------------------------------+-------------------------------------+
| Data category                  | Deletion period                     |
+--------------------------------+-------------------------------------+
| Conversations (Free plan)      | 7 days automatic                    |
| Conversations (paid plans)     | unlimited; deletion at any time     |
|                                | via dashboard                       |
| Audit logs (operational)       | 12 months from creation             |
| Audit logs (compliance)        | 6 years (Section 257 HGB); 10 years |
|                                | for tax-relevant matters            |
|                                | (Section 147 AO)                    |
| Backups (operational)          | 30 days rolling window, then        |
|                                | automatic overwrite                 |
| Backups (offsite, Storage Box) | 90 days, then pruning               |
| Invoice and contract data      | 10 years (Section 147 AO)           |
| Authentication data            | without undue delay after           |
|                                | deletion of the user account        |
+--------------------------------+-------------------------------------+

(2) After termination of the processing, the Processor shall delete all personal data without undue delay, unless a statutory retention obligation applies. There is no right to early deletion of data subject to retention obligations.

(3) Before termination, the Controller may export all data (audit logs, conversations) as CSV/JSON via the dashboard.

(4) The Processor shall confirm the complete deletion to the Controller in writing upon request, stating the categories deleted and the times of deletion.

(5) Data-carrier destruction at the end of hardware life is performed by Hetzner Online GmbH in accordance with DIN 66399 security level 3 or higher (Hetzner data-carrier destruction process).

§ 10a Blockchain anchoring and the right to erasure

(1) The Processor anchors the audit chain daily on the public Polygon PoS blockchain (Chain ID 137). Only the SHA-256 hash of the daily audit chain endpoint is anchored.

(2) The hashes stored on the blockchain do NOT constitute personal data within the meaning of Art. 4(1) GDPR on their own:

a) Hashes are cryptographically irreversible (one-way),

b) without access to the Processor's associated database, there is no possibility of re-identification,

c) audit contents themselves are NOT transferred to the blockchain.

(3) Where a data subject exercises the right to erasure under Art. 17 GDPR, all plaintext data and audit entries stored in the Processor's database are deleted. The hashes remaining on the blockchain thereby lose any personal reference, because the possibility of re-identification disappears ("cryptographically erased" / crypto-shredding principle).

(4) Technical removal of the hashes from the blockchain is by its nature not possible; in the Processor's view, however, it is also not legally required, because the remaining hashes no longer constitute personal data. This assessment follows the recommendations of the CNIL (French supervisory authority) on blockchain and GDPR ("Solutions for a responsible use of the blockchain in the context of personal data", CNIL, 2018) and the prevailing view in the relevant legal literature.

(5) Before activation of the blockchain anchoring, the Controller is transparently informed about how it works. Deactivation at account level is possible via the dashboard; in that case, only cryptographic signatures (Ed25519 + ML-DSA-65) without public anchoring are used.
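The following is an added illustration, not KI-Shield's own code, of the two mechanisms described in § 5.2 (SHA-256 hash chain, signing with write-time verification, anchoring of the chain endpoint only) and § 10a (erasure of audit entries while the anchored hash keeps no personal reference). It assumes: HMAC-SHA256 with a constructed key as a stand-in for the Ed25519 + ML-DSA-65 hybrid signature; "anchoring" represented by exposing the current chain head hash; and a hypothetical record layout (entry, prev, hash, sig). Erasure drops the entry payload but keeps the record's hash and signature, so the links before and after the erased record can still be checked.

```python
"""Audit hash chain with write-time verification and erasure-tolerant links.

Added example only (not KI-Shield's code). Assumptions:
- HMAC-SHA256 over a constructed key stands in for the Ed25519 + ML-DSA-65
  hybrid signature described in the DPA.
- anchor() returns the chain head hash; the blockchain transaction itself is
  out of scope here. Only this 64-hex-character value would leave the system.
"""
import hashlib
import hmac
import json
from typing import Optional

GENESIS = "0" * 64  # constructed "previous hash" for the first record


def canonical(entry: dict) -> bytes:
    """Deterministic JSON so the same entry always produces the same bytes."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def link_hash(prev_hash: str, entry: dict) -> str:
    """SHA-256 over (previous hash || canonical entry): one chain link."""
    return hashlib.sha256(prev_hash.encode() + canonical(entry)).hexdigest()


class AuditChain:
    def __init__(self, signing_key: bytes):
        self._key = signing_key          # constructed stand-in for the signing key
        self.records: list = []          # hypothetical in-memory "database"
        self.head = GENESIS              # value that would be anchored daily

    def _sign(self, record_hash: str) -> str:
        return hmac.new(self._key, record_hash.encode(), hashlib.sha256).hexdigest()

    def _record_ok(self, record: dict, expected_prev: str, recompute: bool) -> bool:
        if record["prev"] != expected_prev:          # link must point at the previous hash
            return False
        if not hmac.compare_digest(record["sig"], self._sign(record["hash"])):
            return False                             # signature over the stored hash
        if recompute and link_hash(record["prev"], record["entry"]) != record["hash"]:
            return False                             # payload must still match its hash
        return True

    def append(self, entry: dict) -> str:
        """Hash, sign, then verify the record before accepting it (write-time verification)."""
        record_hash = link_hash(self.head, entry)
        record = {"entry": entry, "prev": self.head, "hash": record_hash,
                  "sig": self._sign(record_hash)}
        if not self._record_ok(record, self.head, recompute=True):
            raise RuntimeError("write-time verification failed; record rejected")
        self.records.append(record)
        self.head = record_hash
        return record_hash

    def verify(self) -> tuple:
        """Walk the whole chain. Returns (True, None) or (False, index of first bad record)."""
        prev = GENESIS
        for i, record in enumerate(self.records):
            recompute = record["entry"] is not None  # erased records keep only hash + sig
            if not self._record_ok(record, prev, recompute):
                return (False, i)
            prev = record["hash"]
        if prev != self.head:
            return (False, len(self.records))
        return (True, None)

    def anchor(self) -> str:
        """The only value that leaves the system: the chain endpoint hash, no contents."""
        return self.head

    def erase(self, index: int) -> None:
        """Erasure in the § 10a sense: drop the payload, keep hash and signature.

        The anchored hash is unchanged and, without the payload, cannot be
        related back to any person; the remaining links still verify.
        """
        self.records[index]["entry"] = None


if __name__ == "__main__":
    chain = AuditChain(b"constructed-demo-key")   # constructed key, demo only
    chain.append({"action": "login", "user": "u1", "ts": 1})   # constructed sample entries
    chain.append({"action": "export", "user": "u1", "ts": 2})
    print("anchor:", chain.anchor(), "verify:", chain.verify())
    chain.erase(0)
    print("after erasure, verify:", chain.verify())
```

Tampering with a stored entry or its signature is reported as the index of the first broken record, which is what a write-time check catches immediately and a periodic full walk catches later; erasing a record leaves the chain verifiable and the anchored head hash unchanged.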

§ 11 Liability (GDPR part)

(1) Liability is governed by Art. 82 GDPR. Each party involved in the processing is liable for damage caused by processing that does not comply with this Regulation.

(2) Mutual indemnification: If one party submits claims to damages raised by third parties against the other party on the grounds that processing infringed the GDPR, the party in whose sphere of responsibility the cause of the damage lies undertakes to indemnify the other. Where a party proves that it is in no way responsible for the cause of the damage, it is exempt from liability (Art. 82(3) GDPR).

(3) PII detection is performed on a best-effort basis. No guarantee is given of completeness of detection. The Processor uses state-of-the-art technologies but cannot guarantee complete detection of all personal data in every context.

(4) KI-Shield constitutes an additional technical safeguard within the meaning of Art. 25 and Art. 32 GDPR. KI-Shield alone does not establish full GDPR compliance — it complements the Controller's existing compliance strategy as a technical and organisational measure (TOM).

§ 11a Extraordinary right of termination of the Controller

(1) The Controller may terminate the main agreement extraordinarily without notice if the Processor:

a) intentionally or with gross negligence infringes provisions of the GDPR or of this Agreement,

b) fails to comply with a proper instruction of the Controller without justified reason or within a reasonable period,

c) persistently fails to maintain the TOMs agreed in § 5 and allows a reasonable cure period of 30 days to expire without effect,

d) fails to comply with a justified audit request under § 9.

(2) In the event of extraordinary termination, the Processor shall refund payments already made pro rata for the unused period.

(3) Claims for damages remain unaffected.

PART C — COMMITMENT TO PROFESSIONAL SECRECY (Section 203 StGB)

§ 12 Scope and purpose

(1) Insofar as the Controller is a professional secrecy holder within the meaning of Section 203 of the German Criminal Code (StGB) — or processes data subject to a statutory professional secrecy (e.g. attorney-client privilege, medical confidentiality, tax secrecy) — this PART C supplements the DPA in PART B with the professional-law obligations required.

(2) The application of this part does not depend on an express declaration by the Controller. It applies automatically and as a precaution to all Controllers in order to cover any potential transmission of professionally privileged data on a legally sound basis.

(3) The Processor is aware that it acts as a "contributing person" within the meaning of Section 203(4)(2) StGB insofar as the Controller is a professional secrecy holder.

§ 13 Confidentiality obligation and necessity

(1) The Processor and all persons acting for it undertake not to disclose without authorisation any third-party secrets — in particular secrets belonging to the private sphere, business or trade secrets — that have become known to them in the course of providing their services to the Controller.

(2) This obligation applies both during the term of the Agreement and, without limit in time, after its termination.

(3) The Processor shall use any disclosed secrets exclusively for the purpose resulting from the main agreement and this DPA (provision of the KI-Shield services).

(4) Necessity of disclosure (Section 203(3) StGB): The Processor only has disclosed to it those secrets that are strictly necessary for the proper performance of its activity. The KI-Shield architecture is deliberately designed to comprehensively safeguard the necessity principle:

a) Architecture Mode: Plaintext data do not leave the internal pseudonymisation process. They exist only for milliseconds in RAM and are then discarded automatically. Human inspection is neither intended nor technically routinely possible.

b) Browser Mode (RECOMMENDED for professional secrecy holders): Plaintext data do not leave the Controller's client at all. No secret is disclosed to the Processor in the technical or legal sense. In this mode, Section 203 StGB does not apply because the element of "disclosure" is absent.

c) Encrypted storage: Conversations are stored with user-specific keys known only to the Controller (Argon2id derivation from the password). Even the Processor's database administrators cannot decrypt stored content.

(5) Recommendation for professional secrecy holders: For lawyers, doctors, tax advisors and other professions under Section 203 StGB, the Processor strongly recommends the use of Browser Mode. This recommendation is displayed prominently in the dashboard once the Controller assigns itself to a relevant profession during onboarding.

(6) The Processor shall not make secrets accessible to third parties unless: a) the Controller has given written consent, or b) there is a statutory obligation to disclose (e.g. criminal-procedure seizure, order by a supervisory authority). In case (b), the Processor shall inform the Controller without undue delay, to the extent legally permitted.

§ 14 Information about criminal liability under Section 203 StGB

(1) The Processor is aware — and hereby confirms that it has been informed — of the criminal liability for the unauthorised disclosure of third-party secrets under Section 203 StGB.

(2) Section 203(4) StGB reads in substance: "The same penalty applies to any person who, as a contributing person, discloses a third-party secret that became known to them in the course of their activity or on the occasion of it."

(3) Penalty range: imprisonment of up to one year or a fine; in especially serious cases, imprisonment of up to two years or a fine (Section 203(6) StGB).

(4) The Processor has bound all of its own employees, external service providers and other contributing persons who may have access to Controller data in the course of providing the services to the professional secrecy in text form (within the meaning of Section 126b of the German Civil Code (BGB)) and has informed them about the criminal liability under Section 203 StGB. According to the prevailing view, text form satisfies the requirements of Section 203(4)(2) StGB and of Section 43e(4) BRAO. These commitments are documented and can be provided to the Controller upon request.

§ 15 Employee commitment and technical safeguards

(1) The Processor keeps an internal register of persons bound pursuant to § 14(4).

(2) The Processor implements the following technical and organisational measures to exclude unauthorised knowledge-taking by its own employees:

a) Architecture Mode: plaintext data only exist briefly in volatile memory during automatic pseudonymisation; no human access is provided for or possible.

b) Browser Mode: plaintext data do not leave the Controller's client — not even the Processor's employees have technical access (true Zero-Knowledge).

c) Encryption of stored data with user-specific keys (see § 5.1) — even the database administrator cannot read stored content without the relevant user's key.

d) Strict role-based access control (RBAC); four-eyes principle for production access.

e) Full audit logs of all administrative access.

§ 16 US Cloud Act and access by foreign authorities

(1) The Processor is a German legal entity established in Germany and is not subject to the US Cloud Act or comparable extraterritorial access regimes.

(2) The primary processing and storage location is Germany (Hetzner Online GmbH, Nuremberg). Any obligation to disclose data to foreign authorities exists only within the narrow limits of applicable European mutual-assistance agreements.

(3) If a third-country AI provider is used via BYOK, the Processor expressly draws attention to the risk of access by foreign authorities. In that case, only pseudonymised data are transmitted; the re-identification table remains on the Processor's servers in Germany.

PART D — PROFESSION-SPECIFIC SUPPLEMENTARY PROVISIONS

§ 17 Lawyers and bar associations (Section 43e BRAO)

(1) Insofar as the Controller is a lawyer within the meaning of the German Federal Lawyers' Act (BRAO), this Agreement additionally satisfies the requirements of Section 43e BRAO for the engagement of service providers where access to third-party secrets cannot be excluded.

(2) The Processor

a) has been expressly informed under Section 43e(4) BRAO that the unauthorised disclosure of third-party secrets is a criminal offence under Section 203 StGB,

b) undertakes to maintain confidentiality regarding all mandate secrets that come to its knowledge in the course of its activity,

c) is entitled to engage further persons to contribute, provided they have been bound in text form pursuant to § 14(4),

d) shall inform the lawyer without undue delay if a third party (e.g. an authority) requests the release of or access to mandate data.

(3) The engagement of the services is necessary within the meaning of Section 43e(1) BRAO, as it serves an efficient and data-protection-compliant mandate handling. In Browser Mode, the necessity principle is optimally safeguarded, since no mandate secrets are disclosed to the Processor.

§ 18 Medical professionals (Section 9 MBO-Ä, Section 203(1) No. 1 StGB)

(1) Insofar as the Controller is a physician, dentist, veterinarian, pharmacist or member of any other healing profession within the meaning of Section 203(1) No. 1 StGB, this Agreement additionally serves as a confidentiality undertaking within the meaning of the applicable professional codes (in particular Section 9 of the Model Professional Code of Conduct for Physicians of the German Medical Association).

(2) The Processor a) has been informed about the medical duty of confidentiality and its meaning, b) undertakes to process patient data exclusively within the scope of this Agreement, c) applies the technical and organisational measures described in § 5 and § 15 for special protection of health data (Art. 9 GDPR).

(3) For the processing of health data, Browser Mode is expressly recommended.

§ 19 Tax advisors (Section 62a StBerG)

(1) Insofar as the Controller is a tax advisor, tax agent or auditor within the meaning of the German Tax Advisers Act (StBerG), this Agreement satisfies the requirements of Section 62a StBerG.

(2) The Processor a) has been informed under Section 62a(4) StBerG about the criminal liability under Section 203 StGB, b) undertakes to maintain confidentiality regarding all mandate relationships that come to its knowledge, in particular tax-relevant data, c) guarantees that the engagement within the meaning of Section 62a(1) StBerG is necessary and appropriate in compliance with this Agreement.

§ 20 Other professions

(1) For other professions covered by Section 203 StGB (e.g. notaries, auditors, sworn accountants, members of the press chamber, social workers, psychologists, professional psychotherapists, staff of recognised counselling centres under Section 3, Section 8 SchKG), the provisions of this PART C apply accordingly.

(2) The special rules of the applicable professional codes are thereby covered.

PART E — EU AI ACT (Regulation (EU) 2024/1689)

§ 21 Roles under the AI Act

(1) Within the meaning of Regulation (EU) 2024/1689 ("AI Act" / "EU AI Act"), the Processor provides a platform that integrates third-party AI models (e.g. Mistral AI) and enriches them with proprietary functions (PII detection, pseudonymisation, audit trail). The precise role-based classification under Art. 3 AI Act (provider within the meaning of No. 3, deployer within the meaning of No. 4, or distributor within the meaning of No. 7) depends on the specific use case and is continuously reviewed by the Processor. In no case is the Processor a provider of a General-Purpose AI model (GPAI) within the meaning of Art. 51 AI Act; GPAI models are exclusively integrated from third-party providers.

(2) The Controller typically acts as a deployer within the meaning of Art. 3(4) AI Act and thereby assumes its own obligations, in particular: a) risk assessment of the specific use case, b) ensuring human oversight (human-in-the-loop), c) information and transparency towards affected data subjects, d) records of use (supported automatically by the Processor's audit system).

§ 22 Transparency obligations (Art. 50 AI Act)

(1) The Processor marks all content generated by the AI system technically and in a manner clearly recognisable to the end user as AI-generated (in particular in the chat history of the dashboard).

(2) The Processor provides machine-readable labelling of AI-generated outputs as required by Art. 50(2) AI Act. This is implemented via structured metadata (e.g. C2PA-compliant manifests in exports, JSON markings in API responses, and header fields in streaming responses).

(3) The Controller is obliged to make any further use of AI-generated content transparent to end users (Art. 50(4) AI Act).

§ 23 GPAI obligations and copyright

(1) The models used in the default provider Mistral AI meet the requirements for GPAI models under Art. 53 AI Act. The Processor confirms that Mistral AI complies with the transparency and copyright rules applicable since 2 August 2025 (public summary of training data, EU copyright compliance).

(2) When using third-party models via BYOK, the Controller is responsible for assessing the AI Act compliance of those third-party models.

§ 24 High-risk AI systems and prohibited practices

(1) KI-Shield is not designed as a high-risk AI system within the meaning of Annex III of the AI Act. The Controller is informed that the use in high-risk application areas (e.g. personnel selection, credit scoring, law enforcement) triggers additional obligations under Art. 8 ff. of the AI Act, which the Controller, as deployer, must fulfil.

(2) Prohibited practices under Art. 5 of the AI Act (e.g. social scoring, real-time biometric remote identification, manipulative influencing) are not permitted via KI-Shield. The Controller confirms that it will not use the service for such purposes. Violations entitle the Processor to extraordinary termination with immediate effect.

PART F — FINAL PROVISIONS

§ 25 Term, termination and consequences

(1) This Agreement enters into force upon electronic acceptance by the Controller and ends with the termination of the main agreement.

(2) The confidentiality obligations under PART C continue to apply beyond the end of the Agreement without any time limit.

(3) Upon termination of the main agreement, the consequences set out in § 10 of this Agreement apply.

(4) Extraordinary termination rights of the Controller are governed by § 11a, those of the Processor by § 7(3) and § 24(2).

§ 26 Written form, electronic signature

(1) This Agreement is concluded in electronic form by confirmation in the KI-Shield dashboard. This form satisfies the requirements of Art. 28(9) GDPR ("electronically") and of the text form under Section 126b BGB, which in turn meets the requirements of Section 203(4) StGB, Section 43e(4) BRAO, Section 9 MBO-Ä and Section 62a(4) StBerG.

(2) A qualified electronic signature (QES) within the meaning of the eIDAS Regulation is not required.

(3) The acceptance is documented in the audit log with cryptographic signature (Ed25519 + ML-DSA-65), timestamp, IP address and document hash. The Controller can access this evidence at any time via the dashboard.

§ 27 Applicable law, place of jurisdiction

(1) The law of the Federal Republic of Germany applies to the exclusion of the UN Convention on Contracts for the International Sale of Goods.

(2) If the Controller is an entrepreneur within the meaning of Section 14 BGB, a legal person under public law, or a special fund under public law, the exclusive place of jurisdiction for all disputes arising out of or in connection with this Agreement is the seat of the Processor (local / regional court at the seat of Greußen, Thuringia, Germany). For consumers within the meaning of Section 13 BGB, the statutory places of jurisdiction apply.

(3) The Processor is entitled to bring proceedings against the Controller at its general place of jurisdiction as well.

§ 28 Severability clause

Should individual provisions of this Agreement be or become invalid, the validity of the remaining provisions shall not be affected thereby. The invalid provision shall be replaced by the valid provision that comes closest to what was economically intended by the invalid one.

ANNEX 1 — TECHNICAL AND ORGANISATIONAL MEASURES (TOM, Art. 32 GDPR)

See detailed list in § 5 of this Agreement. Current version available online at: ki-shield.eu/tom

ANNEX 2 — SUB-PROCESSORS (Art. 28(4) GDPR)

As of: April 2026

1. Hetzner Online GmbH, Industriestraße 25, 91710 Gunzenhausen, Germany

Service: Server hosting (dedicated servers, Nuremberg, Germany)
Data categories: all data processed on the servers
Third country: No
Contractual basis: DPA in place

2. Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Dublin 2, Ireland

Service: Payment processing
Data categories: email address, payment data, billing address
Third country: use of technical sub-services of US parent company possible
Transfer mechanisms: SCCs + EU-US DPF (cumulative)

3. Mistral AI, 6 rue Ménars, 75002 Paris, France

Service: AI inference (default provider, exclusively pseudonymised data)
Data categories: pseudonymised chat content (no plaintext PII)
Third country: No (processing in the EU)
Model training on customer data: excluded (per Mistral DPA)
Mistral sub-processors: current list available on request

A fully up-to-date list of all sub-sub-processors is available at: ki-shield.eu/sub-processors

ANNEX 3 — APPLICABLE PROFESSIONS

This Agreement is primarily addressed to the following professions whose data are subject to professional secrecy under Section 203 StGB:

  • Lawyers (BRAO, Section 43e BRAO)
  • Notaries (BNotO)
  • Patent attorneys (PAO)
  • Tax advisors, tax agents (StBerG, Section 62a StBerG)
  • Auditors, sworn accountants (WPO)
  • Doctors, dentists, veterinarians, pharmacists (MBO-Ä, Section 9 MBO-Ä)
  • Professional psychologists, psychotherapists (PsychThG)
  • Staff of recognised counselling centres (Section 3, Section 8 SchKG)
  • Social workers, social pedagogues with state recognition
  • Members or delegates of a recognised press chamber
  • Private investigators (where Section 203(1) No. 6 StGB applies)

PART C applies automatically and irrespective of the actual profession context.

ANNEX 4 — DPIA INFORMATION SHEET (Art. 35 GDPR)

Note: This annex does not replace the Controller's own DPIA but provides the KI-Shield-specific information for the Controller to integrate into its own DPIA.

A. SYSTEM DESCRIPTION

  • Service: KI-Shield SaaS proxy (PII-pseudonymised AI chat)
  • Operating modes: Architecture Mode, Browser Mode (Zero-Knowledge)
  • Default AI provider: Mistral AI (EU)
  • Optional via BYOK (Controller's own provider relationship — KI-Shield is NOT a sub-processor for these, see § 7(6)): OpenAI, Anthropic, Groq, others

B. PURPOSES OF PROCESSING

  • PII detection and pseudonymisation
  • AI-assisted processing of texts / requests
  • Audit trail and compliance evidence

C. CATEGORIES OF DATA SUBJECTS AND DATA

See §§ 3, 4 of this Agreement.

D. RISK ASSESSMENT (KI-SHIELD INTERNAL VIEW)

Methodology: The following assessment follows the methodology of BSI Standard 200-3 (IT baseline risk analysis) in combination with ISO/IEC 27005 (Information Security Risk Management). Probability is rated on a four-tier scale (very low / low / medium / high).

  • Probability of unauthorised disclosure: low (Architecture Mode) to very low (Browser Mode)
  • Probability of data loss: low (multi-stage backups)
  • Probability of unauthorised access: low (8 security layers, SIEM, mTLS, Argon2id encryption)
  • Severity of potential harm to data subjects: depending on data category (Art. 9/10 GDPR: high; standard PII: medium)
  • Risk of AI hallucinations / misinformation: medium; addressed through human-in-the-loop and disclaimer

E. REMEDIAL MEASURES OF THE PROCESSOR

  • Technical measures: see § 5
  • Organisational measures: § 14, § 15
  • Contractual measures: this Agreement in its entirety

F. RECOMMENDED MEASURES OF THE CONTROLLER

  • Activate Browser Mode (especially for professional secrecy holders)
  • Use manual tagging for context-identifiers
  • Train employees on input caution
  • Keep own records of AI usage (obligation under Art. 26 AI Act as deployer)
  • Inform data subjects about the use of AI

END OF AGREEMENT

Agreement version: 4.2
As of: May 2026
Note: This version fully supersedes v1.0, v2.0, v3.0, v4.0 and v4.1. Signatures of earlier versions become invalid; Controllers must re-accept v4.2.
Changelog v4.1 → v4.2: New § 7(6) — BYOK clarification (Controller-direct relationship; KI-Shield not a sub-processor for BYOK providers); minor Annex 4 wording alignment.

Document hash (SHA-256 generated upon signing): [auto]

DPA v4.2 — synchronised with backend (services/avv.py). Updates announced per Terms § 19. Questions: privacy@ki-shield.de · Records of Processing: /processing-records