DATA PROCESSING AGREEMENT
Version: 1.1 Last updated: June, 2026
This Data Processing Agreement (“DPA”) may form a part of and be incorporated into any agreement (“Agreement”), including in the form of the Terms of Use, between LLM API Inc. or another legal entity within the group of companies (collectively, “Company”) and the applicable customer entity (“Customer”) (each a “Party” and together the “Parties”) that governs Customer’s use of Company’s services as defined below. This DPA is effective as of the effective date of the Agreement (the “Effective Date”).
1. ALLOCATION OF ROLES
1.1. For the purposes of this DPA, Company shall act as a Data Processor and the Customer shall act as a Data Controller. The Parties understand and agree that, as part of the provision of services under the Agreement, the Data Controller may provide the Data Processor with Personal Data of other Data Controllers for which it acts as a Data Processor. On this basis, the Parties acknowledge that their roles can shift according to the following principle: “Data Controller” >> “Data Processor”; “Data Processor” >> “Sub-Processor”, respectively. Regardless of the operations for which such a change of roles is provided, the Processor must process the data in accordance with the terms of this DPA and the instructions given by the Data Controller hereunder.
1.2. The Customer acknowledges that Company may process certain Personal Data as an independent Data Controller for its own legitimate business purposes and legal grounds, including billing, invoicing, account management, fraud detection and prevention, security monitoring and service improvement. Such processing is carried out in accordance with the Privacy Notice and is not governed by this DPA.
2. BACKGROUND
2.1. Company provides an AI model gateway service (the “Service”) that routes API requests from customers to third-party large language model (LLM) providers, returns the resulting outputs, and maintains request metadata for billing and analytics purposes.
2.2. In the course of providing the Service, Company may process Personal Data on behalf of the Customer. The parties therefore enter into this DPA to govern processing in accordance with Applicable Data Protection Law.
2.3. The parties acknowledge that the legal landscape for AI-assisted processing continues to evolve and agree to cooperate in good faith to maintain compliance with applicable law.
3. DEFINITIONS
3.1. The definitions in the Agreement shall be complemented or replaced with the following expressions used in this DPA:
“All Data Mode” shall mean an optional feature of the Service that the Customer may activate through their account settings, under which prompt inputs and model outputs are retained by Company for up to 90 days to enable additional functionality such as prompt analytics, semantic caching, and debugging. Activation of All Data Mode constitutes a documented processing instruction by the Customer to Company and transfers to the Customer sole responsibility for ensuring that such retention is lawful under Applicable Data Protection Law, including the identification of a valid legal basis and the provision of appropriate notice to Data Subjects. All Data Mode is disabled by default and may be deactivated, and retained content deleted, by the Customer at any time via the account dashboard.
“Applicable Data Protection Laws” shall mean all laws and regulations governing the processing of Personal Data applicable to either party, including (without limitation): EU GDPR (Regulation (EU) 2016/679); UK GDPR; the California Consumer Privacy Act (CCPA) as amended by CPRA; and other applicable US state privacy laws (Virginia CDPA, Colorado CPA, Connecticut CTDPA, Texas TDPSA, and equivalents).
“Controller Personal Data” means any Personal Data provided to the Processor in connection with the Services under the Agreement;
“Data Controller”, “Data Processor”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processes”, “Sub-Processor”, and “Supervisory Authority” shall have the same meaning as given to them under the EU GDPR;
“Restricted Transfer” means each case where a transfer of Controller Personal Data would be prohibited by Applicable Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions) in the absence of an adequacy decision issued by the EU Commission as referred to in Article 45(1) of the EU GDPR, the competent UK authority (as applicable), or of the EU SCCs and/or UK Addendum (as applicable) to be established under Section 15 below;
“Request” means a request from a Data Subject to exercise the rights under the Applicable Data Protection Laws in respect of Controller Personal Data;
“Sub-processor” means any person (including any third party but excluding an employee of Processor) appointed by or on behalf of the Processor to Process Controller Personal Data in connection with the Agreement, including third-party game suppliers (if applicable according to the Agreement) whose content is provided to the Controller.
“EU SCCs” means the Standard Contractual Clauses in accordance with the EU Commission Implementing Decision (EU) June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, or any other standard contractual clauses issued by the EU Commission which replace such clauses from time to time; and
“UK Addendum” means the International Data Transfer Addendum to the EU SCCs (version B1.0, in force from 21 March 2022) issued by the UK Information Commissioner’s Office under S119(A) of the UK Data Protection Act 2018, as may be amended, superseded, or replaced from time to time.
4. PROCESSING OF PERSONAL DATA
4.1. Company shall (a) comply with its obligations under all Applicable Data Protection Laws in the Processing of Controller Personal Data; (b) process the Controller Personal Data only on behalf of the Customer and in compliance with Customer’s documented instructions, the Agreement, and/or this DPA unless Processing is required by Applicable Data Protection Laws to which Company is subject, in which case the Company shall to the extent permitted by the Applicable Data Protection Laws inform the Customer of that legal requirement before the relevant Processing of Controller Personal Data; (c) immediately inform the Customer if, in its opinion, their instructions infringe the Applicable Data Protection Laws.
4.2. Company processes Controller Personal Data only to the extent necessary to provide the Service. By default, the Service operates on a zero-content-retention basis: prompt inputs and model outputs are transmitted to the applicable AI model provider and returned to the Customer without being stored on Company’s systems beyond the time required to complete the transaction. Any information and data provided by the Customer to Company within the performance of this DPA shall remain at all times the property of the Data Controller.
4.3. The details of the scope, purpose, and duration of the Controller Personal Data and Processing covered by this DPA are set out in Annex I of the DPA.
5. RESPONSIBILITIES OF THE DATA CONTROLLER
5.1. The Customer is responsible for the use of the Services and the Personal Data submitted. By entering into this DPA, the Customer confirms that, as a Data Controller, it: (a) has, and will maintain, a valid legal basis under Applicable Data Protection Law for each category of Personal Data submitted to the Service; (b) has provided Data Subjects with appropriate privacy notices that disclose the use of AI-assisted processing; (c) will not submit special category Personal Data (including data revealing racial or ethnic origin, health, biometric data, or similar) or Personal Data relating to minors under the age of 16 without entering into a separate written agreement with Company; (d) where required, has conducted or will conduct a Data Protection Impact Assessment in relation to the use of the Service; (e) maintains an up-to-date record of processing activities as required by applicable law; (f) is and will be solely responsible for ensuring that Personal Data submitted to the Service is adequate, relevant, and limited to what is necessary (data minimisation); (g) if it is a Business under the CCPA, will not direct Company to sell or share Personal Information as those terms are defined under the CCPA.
6. OBLIGATIONS OF THE DATA PROCESSOR
6.1. Company will process Controller Personal Data only on documented instructions, as set out in this DPA and the Terms of Use, unless required to do otherwise by applicable law. Where a legal requirement exists, Company will inform Customer before processing unless prohibited by law.
6.2. Company will ensure that all personnel authorised to process Personal Data are subject to appropriate confidentiality obligations and receive adequate data protection training.
6.3. Company will not use Controller Personal Data, prompt inputs, or model outputs processed under this DPA to train, fine-tune, evaluate, benchmark, or otherwise improve any AI or machine learning model, whether operated by Company, a sub-processor, or any third party.
6.4. Acting as a Service Provider under the CCPA and as a Processor under EU/UK GDPR, Company will not: (a) sell or share Personal Data; (b) retain, use, or disclose Personal Data for any purpose other than providing the Service; or (c) combine the Customer’s Personal Data with data from other customers or external sources, except as permitted by Applicable Data Protection Law.
6.5. Company will, taking into account the nature of the processing and the information available to it, provide reasonable assistance to enable Data Controller to: respond to Data Subject rights requests; implement appropriate security measures; carry out Data Protection Impact Assessments; and notify supervisory authorities and Data Subjects of Security Incidents, as required by Applicable Data Protection Law.
7. SECURITY
7.1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights of Data Subjects, Company shall in relation to the Controller Personal Data implement and maintain appropriate technical and organizational measures in relation to its Processing of Controller Personal Data so as to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the EU GDPR.
7.2. To the extent required under the Agreement and this DPA, Company shall implement security measures as set forth in Annex II of this DPA.
7.3. The Customer may request evidence of Company’s security posture at any time by contacting [email protected]. Company may satisfy such requests by providing a current SOC 2 Type II report, ISO/IEC 27001 certification, or a completed security questionnaire.
8. SUB-PROCESSORS
8.1. By entering into this DPA, the Customer as a Data Controller gives general authorisation to Company to engage Sub-processors without any additional notification. The up-to-date list of already engaged Sub-processors may be presented upon the Customer’s request and/or in Annex III of this DPA.
8.2. With respect to each Sub-processor, Company shall (a) carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for the Controller Personal Data required by this DPA; (b) ensure that the arrangement between the Processor and the Sub-processor is governed by a written contract including terms that offer no less onerous level of protection for the Controller Personal Data as one set out in this DPA; and (c) if that arrangement involves a Restricted Transfer, ensure that the Standard Contractual Clauses are at all relevant times incorporated into the agreement between the Processor and the Sub-processor.
8.3. Notwithstanding any authorization by the Data Controller within the meaning of the preceding sections, Company shall remain fully liable to the Controller for the performance of the Sub-processor’s obligations.
8.4. The Customer may reasonably object to the engagement of a particular Sub-processor at any time by sending written notice to the email address set out herein. Company shall review objections within 30 (thirty) days and, if possible, change the Sub-processor. If the objection cannot be resolved, Company shall notify the Customer without undue delay.
9. AI MODEL PROVIDERS
9.1. AI Providers are independent third parties whose large language model inference services are made accessible through the Service. AI Providers are not Sub-processors of Company. Company does not control, direct, or take responsibility for the data processing operations of any AI Provider. Depending on the applicable AI Provider’s own terms of service, the AI Provider may act as an independent Controller in its own right, or as a processor engaged directly by the Customer.
9.2. By selecting an AI Provider through the Service, the Customer accepts sole responsibility for: (a) reviewing and agreeing to the AI Provider’s own terms of service, acceptable use policy, and data processing or privacy terms before transmitting any Personal Data; (b) entering into any data processing agreement or equivalent instrument directly with the AI Provider where required by Applicable Data Protection Law; (c) ensuring that the transmission of Personal Data to the AI Provider is lawful, including the identification of an appropriate legal basis and, where required, the implementation of a valid international transfer mechanism; (d) handling all Data Subject rights requests relating to Personal Data that has been transmitted to and processed by an AI Provider; and (e) assessing the AI Provider’s security, retention, and compliance posture independently of Company.
9.3. In relation to AI Providers, Company acts exclusively as a technical routing layer. Company transmits the Customer’s API request to the selected AI Provider and returns the resulting output to the Customer. Company does not inspect, modify, or retain the content of those requests or outputs beyond what is strictly necessary for transmission, except where the Customer has enabled All Data Mode.
9.4. Company makes no representations or warranties regarding any AI Provider’s compliance with Applicable Data Protection Law, data retention or deletion practices, security measures, sub-processing arrangements, or ability to honour Data Subject rights. To the maximum extent permitted by applicable law, Company shall have no liability to the Customer or to any Data Subject for any loss, damage, or regulatory consequence arising from the processing of Personal Data by an AI Provider, including any Data Breach, unauthorised disclosure, unlawful retention, or failure to comply with a Data Subject rights request occurring at the level of the AI Provider.
9.5. A list of the AI Providers currently accessible through the Service, together with links to their respective data processing terms and privacy policies, is maintained at https://llmapi.ai/models/. Company will update this list when AI Providers are added or removed and will notify the Customer by changing the “Last updated” date.
10. DATA SUBJECT RIGHTS
10.1. Company will assist the Customer in fulfilling requests from Data Subjects exercising their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, objection, and opt-out of sale under the CCPA), taking into account the nature of the processing and the information available to Company.
10.2. If a Data Subject contacts Company directly to exercise a right, Company will forward the request to the Customer within five (5) business days and will not respond to the Data Subject directly without prior authorisation.
10.3. The Customer hereby acknowledges that Company’s ability to assist may be limited once Personal Data has been transmitted to a third-party AI model provider. In that case, the Customer is responsible for coordinating with the relevant provider directly.
10.4. To submit a data subject rights request or to request deletion of data held under All Data Mode, please contact: [email protected]
11. PERSONAL DATA BREACH
11.1. Company shall notify the Customer immediately (and in any event within forty-eight (48) hours) if it or a Sub-processor becomes aware of any unauthorized or unlawful Processing of, loss of, damage to, or destruction or corruption of Controller Personal Data, providing the Customer with sufficient information to allow the Controller to meet any obligations to report to competent authorities or inform Data Subjects. Such information shall as a minimum: (a) describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned; (b) communicate the name and contact details of the Data Processor’s data protection officer or another relevant contact from whom more information may be obtained; (c) describe the likely consequences of the Personal Data Breach; (d) describe the measures taken or proposed to be taken by the Data Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
11.2. Company will cooperate with the Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of each Personal Data Breach.
12. SUPERVISORY AUTHORITY INVESTIGATION
12.1. Both Parties shall cooperate and assist the other Party in the event of any measures or investigations taken by the Supervisory Authority related to any activities conducted under this DPA, including promptly notifying the other Party of the threat and commencement of such measures. The Parties shall take all reasonable measures necessary to limit the potential damage incurred to either of the Parties due to such event.
13. DATA DESTRUCTION
13.1. Upon termination of the Agreement or written request, Company will within 30 days: (a) cease all processing of Controller Personal Data; (b) at Controller’s election, securely delete or return all Personal Data (including copies held by sub-processors, to the extent technically feasible); and (c) provide written confirmation of deletion within 14 days of completion.
13.2. Notwithstanding what is stated above, Company shall be entitled to retain Controller Personal Data to the extent required by Applicable Data Protection Laws and/or regulatory requirements and only to the extent and for such period as required and always provided that the confidentiality of all such Controller Personal Data is ensured.
14. AUDIT RIGHTS
14.1. Company shall make available to the Customer on request in a timely manner such information as is reasonably required by the Data Controller to demonstrate Data Processor’s compliance with its obligations under Applicable Data Protection Laws and this DPA.
14.2. This shall be subject to the Customer giving Company reasonable prior notice, and in any event no less than 30 days in advance of such audit and/or inspection, and ensuring that any auditor is subject to binding obligations of confidentiality and that such audit or inspection is undertaken so as to cause minimal disruption to Company’s business and to the narrowest applicable extent.
14.3. Company cannot be obliged to give access to its documents and records for the purposes of such an audit or inspection: (a) to any individual unless he or she produces reasonable evidence of identity and authority; (b) outside normal business hours, unless the audit or inspection needs to be conducted on an emergency basis and the Data Controller has given notice to the Data Processor that this is the case before attendance outside those hours begins.
14.4. Company may satisfy audit requests by providing a current SOC 2 Type II report, ISO/IEC 27001 certification, or completion of a reasonable security questionnaire, where these cover the relevant processing activities.
15. CROSS-BORDER TRANSFERS
15.1. RESTRICTED TRANSFER. The Parties agree that when the transfer of Controller Personal Data from the Customer (as “data exporter”) to Company (as “data importer”) is a Restricted Transfer and Applicable Data Protection Laws require that appropriate safeguards are put in place, the transfer will be subject to the EU SCCs, which are deemed incorporated into and form a part of this DPA, as follows:
- In relation to transfers of Controller Personal Data protected by the EU GDPR, the EU SCCs will apply, completed as follows:
- Module Two will apply;
- in Clause 7, the optional docking clause will apply;
- in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes will be as set out in Clause 8.4 of this DPA;
- in Clause 11, the option will not apply;
- in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
- in Clause 18(b), disputes will be resolved before the courts of Ireland;
- Annex I of the EU SCCs is deemed completed with the information set out in Annex I to this DPA, and the competent supervisory authority will be determined in accordance with the EU GDPR and Clause 13 of the EU SCCs;
- subject to Section 7 of this DPA, Annex II of the EU SCCs is deemed completed with the information set out in Annex II to this DPA;
- subject to section 8 of this DPA, Annex III of the EU SCCs is deemed completed with the information set out in Annex III to this DPA; and
- Annex IV (if applicable) to this DPA provides additional safeguards agreed upon between the Parties as supplementary measures to the EU SCCs.
- In relation to transfers of Personal Data protected by UK Data Protection Laws, the EU SCCs: (i) apply as completed in accordance with Section 15.1 above; and (ii) are deemed amended as specified by the UK Addendum, which is deemed executed by the Parties and incorporated into and forms an integral part of this DPA. In addition, Tables 1 to 3 in Part 1 of the UK Addendum are deemed completed respectively with the information set out in Sections 7, 8, and 15 of this DPA, as well as Annex I, Annex II, and Annex III of this DPA; Table 4 in Part 1 is deemed completed by selecting “neither party”. Any conflict between the terms of the EU SCCs and the UK Addendum will be resolved in accordance with Sections 10 and 11 of the UK Addendum.
15.2. US TRANSFER. Where the Customer is a Business under the CCPA or subject to equivalent US state privacy laws, the following terms apply in addition to the main DPA:
- Company acts as Service Provider under the CCPA and certifies it understands and will comply with the applicable Service Provider restrictions.
- Company will not sell, share, retain, use, or disclose Personal Information outside the direct business relationship or for any purpose other than those specified in Annex I.
- Company will not combine Personal Information received from the Customer with Personal Information from other sources except as permitted by applicable law.
- Company will assist the Customer in responding to verifiable consumer requests (access, deletion, correction, opt-out of sale/sharing, limit use of sensitive personal information) within CCPA-required timeframes.
- The Customer retains the right to take reasonable steps to ensure that Company uses Personal Information consistently with the Customer’s obligations, and to notify Company if the Customer believes Company is no longer able to meet its CCPA obligations.
- For Virginia CDPA, Colorado CPA, Connecticut CTDPA, Texas TDPSA, and equivalent laws: Company agrees to act as a Processor, process data only on the Customer’s instructions, maintain appropriate security, assist with consumer rights requests, delete or return data on the Customer’s request, and provide information necessary for data protection assessments.
16. TERM AND TERMINATION
16.1. This DPA takes effect when the Customer first accepts the Terms of Use and continues for as long as Company processes Personal Data on behalf of the Customer. This DPA terminates automatically upon termination of the Agreement.
16.2. Company may update this DPA by posting a revised version at the website by changing the version and “Last updated” date. Material changes to this DPA shall be communicated to the Customer in writing in advance.
17. LIABILITY
17.1. Each party is liable for its own breach of this DPA and Applicable Data Protection Law.
17.2. Company’s aggregate liability under this DPA is subject to the limitations and exclusions set out in the Terms of Use, except where mandatory applicable law prohibits such limitation.
17.3. Nothing in this DPA excludes or limits either party’s liability for: (a) fraud or fraudulent misrepresentation; (b) death or personal injury caused by negligence; or (c) any other liability that cannot be excluded or limited by law.
18. MISCELLANEOUS
18.1. Except as otherwise required by Section 15, this DPA shall be governed by the governing law set out in the Agreement.
18.2. If any provision is found invalid or unenforceable, the remainder continues in full force, and the parties will replace the invalid provision with a valid one that achieves the original intent.
18.3. In the event of conflict, the order of precedence is: (1) mandatory Applicable Data Protection Law; (2) the SCCs or UK Addendum (where applicable); (3) this DPA; (4) the Terms of Use.
18.4. For all data protection enquiries, please contact: [email protected]
ANNEX I
DETAILS OF THE PROCESSING OF CONTROLLER PERSONAL DATA
| Item | Details |
| --- | --- |
| SUBJECT MATTER | Provision of AI model inference services via the LLM API gateway as set out in the Agreement and this DPA. |
| DURATION OF PROCESSING | This DPA shall be in force for so long as the Processing of Controller Personal Data continues. |
| NATURE OF PROCESSING | Automated routing of API requests to third-party AI model providers; return of inference outputs; storage of request metadata. No human decision-making by Company on the content of requests or outputs. |
| PURPOSE OF PROCESSING | Providing AI inference services as directed by the Customer; billing and cost analytics; service reliability and caching (if enabled). |
| PERSONAL DATA CATEGORIES | Determined by the Customer. May include: names, email addresses, user-generated text, conversation history, professional information, or other data included in API prompts. Special category data and children’s data must not be submitted without prior written agreement. |
| DATA SUBJECTS | Determined by the Customer. May include: end users of the Customer’s products or services; employees or contractors of the Customer; any other individuals whose Personal Data the Customer includes in API requests. |
| SENSITIVE DATA | None, unless separately agreed in writing by Company. |
| FREQUENCY OF PROCESSING | Continuous / on-demand, triggered by Customer API calls. |
| RETENTION PERIOD | The period of the Agreement and such additional period as (a) is specified in any provisions of the Agreement or this DPA regarding data retention; and (b) is required for compliance with Applicable Data Protection Laws. |
| SUB-PROCESSING | Where Company engages Sub-processors, it will do so in compliance with the terms of this DPA. The subject matter, nature, and duration of the Processing activities carried out by the Sub-processor will not exceed the subject matter, nature, and duration of the Processing activities hereunder. The Processor will maintain agreements with all Sub-processors requiring technical and organizational measures no less onerous than those maintained by the Processor under this DPA. |
ANNEX II
SECURITY MEASURES
Company maintains a comprehensive written information security program designed to protect Controller Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. This program includes the following safeguards:
| Security Domain | Measures |
| --- | --- |
| Encryption in transit | TLS 1.2 or higher on all Service endpoints; HTTPS enforced; no unencrypted transmission of Personal Data. |
| Encryption at rest | AES-256 encryption for sensitive data stored on AWS infrastructure. |
| Access control | Role-based access control; least-privilege principle; multi-factor authentication for administrative access; monthly access reviews. |
| API key management | API keys stored in hashed form only; never stored or logged in plaintext; key rotation supported. |
| Zero data retention (default) | Technical controls prevent persistent storage of prompt inputs and outputs absent Customer instruction to enable All Data Mode. |
| Infrastructure | Hosted on AWS Frankfurt (eu-central-1). AWS holds ISO/IEC 27001, SOC 1, SOC 2, and PCI DSS certifications. |
| Vulnerability management | Regular automated vulnerability scanning; annual penetration testing by independent third parties; defined patch management SLAs. |
| Incident response | Documented incident response plan; 48-hour Customer notification commitment. |
| Personnel security | Background checks for personnel with access to Personal Data; mandatory annual security awareness training; non-disclosure agreements. |
| Business continuity | Automated backups; defined RTO and RPO; disaster recovery plan. |
| Audit logging | Comprehensive logging of access to Personal Data; anomaly detection and alerting; logs retained for 90 days minimum. |
ANNEX III
LIST OF SUB-PROCESSORS
| Sub-processor | Processing Activity | Data Location | Transfer Mechanism |
| --- | --- | --- | --- |
| Amazon Web Services, Inc. | Cloud hosting, storage, infrastructure | Frankfurt, Germany (eu-central-1) | EU adequacy / AWS SCCs |
| Stripe, Inc. | Payment and billing processing (account metadata only; no prompt content) | USA | EU–US DPF certified |
| PostHog, Inc. | Product analytics (aggregated / anonymised usage data) | EU (self-hosted on AWS eu-central-1) | N/A — processed in EU |
| HubSpot, Inc. | CRM and account communications (business contact data only) | CRM and account communications (business contact data only) | CRM and account communications (business contact data only) |
| PostgreSQL (self-hosted on AWS) | Primary relational database — account data, API keys, billing records | Frankfurt, Germany (eu-central-1) | N/A — processed in EU (AWS) |
| Redis (self-hosted on AWS) | In-memory cache — session tokens, rate-limiting counters | Frankfurt, Germany (eu-central-1) | N/A — processed in EU (AWS) |
| ClickHouse (self-hosted on AWS) | Analytics database — request logs, usage metrics, OpenTelemetry span sink | Frankfurt, Germany (eu-central-1) | N/A — processed in EU (AWS) |
| Amazon S3 (AWS) | Object storage — batch processing artefacts | Frankfurt, Germany (eu-central-1) | N/A — processed in EU (AWS) |
| Google Cloud Storage (GCP) | Optional object storage — Vertex AI batch staging only (activated per customer request) | EU region (europe-west) | EU–US DPF / SCCs (Module 3) |
| Gmail / Google Workspace SMTP | Transactional email delivery — account notifications, alerts | USA | EU–US DPF certified |
| Slack Technologies, LLC | Internal webhook alerts — dispute notifications, fraud warnings, service monitoring (no customer personal data in message content) | USA | EU–US DPF / SCCs |
| Google LLC (OAuth2 / Google Workspace) | Authentication and identity — Google OAuth2 login, optional Google Workspace SSO | USA | EU–US DPF certified |
| GitHub, Inc. (GitHub OAuth2) | Authentication — GitHub OAuth2 login | USA | SCCs (Module 2) |
| OpenTelemetry / OTLP Collector (Loki stack, self-hosted on AWS) | Observability — distributed tracing, log aggregation, metrics collection | Frankfurt, Germany (eu-central-1) | N/A — processed in EU (AWS) |
| Microsoft Azure Monitor | Observability — infrastructure monitoring, alerting, diagnostics | EU region (West Europe / North Europe) | EU–US DPF / SCCs (Module 2) |
| Juro Ltd | Contract lifecycle management — storage and processing of commercial agreements (business contact data of signatories) | United Kingdom | UK GDPR — UK adequacy decision applies; SCCs (Module 2) for onward EEA transfers |
| Cloudflare, Inc. | Content delivery network (CDN), DDoS protection, WAF, DNS resolution — processes IP addresses and HTTP request metadata of end users | Global (including EU nodes); data processed at edge closest to user | EU–US DPF certified; SCCs (Module 2) for non-adequate country transfers |