Data Processing Addendum (DPA) — GAO Internet

Effective date: Jan 1, 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between the business customer (“Customer”) and Toii Labs LLC (Delaware, USA) (“Processor” or “Service Provider”), governing Processor’s processing of Personal Data on behalf of Customer in connection with GAO Internet Services.

If Customer and Processor have signed a separate data processing agreement or order form with data protection terms, that agreement will prevail to the extent of conflict.

1. Roles of the parties

  • Customer is the Controller (or “Business” under applicable US privacy laws) of Personal Data processed via the Services.
  • Processor is the Processor (or “Service Provider/Contractor”) processing Personal Data on Customer’s behalf.

2. Processing instructions

Processor will process Personal Data only:

  • to provide, secure, and maintain the Services;
  • in accordance with Customer’s documented instructions (including configurations, API parameters, and written directions);
  • as required by applicable law.

If Processor believes an instruction violates applicable law, Processor will notify Customer (unless prohibited by law).

3. Confidentiality

Processor will ensure that personnel authorized to process Personal Data are subject to confidentiality obligations.

4. Security measures

Processor will implement appropriate technical and organizational measures designed to protect Personal Data (see Annex B).

5. Subprocessors

Customer provides general authorization for Processor to use subprocessors to deliver the Services (e.g., infrastructure, monitoring, email delivery, security logging). Processor will:

  • impose data protection obligations on subprocessors consistent with this DPA; and
  • provide a list of subprocessors upon request, or make it available through documentation if published.

6. Data subject requests

Taking into account the nature of processing, Processor will provide reasonable assistance to Customer (as appropriate and technically feasible) to help Customer respond to data subject requests.

If Processor receives a request directly from an individual regarding Customer Personal Data, Processor will direct the individual to Customer unless legally required otherwise.

7. Personal data breach

Processor will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and will provide information reasonably required for Customer’s compliance obligations.

8. Cross-border transfers

If Personal Data is transferred internationally, Processor will use appropriate safeguards where required (e.g., contractual protections).

9. Deletion or return

Upon termination of the Services, Processor will delete or return Customer Personal Data within a reasonable time, subject to:

  • legally required retention; and
  • limited backups retained for security/continuity and deleted per routine schedules.

10. Audit and compliance assistance

Upon Customer’s reasonable request and subject to confidentiality and security constraints, Processor will provide information necessary to demonstrate compliance with this DPA (e.g., security summaries, questionnaires, and relevant attestations if available).

Any on-site audits require prior written agreement and must not unreasonably disrupt operations.

11. CCPA/CPRA service provider terms (where applicable)

Processor will not:

  • sell or share Customer Personal Data for cross-context behavioral advertising;
  • retain, use, or disclose Customer Personal Data for any purpose other than providing the Services, except as permitted by applicable law.

12. Limitation of liability

Liability under this DPA will follow the limitation of liability provisions in the main Terms/contract between Customer and Processor, unless prohibited by law.

13. Order of precedence

If there is a conflict between this DPA and the main agreement, this DPA governs solely with respect to Personal Data processing obligations.

Annex A — Details of Processing

A1) Subject matter

Provision of routing, gateway, and infrastructure services for Customer applications, including service telemetry and logs required for security and reliability.

A2) Duration

For the term of Customer’s use of the Services plus any applicable retention periods.

A3) Nature and purpose

  • Provide, secure, and maintain the Services
  • Route traffic and maintain availability
  • Prevent abuse and respond to incidents
  • Support and diagnostics

A4) Categories of data subjects

  • Customer end users
  • Customer personnel (admins/developers)
  • Node operators (where applicable)

A5) Categories of Personal Data (typical)

  • Identifiers: account IDs, API key identifiers (hashed), session tokens (as applicable)
  • Service metadata: timestamps, region, latency, status/error codes, diagnostic logs
  • Security logs: rate-limit events, abuse indicators
  • Node telemetry: node IDs, uptime/heartbeat, integrity metrics
  • Customer-provided content/payloads: may transit; may be encrypted depending on Customer implementation

Annex B — Technical & Organizational Measures (TOMs)

Processor maintains measures such as:

  • Access controls and least privilege; administrative access restrictions
  • Encryption in transit; encryption at rest where applicable
  • Monitoring, logging, rate limiting, abuse prevention controls
  • Vulnerability management and patching practices
  • Incident response procedures
  • Retention controls and restricted access to logs