Records of Processing Activities
pursuant to Art. 30(2) GDPR (Processor)
As of: April 2026, Version 2.0
1. Name and Contact Details of the Processor
KI-Shield UG (limited liability)
Managing Director: Johanna Bringezu
Ritterstraße 2
99718 Greußen, Germany
Commercial Register: HRB 524511, Local Court of Jena
Email: info@ki-shield.de
Phone: +49 175 648 66 34
2. Categories of Processing Activities
The following processing activities are carried out on behalf of the Controller (Customer) within the scope of the “KI-Shield” service:
| Processing Activity | Purpose | Categories of Data Subjects | Categories of Personal Data |
|---|---|---|---|
| PII Detection & Pseudonymisation | Automated detection of personal data in user inputs and its replacement with pseudonyms before the text is forwarded to an AI provider | Clients, patients, customers, employees and other persons referenced in input texts | Up to 42 PII categories, including names, email addresses, phone numbers, postal addresses, IBANs, tax IDs, dates of birth, IP addresses, health data (Art. 9) and criminal-conviction data (Art. 10) |
| Chat Message Storage | Storage of encrypted conversations for subsequent retrieval by the user | Registered users of the service | Pseudonymised texts, conversation titles, timestamps (all encrypted at rest; see Section 6) |
| Audit Logging | Tamper-evident documentation of all processing operations to fulfil the accountability obligation (Art. 5(2) GDPR) | Registered users of the service | User ID, timestamp, processing type, PII statistics (no plaintext data), cryptographic signatures |
| Account Management | Administration of user accounts, authentication, billing | Registered users of the service | Email address, name, password hash (Argon2id), plan type, Stripe customer ID |
| DPA Management | Administration of Data Processing Agreements (Art. 28 GDPR) | Customer organisations, designated contacts | Company name, contact person, DPA status, date of conclusion |
| B2B Certificates & API Keys | mTLS authentication and API access for B2B customers | B2B customers, technical contacts | Organisation name, API key (hashed), certificate data, usage statistics |
| SIEM & Security Logging | Detection of security incidents (Art. 32 GDPR) | All system users (indirectly), attackers (by IP address) | IP addresses, user agent, timestamps, request URLs (PII stripped by the log_sanitiser component before storage) |
| Backup & Archiving | Data-loss prevention, disaster recovery, audit retention | All persons whose data is contained in the backed-up databases | Pseudonym mappings, user accounts, audit logs (all encrypted at rest; see Section 6) |
3. Categories of Recipients
Personal data is transmitted to or made accessible to the following recipients:
| Recipient | Purpose | Data | Location |
|---|---|---|---|
| Hetzner Online GmbH | Server hosting (infrastructure) | All processed data (encrypted) | Nuremberg, Germany |
| AI Providers (OpenAI, Anthropic, Google, etc.) | AI inference | Exclusively pseudonymised texts – no personal data in plaintext | Depending on provider (USA, EU) |
| Stripe Payments Europe, Ltd. | Payment processing | Email address, payment information | Dublin, Ireland (EU) |
| Polygon Blockchain | Audit anchoring | Exclusively cryptographic hashes – no personal data | Decentralised |
4. Transfers to Third Countries
(1) Primary data processing (PII detection, pseudonymisation, encryption, storage) takes place exclusively on servers located in Germany (Hetzner Online GmbH, Nuremberg).
(2) Transfer of pseudonymised data to AI providers in third countries (in particular the USA) only occurs where the Customer configures and actively uses a corresponding provider. The transmitted data contains no personal data in plaintext, only pseudonymised texts. Pseudonymised data nevertheless remains personal data within the meaning of Art. 4(5) GDPR, which is why these transfers are recorded here and rely on the safeguards listed per provider in Section 9.
(3) For payment processing via Stripe, the EU–US Data Privacy Framework (DPF) applies; where DPF coverage is unavailable, Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR apply.
5. Envisaged Erasure Periods
| Data Category | Erasure Period | Legal Basis |
|---|---|---|
| Chat messages (Free plan) | 7 days after creation | Contractual agreement |
| Chat messages (Pro/Business) | Until erasure by user or account deletion | Contractual agreement |
| Audit logs | According to selected plan (7 days to unlimited) | Art. 5(2) GDPR (accountability) |
| Account data | Without undue delay following account deletion | Art. 17 GDPR |
| Billing data | 10 years following the end of the financial year in which they arose | Section 147 AO (German Fiscal Code; statutory retention obligation) |
| Pseudonymisation mapping table | Held only in volatile memory during the active session – not stored persistently | Privacy by Design (Art. 25 GDPR) |
6. Technical and Organisational Measures (Art. 32 GDPR)
The following measures are implemented to safeguard the personal data processed:
Confidentiality
- Encryption at rest of all stored data with user-specific keys using Fernet tokens (note: the Fernet specification encrypts with AES-128-CBC and authenticates with HMAC-SHA256 under a 256-bit Fernet key; "AES-256" overstates the cipher strength of standard Fernet)
- Password-based key derivation with Argon2id, yielding a 256-bit key
- Encryption keys reside solely in volatile memory (RAM), never in the database
- TLS 1.3 for all connections
- Role-based access control (RBAC)
Integrity
- Hybrid cryptographic signatures (classical Ed25519 plus post-quantum ML-DSA-65, FIPS 204) on audit entries
- SHA-256 hash chain linking each audit entry to its predecessor, so that modification or removal of an entry is detectable
- Daily anchoring of the current chain head hash on Polygon PoS (hashes only, no personal data)
- Automated integrity verification
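The hash chain and daily anchor described under Integrity, as an added illustrative example that is not KI-Shield's code. It assumes an entry layout of user ID, timestamp, processing type and PII statistics (the fields listed in Section 2), a genesis value of 64 zero characters, and an HMAC-SHA256 tag as a stand-in for the Ed25519 + ML-DSA-65 hybrid signature, which needs third-party libraries; all entry values are constructed.

```python
"""Tamper-evident audit log: SHA-256 hash chain with a signature stand-in.

Added example, not KI-Shield's implementation.  Assumptions: entry layout,
GENESIS_HASH, and HMAC-SHA256 in place of the Ed25519 + ML-DSA-65 hybrid
signature.  Only counts per PII category are logged, never detected values.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from typing import Any, Optional

GENESIS_HASH = "0" * 64  # assumed "previous hash" for the very first entry


def canonical_json(obj: dict[str, Any]) -> bytes:
    """Deterministic serialisation: sorted keys, no whitespace."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def chain_hash(prev_hash: str, payload: dict[str, Any]) -> str:
    """SHA-256 over (previous entry hash || canonical payload)."""
    return hashlib.sha256(prev_hash.encode("ascii") + canonical_json(payload)).hexdigest()


class AuditChain:
    """Append-only audit log whose entries form a SHA-256 hash chain."""

    def __init__(self, signing_key: bytes) -> None:
        self._signing_key = signing_key  # HMAC stand-in for the hybrid signature key
        self.entries: list[dict[str, Any]] = []

    def _sign(self, entry_hash: str) -> str:
        return hmac.new(self._signing_key, entry_hash.encode("ascii"), hashlib.sha256).hexdigest()

    def append(self, user_id: str, timestamp: str, processing_type: str,
               pii_stats: dict[str, int]) -> str:
        # pii_stats carries counts per category only; no plaintext ever enters the log.
        payload = {"user_id": user_id, "timestamp": timestamp,
                   "processing_type": processing_type, "pii_stats": pii_stats}
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry_hash = chain_hash(prev_hash, payload)
        self.entries.append({"payload": payload, "prev_hash": prev_hash,
                             "hash": entry_hash, "signature": self._sign(entry_hash)})
        return entry_hash

    def head(self) -> str:
        """The value a daily anchoring job would publish: a hash, no personal data."""
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH

    def verify(self, anchored_head: Optional[str] = None) -> tuple[bool, Optional[int]]:
        """Recompute the whole chain; return (ok, index of the first bad entry or None)."""
        prev_hash = GENESIS_HASH
        for index, entry in enumerate(self.entries):
            if entry["prev_hash"] != prev_hash:
                return False, index
            if chain_hash(prev_hash, entry["payload"]) != entry["hash"]:
                return False, index
            if not hmac.compare_digest(self._sign(entry["hash"]), entry["signature"]):
                return False, index
            prev_hash = entry["hash"]
        if anchored_head is not None and prev_hash != anchored_head:
            # Every entry is internally consistent, but the log is not the one that
            # was anchored (typically: entries were dropped from the end).
            return False, len(self.entries)
        return True, None


def demo() -> dict[str, Any]:
    """Build a chain from constructed entries, tamper with it, and re-verify."""
    chain = AuditChain(signing_key=b"demo-signing-key-not-for-production")
    chain.append("user-42", "2026-04-01T08:00:00Z", "pseudonymise", {"EMAIL": 1, "IBAN": 1})
    chain.append("user-42", "2026-04-01T08:00:02Z", "ai_request", {})
    chain.append("user-42", "2026-04-01T08:00:05Z", "re_identify", {"EMAIL": 1, "IBAN": 1})
    anchored = chain.head()  # what the daily anchoring job would have published
    ok_before, _ = chain.verify(anchored)

    # An insider rewrites an old entry to hide that an IBAN was processed.
    chain.entries[0]["payload"]["pii_stats"]["IBAN"] = 0
    ok_after, bad_index = chain.verify(anchored)

    # Restore the entry, then drop the newest one: the chain is consistent
    # again, but the published anchor no longer matches.
    chain.entries[0]["payload"]["pii_stats"]["IBAN"] = 1
    chain.entries.pop()
    ok_truncated, truncated_index = chain.verify(anchored)
    return {"ok_before": ok_before, "ok_after": ok_after, "bad_index": bad_index,
            "ok_truncated": ok_truncated, "truncated_index": truncated_index}


if __name__ == "__main__":
    print(demo())
```

The anchor check is what turns a hash chain into a tamper-evident log: without an externally published head, an attacker who can rewrite the database can simply recompute every hash after the edited entry, and a truncated log verifies cleanly.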
Availability & Resilience
- Daily automated backups (PostgreSQL pg_dump)
- Autoheal containers for automatic service recovery
- Rate limiting and DDoS protection
- Monitoring via SIEM (Wazuh, Grafana, Loki)
- Target availability: 99.5% annual average
Procedures for Regular Review
- Automated PII-detection tests (golden tests)
- Regular vulnerability scans (Trivy)
- CrowdSec & Fail2Ban for intrusion prevention
- Safe-deploy procedures with pre-deploy backup and automatic rollback
7. Transparency Notice
During active processing (pseudonymisation of a user input), the proxy server has brief technical access to the plaintext input in volatile memory. The plaintext is never written to persistent storage and is released from volatile memory as soon as pseudonymisation is complete. Only the pseudonymised text is transmitted to the AI provider; the pseudonym mapping needed to restore the provider's response is likewise held only in volatile memory for the duration of the session (Section 5).
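The request/response cycle this notice and Section 5 describe, as an added illustrative example that is not KI-Shield's code: detect PII, replace it with stable pseudonym tokens, forward only the pseudonymised text, restore the original values in the reply, and discard the mapping when the session ends. The three regex detectors, the `<CATEGORY_n>` token format and the session API are assumptions (the real service covers far more categories, and names need an NER model rather than a regex); the input text and the model reply are constructed.

```python
"""Pseudonymisation with a session-scoped, in-memory mapping table.

Added example, not KI-Shield's implementation.  Assumed: the detectors in
PATTERNS, the <CATEGORY_n> token format, and the session API.  Sample input
and the simulated model reply are constructed.
"""
from __future__ import annotations

import re

# Illustrative detectors for three of the categories named in Section 2.
PATTERNS: dict[str, re.Pattern[str]] = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "IBAN": re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b"),
    "PHONE": re.compile(r"\+\d{1,3}(?:[ -]?\d{2,4}){2,5}"),
}
TOKEN = re.compile(r"<[A-Z]+_\d+>")


def detected_categories(text: str) -> list[str]:
    """Categories still present in plaintext; used as a pre-forward check."""
    return [category for category, pattern in PATTERNS.items() if pattern.search(text)]


class PseudonymisationSession:
    """Holds the pseudonym mapping in RAM for one request/response cycle only."""

    def __init__(self) -> None:
        self._forward: dict[str, str] = {}   # plaintext value -> token
        self._reverse: dict[str, str] = {}   # token -> plaintext value
        self._counters: dict[str, int] = {}  # per-category counts (audit statistics)

    def __enter__(self) -> "PseudonymisationSession":
        return self

    def __exit__(self, *exc_info: object) -> None:
        self.close()

    def _token_for(self, category: str, value: str) -> str:
        # The same value always maps to the same token so the model sees a
        # consistent placeholder; nothing is derived from the value itself.
        if value in self._forward:
            return self._forward[value]
        number = self._counters.get(category, 0) + 1
        self._counters[category] = number
        token = f"<{category}_{number}>"
        self._forward[value] = token
        self._reverse[token] = value
        return token

    def pseudonymise(self, text: str) -> str:
        """Replace every detected value with its token (outbound direction)."""
        for category, pattern in PATTERNS.items():
            text = pattern.sub(lambda m, c=category: self._token_for(c, m.group(0)), text)
        return text

    def re_identify(self, text: str) -> str:
        """Substitute tokens the model echoed back in its reply (inbound direction)."""
        return TOKEN.sub(lambda m: self._reverse.get(m.group(0), m.group(0)), text)

    def stats(self) -> dict[str, int]:
        """What the audit log receives: counts per category, no values."""
        return dict(self._counters)

    def close(self) -> None:
        """Drop the mapping; after this, tokens can no longer be resolved."""
        self._forward.clear()
        self._reverse.clear()
        self._counters.clear()


def demo() -> dict[str, object]:
    """Run one constructed request through the cycle and return the artefacts."""
    user_input = ("Please draft a reply to anna.mueller@example.org (call +49 30 1234 5678). "
                  "Refund to DE89 3704 0044 0532 0130 00. anna.mueller@example.org asked twice.")
    with PseudonymisationSession() as session:
        outbound = session.pseudonymise(user_input)
        leaked = detected_categories(outbound)  # must be empty before forwarding
        model_reply = "Dear <EMAIL_1>, we will refund <IBAN_1> and call <PHONE_1>."
        restored = session.re_identify(model_reply)
        stats = session.stats()
    # The session is closed: the mapping is gone and tokens stay tokens.
    after_close = session.re_identify("<EMAIL_1>")
    return {"outbound": outbound, "leaked": leaked, "restored": restored,
            "stats": stats, "after_close": after_close}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The pre-forward check (`detected_categories` on the outbound text) is the point a practitioner would insist on: the pseudonymised text, not the detector's confidence, is what actually leaves the EU, so it is the thing to test.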
8. Contact for Data Protection Enquiries
For questions regarding these records of processing activities or data protection at KI-Shield, please contact:
Email: datenschutz@ki-shield.de
Phone: +49 175 648 66 34
9. Sub-Processors
The following sub-processors are engaged under current Data Processing Agreements (Art. 28(2) and (4) GDPR). "TIA" below denotes a transfer impact assessment under the Schrems II case law:
| Sub-Processor | Service | Location | Safeguards |
|---|---|---|---|
| Hetzner Online GmbH | Server hosting, Storage Box | Germany | DPA pursuant to Art. 28 GDPR |
| Stripe Payments Europe Ltd. | Payment processing | IE / US | EU–US DPF, SCCs, Stripe DPA |
| OpenAI L.L.C. | AI inference (default provider) | USA | EU–US DPF (certified); under BYOK (bring your own key) the Customer is the Controller and engages OpenAI directly |
| Anthropic PBC | AI inference | USA | EU–US DPF |
| Mistral AI SAS | AI inference, EU-internal | France | Direct EU GDPR application |
| Groq Inc. | AI inference | USA | SCCs + TIA |
| Google LLC (OAuth) | Optional login | USA | EU–US DPF |
| Cohere Inc. | AI inference (optional) | Canada | SCCs |
| DeepSeek | AI inference (only on active selection) | China | SCCs + extended TIA; no adequacy decision |
| Telegram FZ-LLC | System alerting (metadata only, no PII) | UAE / UK | System alerts only |
Changes to the sub-processor list are notified to customers via the account with 30 days' prior notice; customers retain the right to object to a new sub-processor within that period.