Data Processing & Security – DPA Overview

This page explains in plain language how AI Tuning (Sandrex Group EOOD) organises data processing and security for client projects and for the operation of aituning.io. It is an overview only and does not replace the formal Data Processing Agreement (DPA) that we sign with clients under Article 28 GDPR.

1. Roles Under GDPR

Depending on the context, we act as:

  • Controller for data relating to the operation of aituning.io (website analytics, enquiry forms, own marketing, Zoho e-mail, etc.).
  • Processor when we handle data provided by clients for fine-tuning, evaluation, hosting or support of models.

In processor scenarios, the detailed obligations, technical and organisational measures, and sub-processors are governed by the DPA signed between Sandrex Group EOOD and the client.

2. Core Infrastructure & Data Locations

3. Data We Process on Behalf of Clients

Typical categories of data we process as a processor include:

  • Text corpora and documents for training (contracts, tickets, FAQs, knowledge bases, internal procedures).
  • Evaluation datasets and prompts, including expected outputs for benchmarking and quality checks.
  • Limited technical logs generated during training and inference (e.g. error logs, performance metrics, anonymised prompts).

By default we expect clients to avoid special categories of personal data (Art. 9 GDPR) unless a specific project requires it (e.g. medical summaries). Such projects are handled with additional safeguards and clearly documented in the DPA and order form.

4. Technical and Organisational Security Measures

We apply a combination of technical and organisational measures tailored to the sensitivity of the data and the project. Key measures include:

  • Restricted access to servers and repositories (need-to-know only).
  • Strong authentication for administrator access (unique accounts, 2FA where supported).
  • Encryption in transit (HTTPS / SSH / VPN) for data transfers.
  • Segregation of client projects at data and file-system level.
  • Regular security patches and updates for operating systems and key software.
  • Logging and monitoring for suspicious access or abuse.
  • Documented incident-response procedure and client notification obligations.

For especially sensitive projects (e.g. legal, public sector, medical), we can work fully offline or air-gapped on hardware controlled by the client or within a dedicated environment described in the order form.

5. Sub-processors

To deliver our services we use carefully selected sub-processors such as hosting providers, GPU cloud operators, e-mail and collaboration tools, and security/CDN services. All sub-processors are bound by written agreements that provide data-protection obligations equivalent to those in our DPA.

A current list of sub-processors and the countries where they operate is available on request and, for clients, as an annex to the DPA. We inform clients of material changes in accordance with the notification procedure in the DPA.

6. International Data Transfers

Our goal is to keep all personal data within the European Economic Area (EEA). Where a specific service requires transfers to a country without an adequacy decision (for example, certain Cloudflare or tracking-pixel processing), we rely on:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission; and
  • Additional technical and organisational measures (encryption, data minimisation) where appropriate.

Details of such transfers for client projects are set out in the DPA and order form.

7. Retention and Deletion of Client Data

For data we process as a processor, the retention periods are governed by the DPA and project agreement. In general:

  • Training datasets and raw inputs are kept only for the duration of the project and any agreed support period.
  • At the end of the project, and upon the client’s written request, we delete or return the data and derived artefacts (excluding models and logs that must be retained for legal or security reasons).
  • Backups containing client data are rotated and deleted according to our backup policy and any retention requirements agreed in the DPA.

8. Cooperation on Data Subject Rights & DPIA

When we act as a processor, we support our clients in fulfilling their GDPR obligations by:

  • Assisting with responses to data-subject requests where our systems are involved.
  • Providing information on our processing activities and security measures for DPIAs.
  • Enabling audits or inspections as described in the DPA (typically via documentation and remote sessions).

9. Requesting Our Full Data Processing Agreement

If you are considering a project with AI Tuning and need to assess our compliance in detail, we can provide:

  • A copy of our standard Data Processing Agreement (DPA) for review;
  • A list of sub-processors and hosting locations relevant to your use case;
  • A high-level security overview aligned with your internal compliance requirements.

For information on how we process personal data as a controller (for example when you visit our website or contact us), please refer to our Privacy Policy and Cookie Policy.