Data Processing Agreement
Last updated: February 11, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between the Customer ("Controller," "you") and AmbientMeta ("Processor," "we," "us") for the provision of the AmbientMeta Privacy Gateway service ("Service"). This DPA governs the processing of Customer Data (as defined in our Privacy Policy) by AmbientMeta on behalf of the Customer, in compliance with the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection legislation.
1. Definitions
- "Customer Data" means any personal data submitted by the Controller to the Service for PII detection, sanitization, or redaction.
- "Processing" means any operation performed on Customer Data, including detection, tokenization, temporary caching, and deletion.
- "Sub-processor" means any third party engaged by AmbientMeta to process Customer Data.
- "Detection Metadata" means anonymized data generated during processing (entity types, confidence scores, context hashes) that cannot be used to identify individuals.
- "Data Protection Laws" means GDPR, UK GDPR, CCPA/CPRA, and any other applicable data protection legislation.
2. Scope and Purpose of Processing
AmbientMeta processes Customer Data solely to provide the Service: detecting personally identifiable information in text, replacing it with safe placeholder tokens, and optionally restoring original values via rehydration. The categories of personal data processed depend on the text submitted by the Controller and may include names, email addresses, phone numbers, government identifiers (SSN, credit card numbers), locations, and other PII types.
Processing Details
| Attribute | Detail |
|---|---|
| Nature of processing | Automated PII detection, tokenization, temporary caching, and deletion |
| Purpose | PII detection and sanitization as requested by Controller |
| Categories of data subjects | Individuals whose personal data appears in text submitted by Controller |
| Categories of personal data | As determined by Controller's submitted text (names, emails, phone numbers, SSNs, credit card numbers, locations, and other PII) |
| Duration | For the term of the subscription agreement, plus 30 days for account data deletion |
3. Controller Instructions
AmbientMeta processes Customer Data only on documented instructions from the Controller. The Controller's instructions are defined by:
- The API requests submitted by the Controller (endpoint, parameters, entity types, mode)
- The configuration specified in API calls (e.g., config.entities, config.storage_overrides, mode)
- This DPA and the Terms of Service
AmbientMeta will not process Customer Data for any purpose other than providing the Service unless required by applicable law. If required by law to process Customer Data for another purpose, AmbientMeta will inform the Controller before processing (unless prohibited from doing so by law).
4. Sub-Processors
The Controller authorizes AmbientMeta to engage the sub-processors listed at /legal/sub-processors. AmbientMeta will:
- Notify the Controller at least 30 days before engaging any new sub-processor or replacing an existing one
- Provide notification via email to the account owner and update the sub-processor page
- Ensure each sub-processor is bound by data protection obligations no less protective than those in this DPA
Objection procedure: If the Controller objects to a new sub-processor, the Controller may notify AmbientMeta in writing within 14 days of receiving notice. AmbientMeta will make reasonable efforts to provide an alternative or allow the Controller to terminate the affected Service component without penalty.
5. Security Measures
AmbientMeta implements and maintains appropriate technical and organizational measures to protect Customer Data, including:
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ on all API communications |
| Encryption at rest | AES-256 for database and cache storage |
| Access controls | API key authentication with bcrypt hashing; JWT session tokens |
| Data minimization | PII values cached for maximum 24 hours, then permanently deleted. In redaction mode, no caching occurs. |
| Storage tier classification | Toxic identifiers (SSN, credit card) are never written to persistent storage. Contextual identifiers have type-to-span mappings randomized. |
| Automated deletion | Redis TTL-based session expiration; hourly log retention cleanup |
6. Data Subject Rights
AmbientMeta will assist the Controller in fulfilling data subject requests under Data Protection Laws, including requests for access, rectification, erasure, restriction, portability, and objection. AmbientMeta will:
- Promptly forward any data subject request received directly to the Controller
- Provide reasonable technical assistance to enable the Controller to respond to requests
- Not independently respond to data subject requests unless authorized by the Controller
7. Breach Notification
In the event of a personal data breach affecting Customer Data, AmbientMeta will:
- Notify the Controller within 48-72 hours of becoming aware of the breach
- Provide details of the breach: nature, categories of data affected, approximate number of data subjects, likely consequences, and measures taken or proposed
- Cooperate with the Controller's investigation and notification obligations
- Document the breach and remediation steps taken
8. Data Deletion
Upon termination of the Service agreement or upon the Controller's written request:
- Session data: Automatically expires within 24 hours (no action required)
- Account data: Deleted within 30 days of termination or deletion request
- Detection metadata: Purged upon written request. Raw events are subject to 30-day automated retention; aggregated insights are deleted upon request.
- Request logs: Subject to 30-day automated retention cleanup
AmbientMeta will confirm deletion in writing upon the Controller's request.
9. Audit Rights
The Controller may request that AmbientMeta provide documentation demonstrating compliance with this DPA and applicable Data Protection Laws. AmbientMeta will:
- Make available all information necessary to demonstrate compliance
- Allow and contribute to audits and inspections conducted by the Controller or an independent auditor mandated by the Controller, subject to reasonable advance notice (minimum 30 days) and confidentiality obligations
- Provide a summary of any relevant third-party audit reports (e.g., SOC 2 when available)
10. Liability
Each party's aggregate liability arising from or related to this DPA shall not exceed the total fees paid by the Controller to AmbientMeta in the 12 months preceding the event giving rise to liability. This limitation does not apply to: (a) liability arising from a party's willful misconduct or gross negligence, (b) AmbientMeta's indemnification obligations for data protection breaches caused by its failure to comply with this DPA, or (c) liability that cannot be limited by applicable law.
11. International Transfers
AmbientMeta's services are hosted in the United States. For transfers of Customer Data from the EEA, UK, or Switzerland to the US, AmbientMeta relies on Standard Contractual Clauses (SCCs) as approved by the European Commission (Decision 2021/914). The SCCs are incorporated into this DPA by reference.
Self-hosted deployments: For self-hosted customers, all Customer Data processing occurs on the customer's own infrastructure. No Customer Data is transferred to AmbientMeta. This DPA applies only to Account Data in self-hosted scenarios.
12. Term and Termination
This DPA is effective for the duration of the Service agreement between the parties. The data protection obligations in this DPA survive termination of the Service agreement to the extent necessary to fulfill AmbientMeta's data deletion obligations (Section 8) and ongoing legal requirements.
13. Governing Law
This DPA is governed by the laws that govern the Service agreement between the parties. For EU/EEA customers, this DPA shall be interpreted in accordance with GDPR requirements regardless of the governing law of the Service agreement.
14. Contact
For questions about this DPA or to exercise rights under it:
- Email: legal@ambientmeta.com
- Data Protection Officer: dpo@ambientmeta.com