This document explains how Boundless API handles your data technically. For legal privacy rights, see our Privacy Policy. For contractual processing terms, see our DPA.
1. What Boundless Is
Boundless is an API router — we sit between your application and upstream model providers. We are not the model creator. Your data flows:
Your App → Boundless API Gateway → Model Provider → Response → Your App
2. Default: Zero Data Retention (ZDR)
By default, Boundless does not store your prompts or completions.
- Requests are processed in memory and forwarded to providers
- After the response is delivered, prompt/completion content is not retained on Boundless systems
- This applies even when requests fail, unless you have opted in to logging
You can verify this in Dashboard → Settings → Privacy.
3. What We Do Collect (Metadata)
Even under ZDR, we collect request metadata for billing, reliability, and abuse prevention:
| Field | Purpose | Retention |
|---|---|---|
| Timestamp | Billing, debugging | Up to 13 months |
| Model ID | Routing, pricing | Up to 13 months |
| Token counts (prompt/completion) | Billing | Up to 13 months |
| Latency, status code | Status page, SLA | Up to 13 months |
| API key ID (not the key) | Attribution, limits | Up to 13 months |
| Error type | Support, reliability | Up to 13 months |
Metadata does not include prompt or completion text unless you opt in.
4. Opt-In Features
4.1 Request Logging
Dashboard → Settings → Observability → Request Logging
When enabled:
- Prompts and completions are stored encrypted
- Visible to you (and org admins) in the Activity log
- Used for debugging and cost analysis only
- Not used for model training unless separately consented
- Deletable via dashboard or privacy@boundlessapi.com
4.2 Playground History
Browser-local by default. If cloud sync is enabled, history is stored per your account settings.
5. Upstream Provider Data Practices
Each model is served by a Model Provider with its own data policy. Boundless routes to providers based on your privacy settings:
| Setting | Behavior |
|---|---|
| Strict privacy (default) | Route only to providers with no-training / no-logging policies where confirmed |
| Allow training providers | May route to providers that may log or train — you accept their terms |
Per-model provider policies are listed in our Model Provider Terms Index.
Important: Boundless cannot fully control provider behavior. Review provider terms for regulated workloads.
6. Data Residency & Routing
| User Region | Inference Routing | Billing Entity |
|---|---|---|
| United States | US-region endpoints (where available) | Boundless Intelligence Labs, Inc. (Delaware) |
| European Union | EU-region endpoints (enterprise; roadmap for self-serve) | Per DPA |
| Other | Nearest available region | Boundless Intelligence Labs, Inc. |
We do not route US customer API traffic through mainland China for inference.
Data does not return to China for storage or processing of US-region API requests.
7. Security Measures
| Control | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ for all API and dashboard traffic |
| Encryption at rest | API keys, opt-in logs, account data encrypted at rest |
| Access control | Role-based dashboard access; least-privilege internal access |
| Key handling | API keys shown once at creation; stored hashed |
| Monitoring | Anomaly detection, rate limiting, abuse prevention |
| Incident response | See internal runbook; customer notification per DPA |
SOC 2: We will display SOC 2 Type II status only after certification is complete. Do not claim compliance before audit completion.
8. Subprocessors
We use subprocessors to operate the Service. Current list: Subprocessors List. We notify customers of material changes.
9. Enterprise Options
Enterprise customers may request:
- Custom DPA and SCCs
- EU/US region locking
- Restricted provider allowlists
- Shorter metadata retention
- Security questionnaire support
Contact: support@boundlessapi.com
10. Your Responsibilities
- Do not send PCI, PHI, or credentials through the API unless under an enterprise agreement
- Rotate compromised API keys immediately
- Configure spend limits and model restrictions
- Review provider policies for your use case
11. Data Deletion
- Account deletion: Dashboard → Settings → Delete Account. Metadata deleted per retention schedule; billing records retained as required by law.
- Opt-in logs: Deletable on request or via dashboard.
- Privacy requests: privacy@boundlessapi.com
12. Contact
- Privacy: privacy@boundlessapi.com
- Security: security@boundlessapi.com
- Support: support@boundlessapi.com