Legal
Data Processing Agreement
Effective 30 April 2026.
This Data Processing Agreement ("DPA") forms part of the agreement between you (the "Customer" or "Controller") and Mobile Paradigm Consultancy Ltd trading as Frontendlabs ("GPUBox" or "Processor") for use of the Service. It applies whenever the Customer transmits personal data through the Service. Capitalised terms not defined here have the meaning given in our Terms of Service. Where this DPA conflicts with the Terms in respect of personal data, this DPA prevails.
1. Roles
For personal data the Customer (or its end users) submits to the Service:
- The Customer is the controller.
- GPUBox is the processor.
- GPUBox engages sub-processors as listed in Schedule 2.
2. Subject matter and duration
Subject matter: provision of AI inference, embedding, and speech-to-text services on UK-hosted infrastructure. Duration: the term of the underlying Terms of Service plus any retention period required by law.
3. Nature, purpose, and processing operations
- Nature: receiving inputs from the Customer's authenticated API calls, running them through AI models, returning outputs.
- Purpose: providing the Service the Customer subscribed to.
- Operations: collection (transient receipt), structuring, retrieval, use, transmission, deletion. No storage of inputs/outputs beyond the response lifecycle, except where the Customer explicitly opts in.
4. Categories of data and data subjects
The Customer determines the categories. They may include any data the Customer chooses to send, including ordinary business data, technical text, audio, and (if the Customer chooses to send it) personal data about its end users, employees, or contacts. The Customer must not send special categories of personal data (UK GDPR Art. 9), criminal-offence data (Art. 10), children's data, biometric data, or PCI cardholder data through the Service unless we have separately and expressly agreed to support that processing in writing.
5. Processor obligations
GPUBox will:
- process personal data only on the Customer's documented instructions, including with regard to international transfers; the Service interface (your API calls) constitutes documented instructions for routine processing;
- ensure persons with access are bound by confidentiality;
- implement appropriate technical and organisational measures (see Schedule 1);
- assist the Customer with rights requests, breach notifications, DPIAs, and prior consultations;
- notify the Customer without undue delay (and in any event within 72 hours of becoming aware) of a personal-data breach affecting that Customer's data;
- on termination of the Service, delete personal data within 30 days unless retention is required by law (see Section 12);
- make available all information necessary to demonstrate compliance, and allow for audits as set out in Section 8.
6. Customer obligations
The Customer warrants that:
- it has a lawful basis for the processing it instructs GPUBox to carry out;
- it has provided all required notices to data subjects and obtained all required consents;
- it will not instruct GPUBox to process personal data unlawfully;
- it will keep its API keys secure and is responsible for activity on its tenant.
7. Sub-processors
The Customer authorises GPUBox to engage the sub-processors listed in Schedule 2. GPUBox imposes data protection obligations on each sub-processor that are no less protective than those in this DPA. GPUBox will notify the Customer at least 14 days before adding or replacing a sub-processor. The Customer may object on reasonable data-protection grounds; if we cannot accommodate the objection we will work in good faith to find a solution, failing which the Customer may terminate the affected portion of the Service.
8. Audits
GPUBox will, on reasonable written notice and no more than once per 12 months (more frequently if a regulator or breach requires), respond to written audit questionnaires and make available documentation reasonably necessary to demonstrate compliance with this DPA. On-site audits are available to enterprise Customers under a separate written agreement.
9. International transfers
Inference takes place in the United Kingdom. Where personal data is transferred outside the UK to a sub-processor in a country without an adequacy decision, GPUBox relies on the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or other lawful transfer mechanisms, plus appropriate supplementary measures. Schedule 2 identifies which sub-processors process data outside the UK.
10. Liability
Each party's liability under this DPA is governed by the liability provisions of the Terms of Service. Nothing in this DPA excludes or limits liability that cannot be excluded or limited under applicable law.
11. AI training and reuse
GPUBox does not use Customer-submitted personal data to train, fine-tune, or evaluate any AI model that GPUBox or any third party serves to another customer. Any future opt-in to such use will require a separate written agreement.
12. Return and deletion
On termination of the Service, or earlier on Customer instruction:
- GPUBox will delete API keys, tenant configuration, and any cached Customer Data within 30 days;
- GPUBox will retain billing records and the minimum audit log required by law (see Privacy Policy Section 5);
- GPUBox will provide a written confirmation of deletion on request.
13. Governing law
This DPA is governed by the laws of England and Wales and is subject to the jurisdiction set out in the Terms of Service.
Schedule 1 — Technical & organisational measures
- Encryption in transit: TLS 1.2+ for all client and inter-service traffic.
- Encryption at rest: at infrastructure-provider level on all persistent storage.
- Authentication: SHA-256-hashed API keys; plaintext is never stored.
- Access controls: least-privilege staff access; multi-factor authentication on admin systems.
- Audit logging: per-call audit log with tenant id, timestamp, model id, request id, status; retained for at least 30 days.
- Network isolation: internal services bind to localhost; only the gateway is publicly reachable, behind an authenticated tunnel.
- Backups: daily encrypted backups of state-plane data with documented restore procedures.
- Vulnerability management: dependency tracking, security review of code changes, regular updates.
- Incident response: documented breach-notification process; 72-hour Customer notification commitment.
- Personnel: confidentiality obligations on staff and contractors; named-subprocessor disclosure for any third-party processing.
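The "SHA-256-hashed API keys; plaintext is never stored" measure above, shown as an added illustration rather than GPUBox's own gateway code: the key format (`gb_<key_id>_<secret>`), the in-memory store and the function names are assumptions made for this example. The store keeps only a SHA-256 digest of the secret part, looks records up by the non-secret key id, and compares digests in constant time so that neither a valid key id nor a near-miss secret is revealed by response timing. Deleting a tenant's records is the Section 12 deletion step applied to API keys.

```python
"""Added example (not GPUBox's code): persist only SHA-256 digests of API
keys and still authenticate callers in constant time.  The key format,
prefix and in-memory store are assumptions for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

KEY_PREFIX = "gb_"  # assumed key format: gb_<key_id>_<secret>


@dataclass
class KeyRecord:
    tenant_id: str
    secret_sha256: str  # hex digest of the secret part; plaintext is never kept


def hash_secret(secret: str) -> str:
    """SHA-256 hex digest of the secret; this is the only value persisted."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


# Digest compared against when the key id is unknown, so that an unknown id
# costs the same hash-and-compare as a known one (no timing oracle on ids).
_DUMMY_DIGEST = hash_secret("")


def parse_api_key(api_key: str):
    """Split 'gb_<key_id>_<secret>' into (key_id, secret); None if malformed."""
    if not api_key.startswith(KEY_PREFIX):
        return None
    parts = api_key[len(KEY_PREFIX):].split("_", 1)
    if len(parts) != 2 or not all(parts):
        return None
    return parts[0], parts[1]


class KeyStore:
    """Stand-in for the tenant key table: key_id -> KeyRecord (hash only)."""

    def __init__(self):
        self._records = {}

    def issue(self, tenant_id: str) -> str:
        """Create a key with 256 bits of entropy; return the plaintext once."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_hex(32)
        self._records[key_id] = KeyRecord(tenant_id, hash_secret(secret))
        return f"{KEY_PREFIX}{key_id}_{secret}"  # shown to the caller, not stored

    def authenticate(self, presented: str):
        """Return the tenant id for a valid key, or None."""
        parsed = parse_api_key(presented)
        if parsed is None:
            return None
        key_id, secret = parsed
        record = self._records.get(key_id)
        candidate = hash_secret(secret)  # always hash, even for unknown ids
        if record is None:
            hmac.compare_digest(_DUMMY_DIGEST, candidate)  # equalise timing
            return None
        if hmac.compare_digest(record.secret_sha256, candidate):
            return record.tenant_id
        return None

    def delete_tenant(self, tenant_id: str) -> int:
        """Section 12-style deletion: drop every key record for the tenant."""
        doomed = [k for k, r in self._records.items() if r.tenant_id == tenant_id]
        for k in doomed:
            del self._records[k]
        return len(doomed)

    def stored_values(self):
        """What an attacker with database read access would obtain: digests only."""
        return [r.secret_sha256 for r in self._records.values()]


if __name__ == "__main__":
    store = KeyStore()
    key = store.issue("tenant-a")
    print("issued:", key)
    print("authenticated as:", store.authenticate(key))
    print("stored:", store.stored_values())
```

Because the secret carries 256 bits of entropy, an unsalted SHA-256 is adequate here (brute force is infeasible and rainbow tables do not apply); a slow password hash would only add latency on every API call. The per-key identifier is what makes the lookup a direct index rather than a scan of all digests.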
Schedule 2 — Sub-processor list
| Sub-processor | Service | Location | Transfer mechanism |
|---|---|---|---|
| Stripe Payments UK Ltd | Payment processing, invoicing | UK / Ireland / US | UK adequacy / IDTA |
| Resend Inc. | Transactional email (receipts) | EU (Ireland, eu-west-1) | UK-EU adequacy |
| Cloudflare Inc. | DNS, edge proxy, CDN, web analytics | UK / Ireland / global edge | UK-EU adequacy / IDTA |
| GitHub, Inc. | Source code hosting (no Customer Data) | US | IDTA / SCCs |
For any DPA-related question, or to request a signed counterpart, email hello@gpubox.ai.