Aegis Terms of Service — Gitogi Srl

This document is drafted in Italian, which constitutes the official and legally binding version. Any translations into other languages are provided for informational purposes only. In the event of a discrepancy, the Italian version shall prevail.

Last updated: 12 April 2026

Effective date: 12 April 2026

1. Preamble

These General Terms of Service (hereinafter "Aegis Terms") govern access to and use of the Aegis platform, available at aegis.gitogi.com, provided by Gitogi Srl (hereinafter "Gitogi"), with registered office at Piazza IV Novembre 4, 20124 Milan, Italy, VAT No. IT14288420962.

Aegis is a Privacy & Compliance Shield Layer designed for agentic SaaS applications: it sits between users and large language model (LLM) providers, protecting personal data through detection, pseudonymisation, policy enforcement, and audit logging.

These Aegis Terms supplement and do not replace the General Terms of Service of gitogi.com, which apply to the extent not expressly derogated by this document. In the event of a conflict between the Aegis Terms and the General Terms, the Aegis Terms shall prevail to the extent relating to use of the Aegis platform.

2. Definitions

"Client": the legal entity that subscribes to Aegis and acts as the Data Controller of the personal data processed through the platform.
"Authorised User": any natural person authorised by the Client to access the Aegis platform under the subscribed licence.
"Platform": the Aegis software system, including all its components (PII Detection Engine, Token Vault, LLM Gateway, Policy Engine, Academy, DPO Workbench, audit modules), accessible via web and API.
"Service": the set of functionalities offered by the Platform, including PII detection, pseudonymisation, LLM routing, policy enforcement, AI Literacy training, regulatory intelligence, and audit logging.
"Protected Data": personal data and confidential information that the Client or Authorised Users input into the Platform and that are processed by Aegis.
"Lane" (Protection Lane): one of the three protection configurations offered by the Platform (Lane A, B, or C), each with specific levels of protection, data residency, and compliance requirements.
"Token Vault": the Platform's cryptographic pseudonymisation system, which replaces identifiable personal data with tokens that are reversible only by the system, enabling interaction with LLM models without exposing real data.
"Processing Pipeline": the complete data processing flow within the Platform, from ingestion to return, including detection, pseudonymisation, routing, de-pseudonymisation, and audit logging.

3. Service description

The Aegis Platform provides the following core functionalities:

3-layer PII detection — automatic identification of personal data in input text using three complementary engines (regex, NER, contextual) with an aggregated confidence score.
Token Vault (pseudonymisation) — replacement of identified personal data with pseudonymous tokens using envelope encryption (DEK/KEK), with de-pseudonymisation performed exclusively by the system upon return to the Client.
LLM Gateway with EU/extra-EU routing — intelligent proxy to LLM providers, with routing based on the selected Lane and required protection level. EU-resident models are used as a priority.
Policy Engine (OPA) — Open Policy Agent-based engine for granular enforcement of access rules, content filtering, and compliance constraints defined by the Client.
Academy (AI Literacy) — integrated training module for compliance with AI literacy requirements under Regulation (EU) 2024/1689 (AI Act), with progress tracking and competency certification.
Immutable audit logging — complete and tamper-proof recording of every operation performed by the Platform, with timestamps, user identification, and event classification, accessible via the DPO Workbench.

4. Data processing roles

For the purposes of Regulation (EU) 2016/679 (GDPR), the Client acts as Data Controller of the Protected Data input into the Platform. Gitogi acts as Data Processor under Article 28 GDPR, processing Protected Data exclusively on behalf of and on the documented instructions of the Client.

The terms and conditions of data processing are governed by the Data Processing Agreement (DPA), available at the page Data Processing Agreement.

Gitogi does not process Protected Data for its own purposes, does not use it for training artificial intelligence models, and does not share it with third parties except to the extent strictly necessary for Service delivery and in accordance with the Client's instructions.

5. Protection Lanes

The Platform offers three Protection Lanes, each designed to meet specific compliance requirements and risk appetite of the Client:

5.1 Lane A — EU-only

Lane A ensures that all data, whether in original or pseudonymised form, remains exclusively within the European Economic Area.

Data residency: EU only (Aruba Cloud infrastructure, Italian data centres).
LLM models: EU-resident models only. No extra-EU transfer.
Data sent to models: original or pseudonymised data, depending on Client configuration.

5.2 Lane B — De-identified

Lane B allows the use of extra-EU models, but exclusively with de-identified data.

Data sent to models: de-identified data only (irreversible removal of PII). The Token Vault is not used.
LLM models: may include extra-EU models, subject to SCC (Standard Contractual Clauses), TIA (Transfer Impact Assessment), and explicit risk acceptance by the Client.
Requirement: the Client must provide documented acceptance of the residual risk before activation.

5.3 Lane C — Pseudonymised (maximum protection)

Lane C represents the most restrictive protection level, combining mandatory pseudonymisation with training requirements.

Data sent to models: exclusively pseudonymised data via Token Vault. No personal data in clear text is transmitted to LLM models.
Academy requirement: all Authorised Users must achieve a minimum score of 80% in the Academy AI Literacy module before being able to use Lane C.
LLM models: EU-resident models only. Fail-close architecture: if EU models become unavailable, the service stops rather than falling back to extra-EU models.

6. Client obligations

The Client undertakes to:

Act as a lawful Data Controller — the Client warrants that it has a valid legal basis for the processing of Protected Data input into the Platform, and that it has fulfilled all information obligations towards data subjects.
Inform data subjects — the Client is responsible for informing its own users, clients, and employees whose data is processed through Aegis, in compliance with Articles 13 and 14 GDPR.
Maintain the necessary contractual agreements — the Client must execute the DPA with Gitogi and keep up to date any agreements with its own sub-processors.
Ensure AI Literacy compliance — the Client ensures that all Authorised Users complete the training required by the Platform (in particular for Lane C) and meet the AI literacy requirements under Article 4 of Regulation (EU) 2024/1689.
Not input prohibited data — the Client undertakes not to use the Platform to process special categories of data (Article 9 GDPR) without express written authorisation, nor for purposes prohibited under Article 5 of Regulation (EU) 2024/1689 (AI Act).

7. Gitogi obligations

Gitogi undertakes to:

Process data only on the Client's documented instructions — Gitogi does not process Protected Data for purposes other than those specified in the DPA and these Aegis Terms.
Maintain appropriate security measures — Gitogi implements and maintains appropriate technical and organisational measures, as described on the page Security Measures
Notify breaches within 48 hours — in the event of a personal data breach, Gitogi shall notify the Client without undue delay and in any event within 48 hours of discovery, providing all information required under Article 33 GDPR.
Maintain complete audit logs — the Platform records every operation immutably and makes the logs available to the Client via the DPO Workbench for the entire duration of the contract and for 12 months following termination.
Provide DSAR assistance — Gitogi assists the Client in responding to data subject access requests (access, rectification, erasure, portability, objection) within the timeframes required by law.

8. Service levels (SLA)

Gitogi commits to the following service levels for the Aegis Platform:

Metric	Target
Platform availability (uptime)	99.5% on a monthly basis, excluding planned maintenance
Support response time — Critical severity	Within 4 business hours
Support response time — Normal severity	Within 1 business day

Planned maintenance is communicated at least 72 hours in advance via email to the Client's technical contact. Ordinary maintenance windows are scheduled on Saturdays between 02:00 and 06:00 CET.

9. Security

The Aegis Platform implements the following security measures:

Encryption at rest — all persistent data is encrypted with AES-256.
Encryption in transit — all communications use TLS 1.3.
Token Vault with envelope encryption — the pseudonymisation system uses data encryption keys (DEK) protected by master keys (KEK), with periodic rotation.
Row-Level Security (RLS) — strict per-tenant data isolation on all database tables.
Immutable audit logs — operation records are tamper-proof and protected against manipulation.
Fail-close architecture — if a critical component fails or becomes unavailable, the system halts processing rather than proceeding in a degraded security state. ClamAV malware scanning on all uploaded files.

For a complete description of technical and organisational measures, please refer to the page Security Measures.

10. Intellectual property

The Aegis Platform, including its software, architecture, algorithms, interfaces, documentation, and trademarks, is the exclusive property of Gitogi Srl. Subscription grants the Client a limited, non-exclusive, non-transferable, and non-sub-licensable right of use for the duration of the contract.

Protected Data input by the Client into the Platform remains the exclusive property of the Client. Gitogi acquires no rights over Protected Data, nor does it use it for training its own or third-party artificial intelligence models.

Pseudonymous tokens generated by the Token Vault constitute derived data functional to the Service and are not considered Client original data. Upon contract termination, tokens are deleted together with the Protected Data.

11. Limitation of liability

Gitogi's total liability arising from or in connection with this contract is limited to an amount equal to the fees actually paid by the Client in the 12 months preceding the event giving rise to the claim.

Gitogi shall not be liable for indirect, incidental, consequential, or punitive damages, or for loss of profits, data, or business opportunities, except as required by mandatory provisions of law.

The limitations in this article do not apply in the event of wilful misconduct or gross negligence by Gitogi, nor in the event of a breach of personal data protection obligations arising from wilful or grossly negligent conduct.

In the event of force majeure (including, but not limited to, natural disasters, third-party service outages, acts of public authority, and exceptional cyberattacks), Gitogi shall not be liable for failure or delay in performing its obligations for the duration of the force majeure event.

12. Term and termination

The contract has the term specified in the subscription order. Unless terminated in writing with at least 30 days' notice before expiry, the contract renews automatically for periods of equal duration.

Either party may terminate the contract with immediate effect in the event of a material breach by the other party not remedied within 30 days of written notice, or in the event of insolvency proceedings.

Upon termination of the contract, for any reason, Gitogi shall return to the Client all Protected Data in a structured, machine-readable format within 30 days of request. After that period, and in any event within 60 days of termination, all Protected Data and associated tokens are irreversibly deleted from Gitogi's systems, except where retention is required by law.

13. Sub-processors

The current list of sub-processors used for the delivery of the Aegis Service is available on the page Sub-processors.

The Client grants general authorisation for the appointment of sub-processors under Article 28(2) GDPR. Gitogi undertakes to notify the Client of any changes to the sub-processor list with at least 30 days' notice. The Client may object in writing within the period specified in the notification; if the objection is not resolved, the Client may terminate the contract without penalty.

14. Governing law and jurisdiction

These Aegis Terms and any dispute arising from or in connection with this contract are governed by Italian law.

The courts of Milan, Italy, shall have exclusive jurisdiction over any dispute relating to the interpretation, performance, or termination of these Aegis Terms.

15. Contact

For communications regarding these Aegis Terms:

Privacy and data protection: privacy@gitogi.com
Legal and contractual matters: legal@gitogi.com
PEC: pec@pec.gitogi.com

1. Preamble

2. Definitions

"Client": the legal entity that subscribes to Aegis and acts as the Data Controller of the personal data processed through the platform.
"Authorised User": any natural person authorised by the Client to access the Aegis platform under the subscribed licence.
"Platform": the Aegis software system, including all its components (PII Detection Engine, Token Vault, LLM Gateway, Policy Engine, Academy, DPO Workbench, audit modules), accessible via web and API.
"Service": the set of functionalities offered by the Platform, including PII detection, pseudonymisation, LLM routing, policy enforcement, AI Literacy training, regulatory intelligence, and audit logging.
"Protected Data": personal data and confidential information that the Client or Authorised Users input into the Platform and that are processed by Aegis.
"Lane" (Protection Lane): one of the three protection configurations offered by the Platform (Lane A, B, or C), each with specific levels of protection, data residency, and compliance requirements.
"Token Vault": the Platform's cryptographic pseudonymisation system, which replaces identifiable personal data with tokens that are reversible only by the system, enabling interaction with LLM models without exposing real data.
"Processing Pipeline": the complete data processing flow within the Platform, from ingestion to return, including detection, pseudonymisation, routing, de-pseudonymisation, and audit logging.

3. Service description

The Aegis Platform provides the following core functionalities:

3-layer PII detection — automatic identification of personal data in input text using three complementary engines (regex, NER, contextual) with an aggregated confidence score.
Token Vault (pseudonymisation) — replacement of identified personal data with pseudonymous tokens using envelope encryption (DEK/KEK), with de-pseudonymisation performed exclusively by the system upon return to the Client.
LLM Gateway with EU/extra-EU routing — intelligent proxy to LLM providers, with routing based on the selected Lane and required protection level. EU-resident models are used as a priority.
Policy Engine (OPA) — Open Policy Agent-based engine for granular enforcement of access rules, content filtering, and compliance constraints defined by the Client.
Academy (AI Literacy) — integrated training module for compliance with AI literacy requirements under Regulation (EU) 2024/1689 (AI Act), with progress tracking and competency certification.
Immutable audit logging — complete and tamper-proof recording of every operation performed by the Platform, with timestamps, user identification, and event classification, accessible via the DPO Workbench.

4. Data processing roles

The terms and conditions of data processing are governed by the Data Processing Agreement (DPA), available at the page Data Processing Agreement.

5. Protection Lanes

The Platform offers three Protection Lanes, each designed to meet specific compliance requirements and risk appetite of the Client:

5.1 Lane A — EU-only

Lane A ensures that all data, whether in original or pseudonymised form, remains exclusively within the European Economic Area.

Data residency: EU only (Aruba Cloud infrastructure, Italian data centres).
LLM models: EU-resident models only. No extra-EU transfer.
Data sent to models: original or pseudonymised data, depending on Client configuration.

5.2 Lane B — De-identified

Lane B allows the use of extra-EU models, but exclusively with de-identified data.

Data sent to models: de-identified data only (irreversible removal of PII). The Token Vault is not used.
LLM models: may include extra-EU models, subject to SCC (Standard Contractual Clauses), TIA (Transfer Impact Assessment), and explicit risk acceptance by the Client.
Requirement: the Client must provide documented acceptance of the residual risk before activation.

5.3 Lane C — Pseudonymised (maximum protection)

Lane C represents the most restrictive protection level, combining mandatory pseudonymisation with training requirements.

Data sent to models: exclusively pseudonymised data via Token Vault. No personal data in clear text is transmitted to LLM models.
Academy requirement: all Authorised Users must achieve a minimum score of 80% in the Academy AI Literacy module before being able to use Lane C.
LLM models: EU-resident models only. Fail-close architecture: if EU models become unavailable, the service stops rather than falling back to extra-EU models.

6. Client obligations

The Client undertakes to:

Act as a lawful Data Controller — the Client warrants that it has a valid legal basis for the processing of Protected Data input into the Platform, and that it has fulfilled all information obligations towards data subjects.
Inform data subjects — the Client is responsible for informing its own users, clients, and employees whose data is processed through Aegis, in compliance with Articles 13 and 14 GDPR.
Maintain the necessary contractual agreements — the Client must execute the DPA with Gitogi and keep up to date any agreements with its own sub-processors.
Ensure AI Literacy compliance — the Client ensures that all Authorised Users complete the training required by the Platform (in particular for Lane C) and meet the AI literacy requirements under Article 4 of Regulation (EU) 2024/1689.
Not input prohibited data — the Client undertakes not to use the Platform to process special categories of data (Article 9 GDPR) without express written authorisation, nor for purposes prohibited under Article 5 of Regulation (EU) 2024/1689 (AI Act).

7. Gitogi obligations

Gitogi undertakes to:

Process data only on the Client's documented instructions — Gitogi does not process Protected Data for purposes other than those specified in the DPA and these Aegis Terms.
Maintain appropriate security measures — Gitogi implements and maintains appropriate technical and organisational measures, as described on the page Security Measures
Notify breaches within 48 hours — in the event of a personal data breach, Gitogi shall notify the Client without undue delay and in any event within 48 hours of discovery, providing all information required under Article 33 GDPR.
Maintain complete audit logs — the Platform records every operation immutably and makes the logs available to the Client via the DPO Workbench for the entire duration of the contract and for 12 months following termination.
Provide DSAR assistance — Gitogi assists the Client in responding to data subject access requests (access, rectification, erasure, portability, objection) within the timeframes required by law.

8. Service levels (SLA)

Gitogi commits to the following service levels for the Aegis Platform:

Metric	Target
Platform availability (uptime)	99.5% on a monthly basis, excluding planned maintenance
Support response time — Critical severity	Within 4 business hours
Support response time — Normal severity	Within 1 business day

Planned maintenance is communicated at least 72 hours in advance via email to the Client's technical contact. Ordinary maintenance windows are scheduled on Saturdays between 02:00 and 06:00 CET.

9. Security

The Aegis Platform implements the following security measures:

Encryption at rest — all persistent data is encrypted with AES-256.
Encryption in transit — all communications use TLS 1.3.
Token Vault with envelope encryption — the pseudonymisation system uses data encryption keys (DEK) protected by master keys (KEK), with periodic rotation.
Row-Level Security (RLS) — strict per-tenant data isolation on all database tables.
Immutable audit logs — operation records are tamper-proof and protected against manipulation.
Fail-close architecture — if a critical component fails or becomes unavailable, the system halts processing rather than proceeding in a degraded security state. ClamAV malware scanning on all uploaded files.

For a complete description of technical and organisational measures, please refer to the page Security Measures.

10. Intellectual property

11. Limitation of liability

Gitogi shall not be liable for indirect, incidental, consequential, or punitive damages, or for loss of profits, data, or business opportunities, except as required by mandatory provisions of law.

12. Term and termination

13. Sub-processors

The current list of sub-processors used for the delivery of the Aegis Service is available on the page Sub-processors.

14. Governing law and jurisdiction

These Aegis Terms and any dispute arising from or in connection with this contract are governed by Italian law.

The courts of Milan, Italy, shall have exclusive jurisdiction over any dispute relating to the interpretation, performance, or termination of these Aegis Terms.

15. Contact

For communications regarding these Aegis Terms:

Privacy and data protection: privacy@gitogi.com
Legal and contractual matters: legal@gitogi.com
PEC: pec@pec.gitogi.com

Terms of Service — Aegis

1. Preamble

2. Definitions

3. Service description

4. Data processing roles

5. Protection Lanes

5.1 Lane A — EU-only

5.2 Lane B — De-identified

5.3 Lane C — Pseudonymised (maximum protection)

6. Client obligations

7. Gitogi obligations

8. Service levels (SLA)

9. Security

10. Intellectual property

11. Limitation of liability

12. Term and termination

13. Sub-processors

14. Governing law and jurisdiction

15. Contact

Terms of Service — Aegis

1. Preamble

2. Definitions

3. Service description

4. Data processing roles

5. Protection Lanes

5.1 Lane A — EU-only

5.2 Lane B — De-identified

5.3 Lane C — Pseudonymised (maximum protection)

6. Client obligations

7. Gitogi obligations

8. Service levels (SLA)

9. Security

10. Intellectual property

11. Limitation of liability

12. Term and termination

13. Sub-processors

14. Governing law and jurisdiction

15. Contact