Data Processing Agreement
Version 1.0 - Effective: February 1, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Tokligence Inc. ("Processor") and the customer ("Controller") for the use of Tokligence Guard services.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Data Subject" means the individual to whom Personal Data relates.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data.
- "Data Protection Laws" means GDPR, CCPA, and other applicable data protection regulations.
2. Scope of Processing
2.1 Nature and Purpose
The Processor processes Personal Data solely to provide the Guard service, which includes detecting and redacting sensitive information in text before transmission to third-party LLM services.
2.2 Categories of Data
- Names and contact information
- National identification numbers
- Financial information (credit cards, bank accounts)
- Credentials and API keys
- Any other PII detected by the Service
2.3 Data Retention
Zero Retention Policy
Sensitive Personal Data processed for detection and redaction is NOT stored. Processing occurs in real-time and data is immediately discarded after the redaction operation completes.
3. Obligations of the Processor
The Processor agrees to:
- Process Personal Data only on documented instructions from the Controller
- Ensure persons authorized to process Personal Data are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Assist the Controller in responding to Data Subject requests
- Notify the Controller without undue delay of any Personal Data breach
- Delete or return all Personal Data upon termination of services
- Make available all information necessary to demonstrate compliance
4. Security Measures
The Processor implements the following security measures:
Encryption
- TLS 1.3 for data in transit
- AES-256 for data at rest
Access Control
- Role-based access control
- Multi-factor authentication
Monitoring
- 24/7 security monitoring
- Audit logging
Compliance
- SOC 2 Type II certified
- Annual penetration testing
5. Sub-processors
The Controller authorizes the use of the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud Infrastructure | US, EU, APAC |
| Stripe | Payment Processing | US |
| SendGrid | Email Delivery | US |
The Processor will notify the Controller of any changes to sub-processors with at least 30 days notice.
6. International Transfers
For transfers outside the EEA, the Processor ensures appropriate safeguards through:
- EU Standard Contractual Clauses (SCCs)
- Data residency options (EU, US, APAC regions available)
- Binding Corporate Rules where applicable
7. Data Subject Rights
The Processor will assist the Controller in fulfilling Data Subject requests including access, rectification, erasure, restriction, portability, and objection to processing.
8. Breach Notification
The Processor will notify the Controller of any Personal Data breach within 48 hours of becoming aware, providing all information necessary for the Controller to meet its obligations under Data Protection Laws.
9. Audits
Upon reasonable request and subject to confidentiality obligations, the Processor will make available audit reports and allow for audits conducted by the Controller or an appointed auditor.
10. Contact
For questions about this DPA or to exercise rights under Data Protection Laws:
Data Protection Officer
Email: dpo@tokligence.ai
Tokligence Inc.