Data processing addendum (DPA)

For customers in the EU/UK/EEA, or anyone whose downstream customers are in those jurisdictions. This is the summary; the executable PDF version is at /legal/dpa.pdf (linked from the portal once you accept).

Who's who

• You = the controller: you decide what personal data your workloads handle.
• We = the processor: we run the infrastructure; we don't decide why or for whom.
• Your end-customers = data subjects: people whose personal data passes through your workload.

What we process on your behalf

Anything you put into your workloads, databases, or buckets. We have no editorial control over your payloads; we run them.

What we don't do

• We don't read your payloads. Inference prompts, response bodies, object-store bytes, JouleDB rows — we serve them; we don't look at them.
• We don't use your data to train any model.
• We don't share data with subprocessors beyond what they need to do their function (Stripe needs payment tokens; Cloudflare needs request metadata; etc.).

International transfers

We support data residency by region pinning. If you region-pin to eu-fi, data lives in Helsinki and never leaves unless you move it. If you don't pin, data sits in whatever region the carbon-aware scheduler picked for you (visible in the portal).

Cross-border transfers (e.g. EU → US backups) only happen when you opt in to a multi-region replication policy. If they happen, they're covered by the EU Commission's Standard Contractual Clauses (SCCs), or equivalent transfer mechanism, with the additional safeguards the Schrems II ruling requires.

Subprocessors

The current subprocessor list is on the Privacy policy page. You'll get 30 days' notice before we add a new subprocessor, and you can object — if your objection is reasonable we'll work with you to find a path; if we can't, you can terminate without penalty.

Security

The full security posture is on security & compliance. The DPA-relevant highlights:

• TLS 1.3 in transit; AES-256-GCM at rest
• ed25519 signed receipts for non-repudiation
• Scoped tokens, one-click rotation, no token expiry-by-default (set one if you want)
• Breach notification within 72 hours of confirmation
• SOC 2 Type 2 audit in flight; bridge letter on request

Audit rights

You may audit our security and compliance posture annually, OR you may accept the SOC 2 Type 2 attestation (when issued, Q4 2026) in lieu of an audit. For materially regulated workloads (HIPAA-BAA, etc.) we will negotiate stronger audit rights.

Sub-processing for AI / Inference

When your workload calls our Inference service with prompts containing personal data, we treat that prompt as personal data and process it under this DPA. Specifically:

• The prompt is not logged in any audit trail.
• The prompt may transit through any node in the mesh of your region-pin; if you pin eu-fi, it stays in Helsinki.
• Models we host (open-weight) run in-region. Models we license from third parties (Anthropic) follow the licensor's data terms; we'll only call them with your data if you've opted in to that model.

Data subject requests

If your data subject contacts us directly, we'll forward them to you (the controller) within 7 days. If you ask us to assist with a data subject request, we'll assist within the timelines required by your jurisdiction.

End of relationship

On termination, we delete or return your data per your instruction within 30 days (active stores) and 90 days (backups). Receipts are retained for 7 years for billing audit purposes.

Sign it

The executable PDF version is at /legal/dpa.pdf (link surfaces in the portal once you accept the terms). Email [email protected] for a countersigned copy.