Data Processing Agreement
Last updated: March 21, 2026
Why this DPA is different
CitrusGlaze processes all data locally on your machines. We never receive, store, or have access to your AI traffic, prompts, responses, secrets, or any data inspected by the software. This DPA exists because enterprise procurement requires one — but the short version is: we don't process your data at all.
1. Definitions
- "Customer" — The organization or individual using CitrusGlaze software
- "Customer Data" — All data processed by the CitrusGlaze software on Customer's machines, including AI prompts, responses, secrets detected, policy decisions, audit logs, and cost tracking data
- "Service Data" — Data collected by CitrusGlaze through the website or payment processing (email, billing info, anonymous analytics)
- "Processor" — Gourmand Labs LLC ("CitrusGlaze")
- "Sub-processor" — Third-party service providers used by CitrusGlaze
2. Scope of processing
2.1 Customer Data — Local processing only
CitrusGlaze software runs entirely on Customer's machines. All processing of Customer Data occurs locally. Gourmand Labs LLC:
- Does NOT receive Customer Data
- Does NOT store Customer Data on any server
- Does NOT have access to Customer Data
- Does NOT transmit Customer Data to any third party
- CANNOT access, view, or retrieve Customer Data
Customer Data is stored in a local SQLite database on Customer's machine(s). Customer has full control over this data, including the ability to export, back up, or delete it at any time.
2.2 Service Data — Minimal collection
Gourmand Labs LLC processes limited Service Data as described in our Privacy Policy:
| Data type | Purpose | Legal basis |
|---|---|---|
| Email address | Account management, communications | Contract / consent |
| Payment information | Subscription billing (via Stripe) | Contract |
| Anonymous analytics | Website improvement | Legitimate interest |
3. Data residency
Customer Data resides exclusively on Customer's machines, in the jurisdiction(s) where those machines are located. Gourmand Labs LLC has no data centers, no cloud storage for customer data, and no ability to control where Customer Data resides.
Service Data (email, payment) is processed in the United States by Cloudflare (hosting), Stripe (payments), and Resend (email).
4. Sub-processors
Gourmand Labs LLC uses the following sub-processors for Service Data only:
| Sub-processor | Purpose | Location | Data processed |
|---|---|---|---|
| Cloudflare, Inc. | Website hosting, D1 database | Global (US-based) | Anonymous analytics, email |
| Stripe, Inc. | Payment processing | United States | Name, email, payment details |
| Resend, Inc. | Email delivery | United States | Email address |
No sub-processors have access to Customer Data (AI traffic, prompts, secrets), because that data never leaves Customer's machines.
We will notify customers 30 days before adding new sub-processors. Customers may object by contacting [email protected].
5. Security measures
5.1 Software security
- The CitrusGlaze proxy uses locally-generated TLS certificates — no shared keys
- Local database is stored with filesystem-level permissions
- The scanner source code is open source and auditable
- 560+ automated tests across 17 Rust crates
- No outbound network connections from the security engine
5.2 Organizational security
- Access to Service Data systems is limited to authorized personnel
- Stripe handles PCI DSS Level 1 compliance for payment data
- All communications over TLS 1.2+
6. Data subject rights
For Customer Data: Because we have no access to Customer Data, data subject requests (access, deletion, portability) must be handled by Customer directly, using the local database tools provided by the software.
For Service Data: We will assist with data subject requests as described in our Privacy Policy. Contact [email protected].
7. Data breach notification
Because we have no access to Customer Data, a breach of Customer Data from CitrusGlaze's systems is not possible.
In the event of a breach of Service Data (email addresses, payment records), we will notify affected customers within 72 hours of discovery, consistent with GDPR Article 33.
8. Data deletion
Customer Data: Delete the local SQLite database at any time. Uninstalling the software removes all local data. We cannot perform deletion because we have no access.
Service Data: Upon request or account termination, we will delete your email and account data within 30 days, except where retention is required by law (e.g., tax records).
9. GDPR compliance
For the purposes of GDPR:
- Customer is the Controller of Customer Data
- Gourmand Labs LLC is NOT a Processor of Customer Data (we never receive it)
- Gourmand Labs LLC is a Processor of Service Data (email, payment, analytics)
- Standard Contractual Clauses are available upon request for international transfers of Service Data
10. HIPAA
CitrusGlaze software processes data locally and never transmits PHI to Gourmand Labs LLC. For organizations requiring a Business Associate Agreement (BAA), please contact [email protected] to discuss your specific requirements.
11. Audit rights
Customers may audit CitrusGlaze's compliance with this DPA by:
- Inspecting the open-source scanner code on GitHub
- Monitoring network traffic during software operation to verify no data exfiltration
- Requesting documentation of our security practices
12. Term and termination
This DPA is effective for the duration of the Customer's use of CitrusGlaze. Upon termination, all provisions regarding data handling survive to the extent they relate to data already processed.
13. Contact
DPA questions: [email protected]
Gourmand Labs LLC, a Delaware limited liability company.