Question 1

What service features are affected if we object to a new subprocessor addition?

Accepted Answer

Objection rights are available for all subprocessor changes with 30 or 90 days notice depending on location. Duale AI will specify which features depend on that subprocessor and the operational impact if you maintain your objection. Contact contact+legal@mail.duale.ai to discuss whether alternative implementations or additional safeguards are possible.

Question 2

How does Duale AI ensure our prompts in contextual memory are isolated from other customers?

Accepted Answer

Customer data is strictly isolated—never reused across contexts, never used for training, and never shared in statistics. Data is stored on Hetzner's EU infrastructure with multi-datacenter redundancy. Contact contact+privacy@mail.duale.ai for technical details on isolation architecture and access controls.

Question 3

If our chosen LLM provider isn't fully GDPR compliant under EDPB Opinion 28/2024, who is responsible?

Accepted Answer

You are responsible for verifying your LLM provider's GDPR compliance before enabling integration. Duale AI processes data only for routing and contextual memory—it does not control the model provider's data handling. You must conduct due diligence on your chosen provider referencing EDPB Opinion 28/2024.

Question 4

What encryption standards does Duale AI use for data at rest and in transit?

Accepted Answer

Specific encryption algorithms and standards are covered in the Data Processing Agreement, not in this public documentation. Request technical encryption specifications from contact+dpa@mail.duale.ai to verify they meet your organization's security requirements.

Question 5

How long are prompts and contextual memory retained, and can we delete them?

Accepted Answer

Retention periods are defined in the Data Processing Agreement. Contextual memory is retained for the lifetime of the associated service; deletion policies and retention schedules should be requested from contact+dpa@mail.duale.ai to ensure compliance with GDPR Article 5 (storage limitation).

Question 6

How do we access Transfer Impact Assessments for our compliance audits?

Accepted Answer

TIAs are documented for each US subprocessor to demonstrate compliance with EDPB Recommendations 01/2020. Request TIA copies via contact+dpa@mail.duale.ai to include in your audit file and provide evidence of adequate safeguards for international transfers.

Subprocessor	Function	Data Processed	Location	Transfer Safeguards
Hetzner Online GmbH	Infrastructure hosting	All platform data	Germany	N/A (EU)
GitHub, Inc.	Website hosting	Access logs (IP, UA)	USA	SCCs + DPF
Cloudflare, Inc.	CDN, DDoS protection	Navigation data, IP	USA / EU	SCCs + DPF

Subprocessor	Function	Data Processed	Location	Transfer Safeguards
Auth0 (Okta)	Authentication, SSO	Email, name, credentials	USA	SCCs + DPF
Cloudflare, Inc.	WAF, attack protection	Connection logs, IP	USA / EU	SCCs + DPF

Subprocessor	Function	Data Processed	Location	Transfer Safeguards
Duale AI	Routing, contextual memory	Prompts, results, metadata	EU	N/A (EU)
Variable	LLM inference	Prompts, results	Variable	Per chosen provider

Acronym	Meaning
BYOK	Bring Your Own Key (API key provided by Customer)
CJEU	Court of Justice of the European Union
DPA	Data Processing Agreement
DPF	Data Privacy Framework (EU-USA, adequacy decision 2023)
EDPB	European Data Protection Board
GDPR	General Data Protection Regulation
SCCs	Standard Contractual Clauses (transfers outside EU)
TIA	Transfer Impact Assessment
N/A (EU)	No transfer outside EU

List of Subprocessors

Introduction

Changes

International Transfers

Infrastructure and Hosting

Authentication and Security

AI Services

Payment and Billing

Communication and Support

Analytics and Monitoring

EU AI Act Compliance

Glossary

Contact