Boundless API
  • Product
  • Models
  • Pricing
  • Status
  • Docs
EN中
Get $5 on signup

Data Processing Agreement (DPA)

Last updated: June 16, 2026
DRAFT — FOR ATTORNEY REVIEW ONLY.
On this page
  1. 1. Definitions
  2. 2. Scope and Roles
  3. 3. Details of Processing
  4. 4. Customer Obligations
  5. 5. Boundless Obligations
  6. 6. Sub-processors
  7. 7. Security Measures
  8. 8. Data Subject Rights & Breach Notification
  9. 9. Audits
  10. 10. Data Return and Deletion
  11. 11. International Transfers
  12. 12. CCPA
  13. 13. Liability
  14. 14. Term
  15. 15. Contact
  16. Annex A: Sub-processors
  17. Annex B: Standard Contractual Clauses
Live model IDs

Copy exactly — case-sensitive, no spaces. Details →

  • claude-sonnet-4-6
  • claude-opus-4-8
  • claude-opus-4-7
  • claude-haiku-4-5-20251001
  • gpt-5.5
  • gpt-5.4
Full catalog →

DRAFT — FOR ATTORNEY REVIEW ONLY.

This Data Processing Agreement ("DPA") is incorporated into the Terms of Service between Boundless Intelligence Labs, Inc. ("Processor" or "Boundless") and the customer ("Controller" or "Customer") when Customer uses the Service to process Personal Data.


1. Definitions

  • Personal Data: Information relating to an identified or identifiable natural person
  • Processing: Any operation on Personal Data (collection, storage, use, disclosure, deletion)
  • Sub-processor: Third party engaged by Boundless to process Personal Data
  • Service: Boundless API router and related services
  • GDPR: EU General Data Protection Regulation
  • CCPA/CPRA: California privacy laws

2. Scope and Roles

2.1 Controller vs Processor

  • Customer is Controller for Personal Data in API prompts and account data
  • Boundless is Processor when handling Personal Data on Customer's behalf to provide the Service
  • Boundless is Controller for account, billing, and website analytics data (see Privacy Policy)

2.2 Processing Instructions

Boundless processes Personal Data only:

  • As documented in the Service and this DPA
  • Per Customer's documented instructions via API calls and account settings
  • As required by applicable law

3. Details of Processing

Element Description
Subject matter LLM API routing and inference
Duration Term of the agreement + retention per policy
Nature Transmission, transient processing, metadata logging
Purpose Provide API service, billing, security
Data types Prompts, completions (if opted in), account identifiers, usage metadata
Data subjects Customer's end users and employees

Default: Prompts/completions are not stored (ZDR). See Data Policy.


4. Customer Obligations

Customer will:

  • Ensure lawful basis for processing
  • Not submit special category data without appropriate safeguards
  • Configure privacy settings appropriately
  • Inform data subjects as required
  • Comply with Model Provider terms

5. Boundless Obligations

Boundless will:

  • Process only per documented instructions
  • Ensure personnel confidentiality
  • Implement appropriate security measures (Section 7)
  • Engage Sub-processors per Section 6
  • Assist with data subject requests (Section 8)
  • Delete/return data on termination (Section 10)
  • Provide information for DPIAs and audits (Section 9)
  • Notify of breaches (Section 8)

6. Sub-processors

6.1 Authorization

Customer authorizes Boundless to engage Sub-processors listed in the Subprocessors List.

6.2 Changes

Boundless will notify Customer of new Sub-processors at least 30 days before engagement. Customer may object on reasonable grounds within 14 days.

6.3 Flow-Down

Boundless imposes data protection obligations on Sub-processors equivalent to this DPA.


7. Security Measures

Boundless implements:

  • Encryption in transit (TLS 1.2+) and at rest
  • Access controls and least privilege
  • API key hashing
  • Monitoring and intrusion detection
  • Incident response procedures
  • Regular security assessments

Details: Data Policy


8. Data Subject Rights & Breach Notification

8.1 Assistance

Boundless will assist Customer in responding to data subject requests (access, deletion, portability) within 30 days of request, using available technical measures.

8.2 Breach Notification

Boundless will notify Customer without undue delay and within 72 hours of becoming aware of a Personal Data breach affecting Customer data, including:

  • Nature of the breach
  • Categories and approximate number of records
  • Likely consequences
  • Measures taken or proposed

9. Audits

Customer may audit Boundless compliance once per year with 30 days notice, during business hours, subject to confidentiality. Boundless may provide SOC 2 report in lieu of on-site audit when available.


10. Data Return and Deletion

Upon termination:

  • Customer may export data via API/dashboard (where available)
  • Boundless deletes Customer Personal Data within 90 days, except where retention is required by law
  • Metadata retained per Privacy Policy

11. International Transfers

Transfers outside EEA/UK use:

  • EU Standard Contractual Clauses (2021/914)
  • UK International Data Transfer Addendum where applicable
  • Supplementary measures as needed

US data processing: Boundless Intelligence Labs, Inc., Delaware, USA.


12. CCPA

Boundless will not:

  • Sell Personal Data
  • Retain, use, or disclose Personal Data for purposes other than providing the Service
  • Combine Personal Data with other sources except as permitted

Boundless certifies understanding of CCPA/CPRA service provider requirements.


13. Liability

Liability under this DPA is subject to limitations in the Terms of Service.


14. Term

This DPA remains in effect while Boundless processes Personal Data on behalf of Customer.


15. Contact

Data Protection: privacy@boundlessapi.com
Security incidents: security@boundlessapi.com

Boundless Intelligence Labs, Inc.
[Registered address — TBD]


Annex A: Sub-processors

See Subprocessors List.

Annex B: Standard Contractual Clauses

Available upon request for Enterprise customers.

© 2026 Boundless API · Home · Privacy Policy · Terms