Data Processing Addendum (DPA)

Last Updated: [Insert Date]

This Data Processing Addendum ("DPA") forms part of the Terms of Service or other written or electronic agreement (the "Agreement") between Neuronic AI ("Processor", "we", "us", "our") and the entity or individual accepting this DPA ("Customer", "Controller"). This DPA governs Processor’s Processing of Personal Data on behalf of Customer.


1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person as defined under GDPR, CCPA/CPRA, or other applicable data protection laws.

"Processing" means any operation performed on Personal Data, including collection, storage, retrieval, transmission, or deletion.

"Sub-processor" means any third party engaged by Processor to assist in Processing Personal Data.

"Services" means the APIpie / Neuronic AI platform, model orchestration system, search services, memory services, vector services, and related tools used by Customer.

"Applicable Data Protection Laws" include GDPR, CCPA/CPRA, and any similar laws.


2. Roles of the Parties

Customer is the Controller of Personal Data. Processor acts as Customer’s Processor and will process Personal Data only to provide the Services and according to Customer’s documented instructions.

Processor may engage approved Sub-processors as listed in Section 10.


3. Nature and Purpose of Processing

Processor processes Personal Data for the following purposes:

  • Executing Customer API requests across supported LLM providers.
  • Routing, transforming, and enriching data as instructed by Customer.
  • Providing optional memory, RAG, vector, and stateful conversation features.
  • Performing search, scrape, and internet augmentation when requested by Customer.
  • Maintaining service logs required for operational integrity, billing, usage analytics, and security.
  • Supporting Customer-managed long-term collections for RAGTune or bot knowledge bases.

Processor will not use Personal Data for training machine learning models unless explicitly documented by a Sub-processor and only when Customer intentionally selects such a model.


4. Categories of Data Subjects and Personal Data

4.1 Data Subjects

Data Subjects may include Customer’s end-users, employees, clients, partners, or any individuals whose data Customer submits.

4.2 Types of Personal Data

Personal Data processed may include:

  • Text or documents submitted by Customer
  • User identifiers for authentication
  • Prompt content submitted by Customer
  • Optional long-term memory content

Processor does not retain prompt bodies for stateless API calls.


5. Processor Obligations

Processor shall:

  • Process Personal Data only as instructed by Customer.
  • Maintain industry-standard security controls, encryption, and isolation.
  • Ensure data is encrypted in transit and at rest.
  • Restrict access to authorized personnel trained in data protection.
  • Delete Personal Data according to retention rules defined in Section 8.
  • Provide reasonable assistance with Data Subject Requests.
  • Notify Customer of any confirmed Personal Data breach without undue delay.
  • Maintain a record of Processing activities as required by law.

6. Customer Obligations

Customer shall:

  • Ensure it has a lawful basis for Processing Personal Data via the Services.
  • Not submit unlawful or prohibited data categories without proper authorization.
  • Configure retention settings and model selection responsibly.
  • Avoid uploading unnecessary or excessive Personal Data.
  • Identify and disclose to Processor any special regulatory requirements.

7. Security Measures

Processor implements:

  • Kubernetes-based isolated runtime using ephemeral compute.
  • In-memory Redis state storage (non-persistent) for short-lived conversation state.
  • Private Qdrant vector database under Processor’s full control for Customer memory and RAGTune.
  • Optional Pinecone vector database as a Sub-processor.
  • Routine deletion jobs to purge expired memory vectors.
  • Strict no-logging for prompt bodies.
  • Search anonymization (via Presidio) when Customer enables it.

8. Data Retention and Deletion

8.1 Stateless API Requests

  • No prompt bodies are retained.
  • Only usage metadata (model, token count, latency, cost) is retained.
  • Sub-processors may retain data for up to 30 days solely for abuse detection.

8.2 Optional Memory Services

When memory is enabled, Processor stores:

  • Conversation state (up to 24 hours unless Customer sets shorter expiry)
  • Long-term memory vectors (expiry configurable by Customer)

Redis state is in-memory only. Vectors are stored only on Processor-controlled encrypted disks.

8.3 RAGTune Document Collections

  • Documents uploaded for persistent retrieval are stored until Customer deletes them.
  • Intended for support bots, knowledge bases, and enterprise content.

8.4 Deletion Requests

  • Customer may delete data at any time via API or request.
  • Processor runs scheduled deletion jobs ensuring expired data is removed.

9. International Data Transfers

Processor and Sub-processors may transfer data internationally.

Where required, Processor relies on:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions
  • Other legal transfer mechanisms

Customer may request the current list of regions and mechanisms.


10. Sub-processors

Processor uses the following Sub-processors:

10.1 Primary LLM Providers

  • OpenAI
  • Anthropic
  • DeepSeek
  • OpenRouter
  • Together AI
  • DeepInfra
  • Eden AI

10.2 Vector & Memory Providers

  • Private Qdrant deployment (Processor-controlled)
  • Pinecone (optional, only if Customer enables)

10.3 Search & Scrape Providers

  • Google (search)
  • BrightData (search/scrape)
  • Valyu AI (primary internet agent)

All Sub-processors operate under no-training, restricted retention, and security compliance as publicly documented.

Processor will notify Customer of material changes to Sub-processors.


11. Data Subject Rights

Processor will assist Customer in responding to:

  • Access requests
  • Correction requests
  • Deletion requests
  • Objections
  • Data portability requests

All such actions require Customer validation and instruction.


12. Audits and Compliance

Customer may request information about Processor’s security measures. Formal audits may be conducted subject to reasonable controls to protect Processor’s platform and other customers.


13. Liability

Each party’s liability under this DPA shall follow the limitations set forth in the Agreement. Processor is not liable for Customer’s use of non-compliant model providers or Customer’s failure to configure data retention or privacy settings appropriately.


14. Termination

This DPA remains in effect as long as Processor processes Personal Data on behalf of Customer. Upon termination, Processor will delete or return all Personal Data except where retention is required by law.


15. Governing Law

This DPA is governed by the same jurisdiction and governing law specified in the Agreement.


16. Acceptance

By signing up for APIpie / Neuronic AI Services or continuing to use them, Customer agrees to the terms of this DPA.


END OF DPA