GDPR & security
Everything about how Custos AI processes your data, the legal framework, and the technical security measures we apply.
Our role under the GDPR
Custos AI acts as a data processor. You — the customer — are the data controller. We process personal data only on your documented instructions and in accordance with our Data Processing Agreement (DPA), which is included in our Terms of Service.
Data Processing Agreement (DPA)
Our DPA is Article 28 GDPR-compliant and covers all processing activities. It is automatically accepted when you accept our Terms of Service. You can download the current version at any time.
What data we process
| Category | Examples | Retention |
|---|---|---|
| Account data | Name, email, hashed password, language | Duration of account + 12 months |
| Chat data | Conversation history, model used | 365 days rolling, configurable |
| Uploaded files | PDF, DOCX, images | 30 days from upload (configurable) |
| Usage data | Token counts, cost estimates | 12 months rolling |
| Audit logs | IP address, timestamps | 365 days |
| Billing records | Stripe references, plan info | 7 years (tax law) |
LLM providers and the BYOK model
Under the BYOK model, you maintain a direct relationship with each LLM provider through your own API keys. LLM providers are not sub-processors of Custos AI — they are independent controllers or processors that you engage directly. You are responsible for ensuring appropriate legal basis and data processing agreements with each provider you use.
The four LLM providers currently supported in Custos AI — OpenAI, Anthropic, Google, and Mistral — all offer their own GDPR-compliant terms and DPAs, which you agree to when creating an account with them.
Sub-processors
Full list: custosai.eu/sub-processors
Security measures
Our privacy team responds within 2 business days.