Parties
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between:
- Data Processor: CloudAct Inc., operating Nemo Router (nemorouter.ai)
- Data Controller: The organization (“Customer”) that entered into the Terms of Service
CloudAct Inc.
100 S Murphy Ave
STE 200 PMB4013
Sunnyvale, CA 94086
United States
1. Scope & Purpose
This DPA applies when CloudAct Inc. processes personal data on behalf of the Customer through the Nemo Router platform. CloudAct Inc. acts as a Data Processor under Article 28 of the General Data Protection Regulation (GDPR).
The purpose of processing is to provide the Nemo Router managed LLM gateway service, including routing API requests, applying guardrails, tracking usage, and managing billing.
2. Categories of Data Processed
- LLM request content: prompts and completions submitted through the API
- Request metadata: model name, token counts, cost, latency, timestamps
- Guardrail logs: PII detection results, content filtering outcomes
- End-user identifiers: if included by the Customer in API request metadata
3. Processor Obligations
CloudAct Inc. shall:
- Process personal data only on documented instructions from the Customer
- Ensure that persons authorized to process personal data have committed to confidentiality
- Implement appropriate technical and organizational security measures (see Section 6)
- Not engage another processor without prior written authorization from the Customer
- Assist the Customer with data subject requests (access, erasure, portability)
- Delete or return all personal data upon termination, subject to legal retention obligations
- Make available all information necessary to demonstrate compliance and allow audits
4. Sub-Processors
The Customer authorizes CloudAct Inc. to engage the following sub-processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication | US (Oregon) |
| Google Cloud (Cloud Run) | Application hosting & compute | US (us-central1) |
| Datadog | Monitoring & logging (no request content) | US |
| Stripe | Payment processing | US |
| OpenAI | LLM inference | US |
| Anthropic | LLM inference | US |
| Google (Vertex AI) | LLM inference | US/EU |
| SendGrid | Transactional email | US |
| Google (Analytics) | Website analytics (consent-based) | US |
CloudAct Inc. will notify the Customer of any intended changes to sub-processors, giving the Customer the opportunity to object.
5. International Data Transfers
For transfers of personal data outside the EEA, CloudAct Inc. relies on:
- EU-US Data Privacy Framework (DPF) for certified sub-processors
- Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914
- Supplementary technical measures including encryption in transit and at rest
6. Security Measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Row-Level Security (RLS) for tenant data isolation
- API key hashing (SHA-256, one-way) — full keys shown once at creation only; CloudAct Inc. stores no plaintext copy and cannot recover or decrypt a customer API key after creation
- JWT-based authentication via Supabase Auth
- SOC 2-aligned controls (Type II audit in progress, target Q3 2026)
- Atomic credit operations
- Content Security Policy (CSP) and HSTS headers
7. Data Breach Notification
CloudAct Inc. will notify the Customer without undue delay (and no later than 72 hours) after becoming aware of a personal data breach. The notification will include:
- Nature of the breach and categories of data affected
- Approximate number of data subjects and records concerned
- Likely consequences of the breach
- Measures taken or proposed to address the breach
8. Data Retention & Deletion
Upon termination of the service agreement, CloudAct Inc. will delete all Customer personal data within 30 days, except where retention is required by law (e.g., financial records for 7 years). The Customer may configure data retention policies (zero logging, metadata only, full logging, PII-redacted) from organization settings.
9. Term & Termination
This DPA remains in effect for the duration of the Customer's use of Nemo Router. It survives termination of the Terms of Service to the extent CloudAct Inc. continues to process personal data on behalf of the Customer.
10. Liability & Customer Responsibilities
The Customer is solely responsible for: (a) the lawfulness of the personal data it submits through the platform and of its processing instructions; (b) obtaining all consents and providing all notices required to transmit personal data to CloudAct Inc. and, through it, to the upstream model providers the Customer selects; (c) selecting a data retention policy and guardrail configuration appropriate to its regulatory obligations; (d) the custody and security of its own API keys, which are stored by CloudAct Inc. only as one-way hashes that CloudAct Inc. cannot reverse or decrypt; and (e) the content of all prompts and completions. CloudAct Inc.processes data strictly as a processor on the Customer's documented instructions and, to the maximum extent permitted by law, has no liability arising from the Customer's instructions, data, key custody, or failure to meet its controller obligations.
Each party's aggregate liability arising out of or related to this DPA is subject to the exclusions and limitation of liability set out in the Terms of Service, which apply cumulatively across the Terms and this DPA, except to the extent such a limitation is prohibited by applicable data protection law.
11. Contact
CloudAct Inc.
100 S Murphy Ave
STE 200 PMB4013
Sunnyvale, CA 94086
United States
DPA requests: legal@nemorouter.ai
Data Protection Officer: privacy@nemorouter.ai
To request a signed copy of this DPA, email legal@nemorouter.ai. See also our Privacy Policy and Terms of Service.