Last updated: April 10, 2026
For the purposes of this Data Processing Agreement:
This DPA applies where the Controller submits text containing Personal Data to the Service for processing. The Controller is the data controller and raipii is the data processor under applicable data protection law.
The Controller warrants that it has a lawful basis for submitting Personal Data to the Service and that doing so complies with applicable data protection law.
raipii processes Personal Data only on documented instructions from the Controller, as set out in this DPA and the Terms of Service. The primary instructions are:
raipii will not process Personal Data for any other purpose, including for training models, improving detection algorithms, or any commercial purpose beyond providing the Service.
If raipii is required by law to process Personal Data for another purpose, it will inform the Controller before doing so, unless prohibited by law.
raipii implements and maintains appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
raipii does not store the plaintext of submitted prompts or responses. Only session token maps (mappings from replacement tokens to original values) are stored, and only for the duration of the session TTL.
All Personal Data is encrypted at rest using industry-standard encryption. All data in transit is protected using TLS 1.2 or higher.
Access to Personal Data is restricted to personnel who require it to provide the Service. raipii maintains access logs and reviews access regularly.
Session data is automatically deleted on expiry (default 1 hour, maximum 24 hours). Audit log records contain no Personal Data values — only metadata (entity types, counts, timestamps). Controllers may request immediate deletion via the erasure API or by contacting privacy@raipii.com.
raipii maintains a security incident response procedure. In the event of a personal data breach, raipii will notify the Controller without undue delay and within 72 hours of becoming aware, providing information sufficient for the Controller to meet its own notification obligations under GDPR Article 33.
The Controller grants raipii general authorisation to engage sub-processors. raipii will inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object. Current sub-processors engaged by raipii include infrastructure and compute providers operating under appropriate data processing terms.
raipii ensures that sub-processors are bound by data protection obligations equivalent to those in this DPA, and remains liable to the Controller for the performance of sub-processors' obligations.
To request the current list of sub-processors, contact privacy@raipii.com.
raipii will assist the Controller in responding to data subject rights requests (access, rectification, erasure, restriction, portability, objection) to the extent technically feasible given the nature of the Service. The Controller is responsible for identifying and responding to data subject requests.
The erasure API (DELETE /v1/me/data) and token purge API (POST /v1/me/purge) are provided to assist the Controller in fulfilling erasure and restriction requests.
By default, raipii processes data in the AWS us-east-1 (United States) region. EU data residency is available on the Business tier, restricting all processing to AWS eu-west-1 (Ireland).
Where Personal Data is transferred from the European Economic Area to a third country, raipii relies on Standard Contractual Clauses (SCCs) adopted by the European Commission as the transfer mechanism. Copies of applicable SCCs are available on request.
raipii ensures that all personnel authorised to process Personal Data are under an obligation of confidentiality with respect to that data, whether contractual or statutory.
raipii will provide the Controller with all information reasonably necessary to demonstrate compliance with this DPA and GDPR Article 28. The Controller may conduct audits or inspections of raipii's data processing activities, at the Controller's expense, upon reasonable notice and no more than once per calendar year. In lieu of an on-site audit, raipii may provide relevant third-party audit reports or certifications.
Upon termination of the Services or at the Controller's request, raipii will delete or return all Personal Data in its possession, and delete existing copies, unless applicable law requires retention. A written confirmation of deletion will be provided on request.
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. raipii's liability for breaches of this DPA is limited to direct damages caused by raipii's failure to fulfil its obligations as processor.
For questions about this DPA, data protection enquiries, or to request a signed copy:
raipii Data Protection
privacy@raipii.com