DRAFT — FOR ATTORNEY REVIEW ONLY.
This Data Processing Agreement ("DPA") is incorporated into the Terms of Service between Boundless Intelligence Labs, Inc. ("Processor" or "Boundless") and the customer ("Controller" or "Customer") when Customer uses the Service to process Personal Data.
1. Definitions
- Personal Data: Information relating to an identified or identifiable natural person
- Processing: Any operation on Personal Data (collection, storage, use, disclosure, deletion)
- Sub-processor: Third party engaged by Boundless to process Personal Data
- Service: Boundless API router and related services
- GDPR: EU General Data Protection Regulation
- CCPA/CPRA: California privacy laws
2. Scope and Roles
2.1 Controller vs Processor
- Customer is Controller for Personal Data in API prompts and account data
- Boundless is Processor when handling Personal Data on Customer's behalf to provide the Service
- Boundless is Controller for account, billing, and website analytics data (see Privacy Policy)
2.2 Processing Instructions
Boundless processes Personal Data only:
- As documented in the Service and this DPA
- Per Customer's documented instructions via API calls and account settings
- As required by applicable law
3. Details of Processing
| Element | Description |
|---|---|
| Subject matter | LLM API routing and inference |
| Duration | Term of the agreement + retention per policy |
| Nature | Transmission, transient processing, metadata logging |
| Purpose | Provide API service, billing, security |
| Data types | Prompts, completions (if opted in), account identifiers, usage metadata |
| Data subjects | Customer's end users and employees |
Default: Prompts/completions are not stored (ZDR). See Data Policy.
4. Customer Obligations
Customer will:
- Ensure lawful basis for processing
- Not submit special category data without appropriate safeguards
- Configure privacy settings appropriately
- Inform data subjects as required
- Comply with Model Provider terms
5. Boundless Obligations
Boundless will:
- Process only per documented instructions
- Ensure personnel confidentiality
- Implement appropriate security measures (Section 7)
- Engage Sub-processors per Section 6
- Assist with data subject requests (Section 8)
- Delete/return data on termination (Section 10)
- Provide information for DPIAs and audits (Section 9)
- Notify of breaches (Section 8)
6. Sub-processors
6.1 Authorization
Customer authorizes Boundless to engage Sub-processors listed in the Subprocessors List.
6.2 Changes
Boundless will notify Customer of new Sub-processors at least 30 days before engagement. Customer may object on reasonable grounds within 14 days.
6.3 Flow-Down
Boundless imposes data protection obligations on Sub-processors equivalent to this DPA.
7. Security Measures
Boundless implements:
- Encryption in transit (TLS 1.2+) and at rest
- Access controls and least privilege
- API key hashing
- Monitoring and intrusion detection
- Incident response procedures
- Regular security assessments
Details: Data Policy
8. Data Subject Rights & Breach Notification
8.1 Assistance
Boundless will assist Customer in responding to data subject requests (access, deletion, portability) within 30 days of request, using available technical measures.
8.2 Breach Notification
Boundless will notify Customer without undue delay and within 72 hours of becoming aware of a Personal Data breach affecting Customer data, including:
- Nature of the breach
- Categories and approximate number of records
- Likely consequences
- Measures taken or proposed
9. Audits
Customer may audit Boundless compliance once per year with 30 days notice, during business hours, subject to confidentiality. Boundless may provide SOC 2 report in lieu of on-site audit when available.
10. Data Return and Deletion
Upon termination:
- Customer may export data via API/dashboard (where available)
- Boundless deletes Customer Personal Data within 90 days, except where retention is required by law
- Metadata retained per Privacy Policy
11. International Transfers
Transfers outside EEA/UK use:
- EU Standard Contractual Clauses (2021/914)
- UK International Data Transfer Addendum where applicable
- Supplementary measures as needed
US data processing: Boundless Intelligence Labs, Inc., Delaware, USA.
12. CCPA
Boundless will not:
- Sell Personal Data
- Retain, use, or disclose Personal Data for purposes other than providing the Service
- Combine Personal Data with other sources except as permitted
Boundless certifies understanding of CCPA/CPRA service provider requirements.
13. Liability
Liability under this DPA is subject to limitations in the Terms of Service.
14. Term
This DPA remains in effect while Boundless processes Personal Data on behalf of Customer.
15. Contact
Data Protection: privacy@boundlessapi.com
Security incidents: security@boundlessapi.com
Boundless Intelligence Labs, Inc.
[Registered address — TBD]
Annex A: Sub-processors
See Subprocessors List.
Annex B: Standard Contractual Clauses
Available upon request for Enterprise customers.