Legal · DPA

Data Processing Addendum.

A pre-counter-signed GDPR / UK-GDPR Article 28 DPA, ready to be incorporated by reference into your Master Service Agreement or order form. Most procurement teams accept it as-is; bespoke edits go through legal@cloakapi.io.

Template version 3.1 · Compatible with EU SCCs 2021/914 (Module 2) and the UK International Data Transfer Addendum (ICO v B1.0) · Healthtech / MDR / NHS DSPT addendum included

Executive summary

This DPA names CloakAPI AS as the Processor and the customer (you) as the Controller. The unique architecture means the categories of personal data we process are limited to account/billing identifiers and operational telemetry — for the client-side ways the prompt and response payloads are tokenised on the customer device before they reach our infrastructure, and the gateway is a blind token relay that forwards only those tokens (it does not inspect, detect, or tokenise content on our servers), so the underlying content is not within our processing scope.

Counter-signed version available. The PDF below is signed by Yrjan Klokk (CEO & DPO). Sign as Controller and email it to legal@cloakapi.io; we'll return a fully-executed copy within two business days.
CloakAPI DPA v3.0 (PDF)
SHA-256 64a1...c8e3 · 11 pages · counter-signed 2026-04-01
Request copy

1. Subject matter & duration

The Processor processes Personal Data on behalf of the Controller for the duration of the underlying Service Agreement. Processing terminates when the Service Agreement ends, subject to the retention windows below.

2. Nature & purpose

Processing serves the operation of a privacy-preserving AI gateway: tokenising prompts client-side, routing redacted prompts to AI providers, returning responses, billing usage, and producing the cryptographic receipt chain.

3. Categories of data subjects

4. Categories of personal data

CategoryExamplesSource
Account identifiersName, email, organisation, country, roleController signup form
Billing dataAddress, VAT ID, Stripe customer referenceController portal
Authentication artefactsHashed password, MFA, IP, session metadataController usage
Operational telemetryRequest timestamp, route, latency, byte countGateway runtime
Receipt chain entriesHash digests, ECDSA signatures, sequence numbersGateway runtime

5. Sub-processor list

The full live list (14 entries) is at /legal/subprocessors with 30-day change-notification subscription. The DPA incorporates that list by reference, and customers can object to new sub-processors within the notification window per Art. 28(2).

6. Technical & organisational measures (Annex II)

7. International transfers (Annex III)

The Processor's gateway runs in Hetzner Nuremberg (EU). Where customers route to non-EU providers (e.g. Anthropic US, OpenAI US), transfers are covered by:

Supplementary measures: client-side tokenisation on the customer's device (in-browser WebAssembly for the chat and extension, native Rust in the desktop app) strips direct identifiers (and special-category signals — see §12 below) before the data leaves the EU, and the gateway is a blind token relay that forwards only those tokens without inspecting or detecting content on our servers; the receipt chain proves what was redacted. A separate Transfer Impact Assessment (TIA) is available on request for UK and US destinations.

8. Audit rights

The Controller may, at its own cost, audit the Processor's compliance with this DPA once per year on 30 days' written notice. The Processor will make available any applicable compliance reports or attestations in lieu of on-site audits where reasonable.

9. Data-breach notification

The Processor notifies the Controller within 48 hours of becoming aware of a personal-data breach affecting Controller data, with the information needed for the Controller to meet its 72-hour Art. 33 obligation.

10. Return / deletion on termination

On termination, the Controller can export account data via the portal API. After a 30-day window, residuals are erased. Bookkeeping rows mandated by Norwegian law (5-year retention) are pseudonymised.

11. NIS2 Article 21 supply-chain risk-management measures

Where the Controller is an essential or important entity under Directive (EU) 2022/2555 (NIS2), CloakAPI as a processor and ICT third-party service provider commits to the supply-chain risk-management measures in Article 21(2):

This section is anchored at /legal/dpa#nis2 and may be referenced from procurement questionnaires (DORA, NIS2, ENISA), supplier-risk attestations, and ICT-third-party registers.

12. Article 9 (special category) data — GDPR & UK-GDPR

"Special category" data under GDPR / UK-GDPR Article 9(1) (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; genetic data, biometric data for the purpose of uniquely identifying a natural person; data concerning health; data concerning a natural person's sex life or sexual orientation) and equivalent "sensitive personal data" under the Data Protection Act 2018 are processed by the Processor only in tokenised form. The client-side tokeniser running on the Controller's device (in-browser WebAssembly, or native Rust in the desktop app) replaces Article 9 indicators with deterministic placeholders before the prompt is transmitted, and the gateway blind-relays only those tokens without inspecting content on our servers; the Processor never sees, stores, or transmits the underlying special-category bytes in the clear.

Where the Controller is a healthcare provider, medical-device manufacturer, or clinical-research organisation processing health data under Article 9(2)(h) (provision of health or social care), 9(2)(i) (public-health interest) or 9(2)(j) (scientific research), the Processor commits to:

Anchor: /legal/dpa#article-9. Cross-references: §6 (TOMs), §13 (Right to erasure), §14 (MDR Art. 14), §15 (NHS DSPT alignment).

13. Article 17 right to erasure (GDPR & UK-GDPR)

The Processor implements Article 17 ("right to be forgotten") for every data subject whose personal data the Processor holds in identifiable form. Mechanics:

Anchor: /legal/dpa#article-17.

14. MDR Article 14 commitment — healthtech / medical-device customers

Where the Controller is a manufacturer or distributor of medical devices subject to Regulation (EU) 2017/745 (Medical Device Regulation, MDR), the Processor commits to the supplier obligations relevant to a software / cloud-service input to a device's quality-management system:

Anchor: /legal/dpa#mdr-article-14.

15. NHS Data Security and Protection Toolkit (DSPT) alignment

Where the Controller is a National Health Service (NHS) body, an NHS contractor, or any UK-health-and-social-care organisation required to publish an annual NHS DSPT assertion, the Processor aligns its TOMs (§6), incident handling (§9, §11(b)), supply-chain governance (§11(d)), and erasure mechanics (§13) to the National Data Guardian's 10 standards, as operationalised by the NHS DSPT (v6, 2024-2025 edition):

The Processor does not itself publish a DSPT assertion (it is not a Data Security and Protection Toolkit Reporting Organisation in its own right; it is a software supplier to such organisations) but provides, on request, the supplier-evidence pack a Controller's DSPT submission needs to evidence its supply chain.

Anchor: /legal/dpa#nhs-dspt.

Related documents