Compliance with the General Data Protection Regulation (GDPR)

Eyre AI Limited is committed to ensuring the privacy, security, and lawful processing of personal data in compliance with the General Data Protection Regulation (GDPR), Regulation (EU) 2016/679.

Our services are designed to meet the principles of data protection by design and default, ensuring that personal data is collected, processed, stored, and transferred in accordance with GDPR requirements.


This section outlines our commitment to GDPR compliance, including data retention, access controls, breach notification policies, and user rights.


Data Collection & Lawful Processing

We collect and process personal data only for legitimate, specific, and lawful purposes in compliance with Article 6 of GDPR. We ensure that data processing is fair, transparent, and limited to what is necessary for service delivery.

Where applicable, we obtain explicit consent before processing personal data or rely on contractual necessity, legal obligations, or legitimate interests as a lawful basis.

Personal data will never be shared with third parties without legal justification, user consent, or contractual necessity.


Data Retention & Secure Disposal

  • Retention Period: Personal data is retained only for as long as necessary to fulfill the original processing purpose or to comply with legal obligations.
  • Data Minimization: We regularly review and delete unnecessary personal data to comply with GDPR’s data minimization principle.
  • Right to Erasure (“Right to be Forgotten”): Users have the right to request deletion of their personal data under Article 17 of GDPR, unless legal or regulatory requirements necessitate its retention.
  • Secure Disposal: When personal data is no longer required, it is permanently deleted or securely anonymized in compliance with ISO 27001 and NIST 800-88 standards for data sanitization.


Customers acknowledge their responsibility to ensure GDPR compliance when transferring, storing, or processing personal data within the Eyre AI Limited platform.


Data Access Controls & Security Measures

  • Role-Based Access Control (RBAC): Personal data is accessible only to authorized personnel on a need-to-know basis.
  • Multi-Factor Authentication (MFA): Strong authentication mechanisms are enforced to prevent unauthorized access.
  • Encryption Standards: All personal data is encrypted in transit and at rest using AES-256 and TLS 1.2+ encryption protocols.
  • Data Anonymization & Pseudonymization: Where possible, we apply data anonymization or pseudonymization techniques to enhance data security.
  • Security Audits & Monitoring: We conduct regular security audits, vulnerability assessments, and penetration testing to ensure compliance with Article 32 of GDPR.


Customers are responsible for configuring appropriate access controls within their own accounts and ensuring that their employees and third-party providers follow GDPR security best practices.


Breach Notification & Incident Response

Under Articles 33 and 34 of GDPR, Eyre AI Limited maintains a structured Data Breach Response Plan to detect, report, and mitigate security incidents involving personal data. In the event of a personal data breach, Eyre AI Limited will:

  • Assess & Contain the Incident: Identify the breach, prevent further exposure, and initiate forensic investigations.
  • Notify Data Controllers & Supervisory Authorities: If the breach poses a risk to data subjects, we will notify the appropriate Data Protection Authority (DPA) within 72 hours, as required by GDPR.
  • Notify Affected Individuals: If the breach is likely to result in a high risk to individuals’ rights and freedoms, affected users will be informed without undue delay.
  • Implement Corrective Measures: Post-incident security reviews, technical remediation, and updates to security policies will be conducted to prevent future breaches.


Customers acknowledge their responsibility to promptly report any suspected data breaches involving personal data processed through Eyre AI Limited’s services.


User Rights & Data Subject Requests (DSRs)

Under Chapter 3 of GDPR, users have the right to:
✔ Access their personal data (Article 15) – Users can request a copy of their stored data.
✔ Rectify inaccurate data (Article 16) – Users can request corrections to incorrect or outdated data.
✔ Erasure of data (Article 17) – Users can request deletion of personal data unless legal obligations prevent it.
✔ Restrict processing (Article 18) – Users can request temporary restriction of processing under certain conditions.
✔ Data portability (Article 20) – Users can request to transfer their data to another provider.
✔ Object to processing (Article 21) – Users can opt out of direct marketing and automated decision-making.


Requests should be submitted through our Data Protection Officer (DPO) at dpo@eyre.ai. We will respond to all valid requests within one month, in compliance with GDPR timelines.


Data Transfers & Cross-Border Compliance


European Data Residency:
Personal data of EU residents is processed within the European Economic Area (EEA) unless explicitly authorized by the user. All data processed and stored by Eyre AI Limited is stored on servers located in the United Kingdom, Switzerland, and the European Union.


Standard Contractual Clauses (SCCs):
If data must be transferred outside the EEA, we ensure compliance through legally binding SCCs or other GDPR-approved transfer mechanisms.


Cloud Data Protection:
If third-party cloud services are used for data storage, they must meet GDPR-compliant security standards and data residency requirements.

Customers are responsible for ensuring that their own data processing practices comply with GDPR, including the use of third-party integrations and external data transfers.


Legal Liability & Indemnification

Customers agree to indemnify, defend, and hold harmless Eyre AI Limited, its officers, employees, and partners from any claims, fines, or penalties arising from:

  • Customer’s non-compliance with GDPR while using Eyre AI Limited services.
  • Improper data processing practices or failure to obtain lawful consent from data subjects.
  • Customer negligence, mismanagement, or unauthorized disclosure of personal data.


Limited Liability

While we implement industry-leading security measures, customers acknowledge that no system is entirely immune to cyber threats. Eyre AI Limited shall not be held liable for indirect, incidental, or consequential damages resulting from data breaches, loss of data, or non-compliance by third-party providers.

Eyre AI Limited’s total liability for any GDPR-related claims shall not exceed the total fees paid by the customer in the 12 months preceding the claim.


Regulatory Fines & Compliance Responsibilities

Customers acknowledge that GDPR violations may result in significant fines, up to €20 million or 4% of annual global turnover, imposed by the European Data Protection Authorities. If a fine is issued due to the customer’s non-compliance, Eyre AI Limited will not be responsible for covering such penalties. If a regulatory fine is directly caused by an Eyre AI Limited security failure, we will take full responsibility as outlined in our Data Processing Agreement (DPA).


Ongoing Compliance and Security Audits

Eyre AI Limited regularly reviews, updates, and audits its GDPR compliance framework, including:

  • Annual GDPR audits and security risk assessments.
  • Employee training on data protection best practices.
  • Third-party vendor risk assessments to ensure compliance across the data supply chain.


By using our services, customers acknowledge their responsibilities under GDPR and agree to adhere to all applicable data protection laws.


GDPR compliance isn’t just about legal obligations—it’s about building trust with users and ensuring responsible data stewardship. Eyre AI Limited is committed to transparency, security, and user rights, helping businesses process personal data in a lawful, ethical, and compliant manner.


Compliance with the Health Insurance Portability and Accountability Act (HIPAA)

Eyre AI Limited is committed to ensuring the privacy, security, and integrity of Protected Health Information (PHI) in accordance with the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations, including the Privacy Rule, Security Rule, and Breach Notification Rule.

Our services are designed to support HIPAA-compliant data handling, access controls, retention policies, and incident response to safeguard sensitive health information against unauthorized access, disclosure, or misuse.


Data Security & Access Controls

Eyre AI Limited implements strict access controls and security measures to ensure that PHI is only accessed, processed, and stored by authorized personnel and entities in accordance with HIPAA guidelines. Security controls include:

  • Role-Based Access Controls (RBAC): User access is limited based on job function and necessity following the principle of least privilege.
  • Multi-Factor Authentication (MFA): All users accessing PHI must authenticate using multiple layers of verification to prevent unauthorized access.
  • End-to-End Encryption: All PHI is encrypted in transit and at rest using HIPAA-compliant encryption protocols (AES-256, TLS 1.2+).
  • Audit Logs & Monitoring: System activity logs track all access, modifications, and transfers of PHI, ensuring compliance with HIPAA auditing requirements.


Customers acknowledge that they are responsible for maintaining internal policies and procedures to ensure that their employees and users comply with HIPAA regulations when accessing or processing PHI using Eyre AI Limited’s services.


Data Retention and Storage Policies

Eyre AI Limited maintains PHI only as long as necessary to fulfil its contractual and legal obligations. Our data retention policies include:

  • Minimum Retention Period: PHI is stored for the minimum required time to comply with federal and state healthcare regulations or as agreed upon in a Business Associate Agreement (BAA).
  • Secure Data Disposal: When PHI is no longer required, it is permanently deleted or securely destroyed in compliance with NIST 800-88 Guidelines for Media Sanitization.
  • Customer Data Control: Customers may request data deletion, anonymization, or export of their PHI in accordance with HIPAA’s Right of Access requirements.


Customers are responsible for setting their own data retention periods within the platform and ensuring compliance with state-specific healthcare regulations that may require longer retention periods.


Breach Notification and Incident Response

Eyre AI Limited follows HIPAA’s Breach Notification Rule (45 CFR §§ 164.400-164.414), which requires covered entities and business associates to notify affected individuals, the Department of Health and Human Services (HHS), and, in certain cases, the media in the event of a data breach involving PHI. In the event of a security breach affecting PHI, Eyre AI Limited will:

  • Investigate & Contain the Incident: We will immediately identify, assess, and mitigate any unauthorized access or security event.
  • Notify Affected Parties: If a breach involving PHI occurs, affected customers will be notified within the HIPAA-mandated 60-day timeframe (or earlier, if required by law).
  • Submit Regulatory Reports: If the breach affects 500 or more individuals, we will file the required reports with HHS and applicable state regulators as per HIPAA regulations.
  • Remediation & Preventative Measures: Following an incident, we will implement corrective measures, security enhancements, and staff training to prevent recurrence.


Customers acknowledge that they are responsible for reporting any suspected security incidents related to PHI within their organization and following their internal breach notification policies in accordance with HIPAA requirements.


Indemnification & Legal Liability

Customers agree to indemnify, defend, and hold harmless Eyre AI Limited, its officers, directors, employees, and agents from and against any claims, losses, liabilities, fines, penalties, costs, and expenses (including legal fees) arising from:

  • Customer’s failure to comply with HIPAA regulations while using Eyre AI Limited services.
  • Unauthorized disclosure, misuse, or mismanagement of PHI by the customer or their employees, agents, or third-party service providers.
  • Security incidents caused by customer-configured settings, third-party integrations, or unauthorized access resulting from customer negligence.


This indemnification includes costs associated with regulatory penalties, breach investigations, and legal proceedings related to PHI security incidents attributable to the customer.


Limited Liability

While Eyre AI Limited employs industry-standard security measures to protect PHI, customers acknowledge that:

  • No system is entirely immune to cybersecurity threats, and Eyre AI Limited cannot guarantee absolute security.
  • Eyre AI Limited shall not be held liable for indirect, incidental, or consequential damages arising from data breaches, system downtimes, or unauthorized PHI disclosures beyond its control.
  • Eyre AI Limited’s total liability for any claims related to HIPAA compliance shall not exceed the total fees paid by the customer in the 12 months preceding the incident.


Regulatory Fines & Penalties

Customers acknowledge that HIPAA violations may result in significant financial penalties imposed by the U.S. Department of Health and Human Services (HHS). If a HIPAA-related fine is levied due to customer negligence or failure to comply with security best practices, Eyre AI Limited shall not be responsible for covering such penalties.

If a regulatory fine is directly attributable to a security lapse on Eyre AI Limited’s part, we will assume responsibility in accordance with the terms of the executed BAA.


Ongoing Compliance and Audits

Eyre AI Limited continuously monitors HIPAA regulatory updates and conducts regular internal audits, risk assessments, and security reviews to maintain compliance. We:

  • Conduct annual HIPAA security audits and risk assessments.
  • Provide ongoing compliance training for employees handling PHI.
  • Ensure third-party vendors meet HIPAA security standards when applicable.


By using our services, customers acknowledge their responsibility to implement HIPAA-compliant policies and controls within their organization and agree to adhere to all applicable data protection laws.


Business Associate Agreement (BAA)

If Eyre AI Limited processes PHI on behalf of a Covered Entity under HIPAA, a Business Associate Agreement (BAA) is required to define responsibilities related to PHI security, compliance, and liability.

Customers processing PHI must execute a BAA with Eyre AI Limited before using our services to store, process, or transmit health data.


Customer Responsibilities

While Eyre AI Limited provides HIPAA-compliant infrastructure and security measures, customers are responsible for:

  • Ensuring that only authorized personnel access PHI through our platform.
  • Configuring and enforcing internal compliance policies aligned with HIPAA.
  • Implementing additional safeguards required for their specific healthcare workflows.


Failure to adhere to HIPAA regulations, internal data handling procedures, or agreed-upon BAAs may result in service suspension or termination to maintain regulatory compliance.


Ongoing Compliance & Security Updates

Eyre AI Limited continuously monitors HIPAA regulatory updates and applies best practices for healthcare data protection. We conduct regular security assessments, audits, and compliance reviews to ensure our platform remains aligned with evolving privacy laws and standards.

By using our services, customers acknowledge their obligations under HIPAA and agree to comply with all applicable laws governing PHI protection and security.


Compliance with the Federal Information Security Management Act (FISMA)

Eyre AI Limited is committed to ensuring the security and protection of federal data in accordance with the Federal Information Security Management Act (FISMA) and its governing frameworks, including the National Institute of Standards and Technology (NIST) Special Publication 800-53 and related guidelines.

Our services are designed to comply with the security and risk management controls required for federal agencies and contractors, ensuring the confidentiality, integrity, and availability of sensitive government data.


Security Controls & Risk Management

We implement comprehensive security measures based on federal cybersecurity standards, including but not limited to:

  • Access Controls: Role-based access, multi-factor authentication (MFA), and least-privilege principles.
  • Encryption: Data encryption in transit and at rest using FIPS 140-2 validated cryptographic modules.
  • Continuous Monitoring: Real-time security event tracking, automated vulnerability scanning, and periodic risk assessments.
  • Incident Detection & Prevention: AI-driven anomaly detection, intrusion prevention systems (IPS), and endpoint security controls.
  • Personnel & Training: Security awareness training for employees handling government-sensitive data.


Incident Response & Breach Notification

Eyre AI Limited maintains a structured Incident Response Plan (IRP) to ensure rapid identification, containment, and mitigation of security threats, in compliance with FISMA and NIST 800-61 (Incident Handling Guide). In the event of a security incident or data breach, we will:

  • Assess and contain the breach to prevent further exposure of federal data.
  • Notify affected federal agencies in accordance with regulatory timelines and reporting obligations.
  • Conduct forensic investigations to determine the scope and cause of the incident.
  • Remediate vulnerabilities and strengthen security controls based on post-incident findings.


All security incidents are documented, reviewed, and reported as required under FISMA, NIST, and relevant federal cybersecurity directives.


Reporting Obligations & Authority to Operate (ATO)

For federal agencies utilizing our services, we support compliance with FISMA-mandated security assessments, audits, and certification processes, including:

  • System Security Plans (SSP): Providing documentation of security controls and risk management strategies.
  • Security Authorization & ATO Support: Assisting agencies in meeting Authority to Operate (ATO) requirements through security assessments, penetration testing, and compliance audits.
  • FedRAMP Compliance (If Applicable): Ensuring cloud-based services align with Federal Risk and Authorization Management Program (FedRAMP) Moderate/High Impact Levels, where required.
  • Annual FISMA Audits & Compliance Reviews: Supporting agencies in fulfilling annual reporting obligations to the Office of Management and Budget (OMB) and Department of Homeland Security (DHS).


Customer Acknowledgment & Compliance Responsibility

By using our services, customers acknowledge that FISMA compliance requirements apply when handling federal data, and they may be required to implement additional controls or reporting obligations to maintain security compliance. Eyre AI Limited is dedicated to continuous security enhancements, ensuring our systems align with the latest federal cybersecurity policies and risk management frameworks.