This Data Processing Addendum ("DPA") forms part of the Terms of Service between the customer ("Controller") and trAIce ("Processor") and applies whenever the Processor processes Personal Data on behalf of the Controller.
1. Definitions
"Personal Data", "Processing", "Controller", "Processor", and "Sub-processor" have the meanings given to them in the GDPR (EU 2016/679).
2. Scope of processing
- Subject matter:provision of trAIce's hosted analytics service.
- Duration: for the term of the underlying agreement.
- Nature and purpose: ingestion, storage, and analysis of LLM-call metadata; surfacing of cost and margin analytics.
- Categories of data subjects:end users of the Controller's applications whose identifiers (user ID, tenant ID) the Controller chooses to send.
- Categories of Personal Data: identifiers supplied by the Controller in event payloads. The Processor does not require any directly identifying information and recommends sending opaque IDs.
3. Processor obligations
The Processor will:
- Process Personal Data only on documented instructions from the Controller
- Ensure persons authorized to process Personal Data are bound to confidentiality
- Implement appropriate technical and organizational security measures (encryption in transit, database encryption at rest provided by the hosting provider, and least-privilege access)
- Assist the Controller with data-subject requests within reasonable timeframes
- Notify the Controller without undue delay of any Personal Data breach
- On termination, delete or return Personal Data according to the service's then-current export and deletion functionality, unless retention is required for security, abuse prevention, backups, or legal reasons
4. Sub-processors
The Controller authorizes the Processor to use the following sub-processors:
- Vercel Inc.: application hosting (United States)
- Supabase Inc.: database hosting (region selected by Processor)
- Sentry: error monitoring (United States)
- Upstash: rate-limiting infrastructure
- Brevo: transactional email
- GitHub: OAuth identity provider
The Processor will notify the Controller of any intended changes to sub-processors and give a reasonable opportunity to object.
5. International transfers
Personal Data may be processed in the regions where the sub-processors operate. If a customer requires a specific transfer mechanism for EU/UK Personal Data, that mechanism should be agreed in writing before regulated production use.
6. Audit
The Processor will make available to the Controller information necessary to demonstrate compliance with this DPA. trAIce is not yet SOC 2 certified; customers may request a written security questionnaire once per year.
7. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service.
8. Contact
Data protection contact: privacy@runtraice.com
This DPA is a beta template and should be reviewed by counsel before executing with customers.