Effective date: 12 May 2026 · Last updated: 12 May 2026 · Version: 1.0
This document is the public disclosure of the third-party AI providers used in RYSTAT's artificial intelligence features (AI Site Builder, AI Assistant, AI content generation). The disclosure complies with KVKK Article 9, GDPR Articles 28 and 49, and complements the Sub-processor Framework.
1. AI Provider Table
The following table summarises the four third-party providers with which RYSTAT works to deliver AI features, along with their jurisdictions, transfer mechanisms and statuses:
| Provider | Jurisdiction | Adequacy Decision | SCC Status | No-Train Guarantee | DPA Status |
|---|---|---|---|---|---|
| Hangzhou DeepSeek AI Co., Ltd. | PRC (China) | NO — no EU adequacy decision | Limited (local supplementary safeguards) | Requested (provider response pending) | Pending |
| Anthropic, PBC | United States | EU-US DPF (conditional) | Yes (EU SCC + DPF) | Yes (contractually under DPA) | Active |
| OpenAI, LLC | United States | EU-US DPF (conditional) | Yes (EU SCC + DPF) | Yes (zero-retention available) | Active |
| Mistral AI SAS | France (intra-EU) | N/A (intra-EU) | Yes (not required — intra-EU) | Yes | Active |
Abbreviations: SCC = Standard Contractual Clauses; DPA = Data Processing Agreement; DPF = Data Privacy Framework; PRC = People's Republic of China.
2. Data Flow
The path of prompt and parameter data submitted by the user to AI features is as follows:
- User (panel or AI Builder UI) — While the AI features toggle is active (explicit consent given), the user submits a free-text prompt and configuration parameters.
- RYSTAT (Hong Kong, Unifics Limited) — The prompt data is received by the RYSTAT Hong Kong legal entity, an audit trail is recorded, and the data is transmitted over TLS 1.2+ to the selected AI provider.
- AI provider (DeepSeek / Anthropic / OpenAI / Mistral) — Processes the prompt and generates a response. Where the provider policy is "no-train", the prompt is not used in training data; where "zero-retention" is available, the data is deleted immediately.
- Response (provider to RYSTAT) — The generated output returns to RYSTAT via an encrypted TLS channel; the audit trail is recorded.
- RYSTAT to user — The response is delivered to the user's panel for review, acceptance or editing.
2.1 Categories of Data Transferred
- User's free-text prompt (content instruction, query, description)
- Configuration parameters: language, tone, target audience, sector, brand name (if any)
- Generation context: page description, content template category, output format preference
2.2 Categories of Data NOT Transferred
- Panel account information (email, name, billing address, payment details)
- Server credentials (cPanel/WHM logins, SSH keys)
- Customer hosted content in full (only snippets manually added by the user to the prompt are transmitted)
- Transactional data (invoices, payment history, support tickets)
3. Schrems II Risk Notice — DeepSeek (PRC)
RYSTAT's primary AI provider, Hangzhou DeepSeek AI Co., Ltd., is established in the jurisdiction of the People's Republic of China. Data transfers to this provider require a special risk assessment in light of the CJEU decision in C-311/18 (Schrems II — 16 July 2020).
3.1 PRC State Access — Legal Framework
- National Intelligence Law (2017) Article 7: "All organisations and citizens shall support, assist and cooperate with national intelligence work." This provision imposes a duty to comply with formal state requests on all Chinese organisations, including DeepSeek.
- Data Security Law (2021): The state may request data from organisations on grounds of "national security".
- Personal Information Protection Law (PIPL, 2021): Regulates data subject rights in general, but the intelligence and security exceptions are broad.
- Independent judicial review: No effective EU-equivalent judicial remedy is available to data subjects against state access requests.
3.2 "Essential Equivalence" Test
Under CJEU C-311/18, the recipient third country's data protection level must be "essentially equivalent" to that in the EU. The PRC framework does not meet this test; consequently, transfers to DeepSeek may only be made under the GDPR Article 49 derogation (explicit consent), after the user has been specifically informed.
3.3 Risk Mitigation Measures
- Data minimisation: Only the prompt + parameters required for AI generation are transferred; users are responsible for not including PII (Terms 13.4.4).
- Encryption: Transfers are conducted over TLS 1.2+.
- Explicit consent: No transfer takes place unless the user has manually enabled the AI toggle on /panel/profile (Privacy tab).
- Withdrawal: Disabling the toggle immediately stops future transfers.
- Alternatives: The user has the option of choosing intra-EU (Mistral SAS) or US (Anthropic / OpenAI under DPF) providers.
For a detailed Transfer Impact Assessment (TIA), please contact legal@rystat.com. The TIA is updated annually using the EDPB Recommendation 01/2020 methodology.
4. User Rights
4.1 Withdrawing Explicit Consent
The user may withdraw explicit consent at any time:
- Via the panel: Disable the "AI Features" toggle on /panel/profile (Privacy tab). Withdrawal is effective immediately.
- By email: Send an email to privacy@rystat.com with the subject "Withdrawal of AI consent". RYSTAT will complete the process and provide confirmation within 30 days.
- Effect: Prospective — does not invalidate transfers already performed (KVKK Art. 7; GDPR Art. 7(3)).
4.2 TIA and Document Requests
Transfer Impact Assessments and other relevant documents are provided upon request:
- DeepSeek (PRC) TIA: docs/legal/tia-deepseek-2026.md (available on request)
- AI provider DPA summaries (full text under enterprise customer contracts)
- Contact: legal@rystat.com
4.3 Data Subject Rights
The rights set out in KVKK Article 11 and GDPR Articles 15–22 apply to all AI providers: access, rectification, erasure, restriction, portability, objection. Requests are submitted to privacy@rystat.com and RYSTAT forwards them to the relevant provider.
5. Provider Change Notification
When RYSTAT updates the current AI provider list, the following notification procedure applies:
- Addition of a new provider: Because this represents a new data recipient, a re-consent (renewed explicit consent) is triggered under KVKK Article 9 and GDPR Article 49(1)(a). Users see a panel notification and the existing AI toggle is automatically set to inactive until the user approves the new list.
- Removal of an existing provider: Users are notified for informational purposes only; no further consent is required. RYSTAT redirects activity to an alternative provider.
- Provider policy change: If a provider changes its no-train / SCC / DPA status, affected users are notified and, where necessary, re-consent is triggered.
- Notification channels: Panel notification + registered email + "Last updated" date on this page.
This page provides public information only. The specific enterprise customer DPA, together with the provider list annex, is shared on request.
6. Contact
For AI provider disclosure, explicit consent management, TIA requests and data subject rights:
- General compliance / legal queries: legal@rystat.com
- Privacy / KVKK / GDPR rights: privacy@rystat.com
- Data controller: Unifics Limited (Hong Kong) — RYSTAT brand