Data Processing Agreement

1. Scope & Purpose

This DPA applies when CloudAct Inc. processes personal data on behalf of the Customer through the NemoRouter platform. CloudAct Inc. acts as a Data Processor under Article 28 of the General Data Protection Regulation (GDPR).

The purpose of processing is to provide the NemoRouter managed LLM gateway service, including routing API requests, applying guardrails, tracking usage, and managing billing.

2. Categories of Data Processed

• LLM request content: prompts and completions submitted through the API
• Request metadata: model name, token counts, cost, latency, timestamps
• Guardrail logs: PII detection results, content filtering outcomes
• End-user identifiers: if included by the Customer in API request metadata

3. Processor Obligations

CloudAct Inc. shall:

• Process personal data only on documented instructions from the Customer
• Ensure that persons authorized to process personal data have committed to confidentiality
• Implement appropriate technical and organizational security measures (see Section 6)
• Not engage another processor without prior written authorization from the Customer
• Assist the Customer with data subject requests (access, erasure, portability)
• Delete or return all personal data upon termination, subject to legal retention obligations
• Make available all information necessary to demonstrate compliance and allow audits

4. Sub-Processors

The Customer authorizes CloudAct Inc. to engage the following sub-processors:

CloudAct Inc. will notify the Customer of any intended changes to sub-processors, giving the Customer the opportunity to object.

5. International Data Transfers

For transfers of personal data outside the EEA, CloudAct Inc. relies on:

• EU-US Data Privacy Framework (DPF) for certified sub-processors
• Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914
• Supplementary technical measures including encryption in transit and at rest

6. Security Measures

• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• Row-Level Security (RLS) for tenant data isolation
• API key hashing (SHA-256) — full keys shown once at creation only
• JWT-based authentication via Supabase Auth
• SOC 2 Type II annual audit
• Advisory locks for atomic credit operations
• Content Security Policy (CSP) and HSTS headers

7. Data Breach Notification

CloudAct Inc. will notify the Customer without undue delay (and no later than 72 hours) after becoming aware of a personal data breach. The notification will include:

• Nature of the breach and categories of data affected
• Approximate number of data subjects and records concerned
• Likely consequences of the breach
• Measures taken or proposed to address the breach

8. Data Retention & Deletion

Upon termination of the service agreement, CloudAct Inc. will delete all Customer personal data within 30 days, except where retention is required by law (e.g., financial records for 7 years). The Customer may configure data retention policies (zero logging, metadata only, full logging, PII-redacted) from organization settings.

9. Term & Termination

This DPA remains in effect for the duration of the Customer's use of NemoRouter. It survives termination of the Terms of Service to the extent CloudAct Inc. continues to process personal data on behalf of the Customer.

10. Contact

To request a signed copy of this DPA, email legal@nemorouter.ai. See also our Privacy Policy and Terms of Service.