1 Definitions
- "Controller" means the entity that determines the purposes and means of processing Personal Data. In the context of this DPA, the Controller is the Customer who uses GovernLayer's services.
- "Processor" means the entity that processes Personal Data on behalf of the Controller. GovernLayer acts as the Processor when handling data submitted through its platform.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed. This may include the Controller's employees, end-users, or other individuals whose data is referenced in AI governance workflows.
- "Personal Data" means any information relating to a Data Subject, as defined in Article 4(1) of the GDPR. In GovernLayer's context, this primarily includes metadata attached to governance decisions rather than direct end-user PII.
- "Processing" means any operation performed on Personal Data, including collection, recording, organisation, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
2 Scope of Processing
GovernLayer processes data strictly in the context of AI governance operations. The categories of data processed include:
- AI decision logs — Records of automated decisions made by AI agents under governance, including model identifiers, input summaries, and output classifications.
- Reasoning traces — Chain-of-thought or reasoning outputs produced during compliance audits and drift detection analyses.
- Risk scores — Deterministic 6-dimension risk assessments computed from boolean policy inputs. These scores do not contain PII.
- Audit records — SHA-256 hash-chained ledger entries documenting governance actions, timestamps, and associated compliance frameworks.
GovernLayer does not directly process end-user PII. The platform operates on AI system metadata and governance telemetry. If a Controller submits data containing PII (e.g., in policy descriptions or audit notes), GovernLayer processes it solely to deliver the requested governance service and does not use it for any other purpose.
3 Processor Obligations
GovernLayer, as Processor, shall:
- Process data only on documented instructions from the Controller, unless required by applicable law. GovernLayer will not process Personal Data for any purpose other than delivering the contracted governance services.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
  - Encryption of data at rest (AES-256) and in transit (TLS 1.2+)
  - bcrypt password hashing with per-user salt
  - SHA-256 hash-chained immutable audit ledger
  - Redis-backed rate limiting per organization
  - Scoped API key authentication with rotation support
  - HSTS enforcement with 2-year max-age and preload
  - Security headers on all responses (CSP, X-Frame-Options, Permissions-Policy)
- Notify the Controller of a data breach without undue delay and in any event within 72 hours of becoming aware of a Personal Data breach. Notification shall include the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.
- Ensure personnel are bound by confidentiality obligations. All GovernLayer employees and contractors with access to Customer data have signed confidentiality agreements.
- Assist the Controller in ensuring compliance with obligations under Articles 32 to 36 of the GDPR (security, breach notification, impact assessments, and prior consultation).
- Delete or return all Personal Data upon termination of the service, at the Controller's election, unless retention is required by applicable law.
- Make available all information necessary to demonstrate compliance with this DPA and allow for audits and inspections conducted by the Controller or an authorized auditor.
4 Data Subject Rights
GovernLayer shall assist the Controller in fulfilling its obligations to respond to Data Subject requests under Chapter III of the GDPR, including:
- Right of Access (Article 15) — Data Subjects may request confirmation of whether their Personal Data is being processed and, if so, access to that data. GovernLayer provides API endpoints and dashboard tools enabling Controllers to export all governance records associated with a given subject.
- Right to Rectification (Article 16) — Data Subjects may request correction of inaccurate Personal Data. Controllers can update records through the GovernLayer API. Note: hash-chained audit ledger entries are immutable by design; corrections are recorded as new ledger entries referencing the original.
- Right to Erasure (Article 17) — Data Subjects may request deletion of their Personal Data. GovernLayer supports organization-level data deletion on request. Deletion is permanent and irreversible, covering audit records, API keys, usage history, and account information.
- Right to Data Portability (Article 20) — Data Subjects may request their data in a structured, commonly used, machine-readable format. GovernLayer supports JSON export of all governance records via the API.
Requests should be directed to the Controller. If GovernLayer receives a request directly from a Data Subject, it will promptly notify the Controller and will not respond to the request without the Controller's authorization, unless legally required to do so.
5 International Transfers
GovernLayer's primary infrastructure is hosted within the United States via Railway (SOC 2 Type II compliant hosting). Where Personal Data originating from the European Economic Area (EEA), United Kingdom, or Switzerland is transferred to a country outside those regions, GovernLayer ensures adequate safeguards are in place:
- Standard Contractual Clauses (SCCs) — GovernLayer enters into the European Commission's Standard Contractual Clauses (Module Two: Controller to Processor) with Controllers located in the EEA, as approved by Commission Implementing Decision (EU) 2021/914.
- UK International Data Transfer Addendum — For transfers from the UK, GovernLayer supplements the SCCs with the UK International Data Transfer Addendum as issued by the Information Commissioner's Office.
- Supplementary measures — In addition to SCCs, GovernLayer implements encryption in transit and at rest, access controls, and audit logging as supplementary technical measures.
Controllers who require data residency within the EEA may deploy GovernLayer's self-hosted option with local Ollama inference, ensuring no data leaves the Controller's infrastructure.
6 Data Retention
GovernLayer retains data according to the following principles:
- Audit records are retained for the duration of the Controller's subscription and for a period of 90 days following termination, to allow for data export. After this retention period, records are permanently deleted.
- Risk scores and drift detection results are retained as part of the audit ledger for the same period as audit records.
- Account data (organization name, billing information, API keys) is retained for the duration of the subscription and deleted upon account closure, subject to any legal retention obligations.
- Usage metrics (request counts, latency data) are retained in aggregate form for up to 12 months for service improvement. These metrics do not contain Personal Data.
Controllers may request early deletion of all their data at any time by contacting dpo@governlayer.ai. GovernLayer will process deletion requests within 30 days and provide written confirmation upon completion.
7 Sub-Processors
GovernLayer engages the following sub-processors to deliver its services. The Controller authorizes GovernLayer to engage these sub-processors, subject to the conditions set out in this section.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Railway | Application hosting, compute, and deployment infrastructure | United States |
| PostgreSQL (Railway-managed) | Primary database storage for audit records, governance data, and account information | United States |
| Redis (Railway-managed) | Caching, session management, and rate limiting | United States |
| Stripe | Payment processing and subscription billing | United States |
GovernLayer will notify the Controller at least 30 days in advance of adding or replacing a sub-processor by updating this page and notifying Controllers via their registered email address. If the Controller objects to a new sub-processor, the Controller may terminate the affected services within 30 days of the notification.
GovernLayer ensures that all sub-processors are bound by data protection obligations no less protective than those set out in this DPA.
Effective date: April 2026 · Last updated: April 7, 2026