Data processing addendum

Last updated: April 22, 2026 · Effective: April 22, 2026

This Data Processing Addendum (“DPA”) applies when you (the Controller) process personal data through the AIgateway and AI Gateway services (the Service) operated by Roushan, Inc., a Delaware corporation with its principal office in Dover, Delaware (the Processor). This DPA is incorporated by reference into our Terms of Service and applies to the extent you process personal data subject to GDPR, UK GDPR, Swiss FADP, CCPA/CPRA, or any substantially similar data-protection law through the Service. Download a signed PDF copy from the dashboard, or email legal@aigateway.sh.

1. Subject-matter + duration

We process personal data only to deliver the Service described at aigateway.sh, for as long as your account is active plus 30 days for billing reconciliation (and 7 years for invoice records where required by tax law).

2. Nature + purpose

We receive your API requests, relay them to the upstream model provider you selected, return the response, log metadata (not content) for billing, and archive request/response bodies only if you explicitly opt in by enabling the replay primitive or the logs feature.

3. Categories of data subjects

Your end users (if you are a B2B2C product), your employees who query the API, and any individuals named or described inside the prompts you send.

4. Categories of personal data

Account data (email, billing). API metadata (timestamps, model slugs, token counts, cost). API content (only if replay or logs is enabled by you). No special-category data is collected by us unless you voluntarily send it inside a prompt.

5. Processor obligations

  • Process personal data only on your documented instructions, including regarding transfers, unless required to do otherwise by law.
  • Ensure that personnel authorized to process personal data are bound by confidentiality.
  • Implement the technical and organizational measures described in §8.
  • Assist you with your obligations under Articles 32–36 GDPR (security, breach notification, DPIAs, prior consultation) to the extent reasonably required.
  • At your choice, delete or return personal data at the end of the Service, subject to §10.
  • Make available all information necessary to demonstrate compliance and allow for audits per §9.

6. Sub-processors

You authorize us to engage the sub-processors listed below. We notify customers 30 days before adding or replacing a sub-processor via email and via the changelog. If you reasonably object, you may terminate the affected portion of the Service for the remainder of the current billing cycle.

  • Cloudflare, Inc.
    Purpose: Edge compute (Workers), storage (D1, KV, R2, Vectorize, Durable Objects, Queues), DNS, CDN, transactional email, and cookieless web analytics (the entire serving infrastructure)
    Location: Global (primary US)
  • Upstream model providers (selected by you per request)
    Purpose: Model inference
    Location: Varies by provider
  • Stripe, Inc.
    Purpose: Billing + payments
    Location: US
  • Google LLC (Google Workspace)
    Purpose: Corporate email + docs
    Location: US

7. International transfers

For EU/EEA/UK/Swiss personal data transferred to the United States or any other country without an adequacy decision, we rely on the EU Standard Contractual Clauses (Commission Decision 2021/914), the UK International Data Transfer Addendum (IDTA), and the Swiss FDPIC-approved SCCs. The Clauses are incorporated by reference; Module 2 (Controller to Processor) applies between you and us, and Module 3 (Processor to Sub-processor) applies between us and our sub-processors. A signed copy is attached to the executed DPA.

8. Security measures

  • TLS 1.3 in transit, HSTS on all subdomains.
  • AES-256-GCM at rest for every stored key, log, and file.
  • MFA on all production access; centralized identity; SCIM provisioning for Enterprise.
  • Audit logging of every admin, key create/revoke, login, and guardrail action.
  • Annual third-party penetration test; continuous secret scanning.
  • SOC 2 Type I attested; Type II target 2026 Q3; ISO 27001 planned 2027 Q1.
  • Vendor-risk review before onboarding any sub-processor.
  • Role-based least-privilege access; background checks on personnel with production access.
  • Secure SDLC with code review, dependency scanning, and pre-production vulnerability checks.

9. Audit rights

You may audit our compliance with this DPA by (a) reviewing the most recent SOC 2 report, (b) requesting our completed security questionnaire and pen-test summary, and (c) once per year, at your cost and on 30 days' notice, conducting an on-site or remote audit limited in scope to our obligations under this DPA and subject to confidentiality. Audits must be conducted during business hours and must not disrupt the Service.

10. Deletion + return

Within 30 days of termination of the Service we delete or return all personal data we hold on your behalf. Aggregated, non-identifying metrics may be retained. Invoices and other records required by tax law are retained for 7 years in accordance with our Privacy Policy.

11. Assistance with data-subject requests

Most data-subject requests can be self-served via the dashboard or API. For the rest, email privacy@aigateway.sh; we will assist without undue delay and consistent with the timelines required by applicable law.

12. Breach notification

We notify you of a confirmed personal-data breach affecting your data without undue delay and in any event within 72 hours of our confirmation, including the information required by Article 33(3) GDPR to the extent we have it.

13. Liability

Each party's liability under this DPA is subject to the limitations in the Terms of Service, except where a stricter standard is mandated by applicable data-protection law.

14. Order of precedence

Where there is a conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of personal data. Where there is a conflict between this DPA and the SCCs, the SCCs prevail.

15. Contact

Legal: legal@aigateway.sh
Privacy: privacy@aigateway.sh
Mailing address: Roushan, Inc., 1111b S Governors Ave, STE 55131, Dover, DE 19904, USA.