Template. This is HostYourAI's published Data Processing Agreement template, version 1.0 (2026-06-10). For a signed, counter-party-named copy, email legal@hostyourai.com with your company name, KvK/VAT number, and DPO contact. The standard template is returned countersigned within 2 business days; bespoke negotiation is possible for enterprise contracts.
Parties
Processor: HostYourAI B.V., a private company with limited liability incorporated under Dutch law, having its registered office in the Netherlands ("Processor" or "HostYourAI").
Controller: The customer entity named in the underlying service agreement with HostYourAI ("Controller" or "Customer").
Together: the "Parties". This DPA forms an integral part of the underlying service agreement (the "Main Agreement") and applies whenever HostYourAI processes Personal Data on behalf of the Customer.
1. Definitions
Capitalised terms have the meaning given in the GDPR (Regulation (EU) 2016/679). "Personal Data", "Processing", "Controller", "Processor", "Sub-processor", "Data Subject" and "Personal Data Breach" carry their GDPR meaning.
2. Subject matter, nature, purpose, duration
- Subject matter: Processing of Personal Data submitted by Customer (or its end users) to HostYourAI's LLM inference, routing, knowledge-base and agent services.
- Nature & purpose: Receiving prompts and context, executing inference on GPU compute, returning responses, and providing related platform functions (key management, billing, audit logging). HostYourAI does not Process Personal Data for its own purposes and never trains models on Customer data.
- Duration: For as long as the Main Agreement is in force, plus any retention period required by law.
- Categories of Data Subjects: Customer's employees, agents, and end users.
- Categories of Personal Data: Identifiers (account, email), free-text content submitted in prompts and responses (only retained if Customer enables transcripting), uploaded knowledge-base content, technical metadata (IP, timestamps, model usage), payment metadata (via Stripe). No special category data unless explicitly contracted.
3. Roles
Customer is the Controller (or Processor acting on behalf of its own controller(s)). HostYourAI Processes Personal Data as Processor (or Sub-processor) solely on Customer's documented instructions, including those set out in the Main Agreement and this DPA.
4. Processor obligations
- Documented instructions only. HostYourAI Processes Personal Data only on documented instructions from Customer, including with regard to international transfers, unless required to do so by Union or Member State law (in which case HostYourAI shall inform Customer unless the law prohibits doing so).
- Confidentiality. HostYourAI ensures that personnel authorised to Process Personal Data are bound by confidentiality.
- Security (Art. 32). HostYourAI implements appropriate technical and organisational measures, including those listed in Annex II, having regard to the state of the art, the costs of implementation, and the risks to Data Subjects.
- Sub-processors. Customer grants general written authorisation to HostYourAI to engage Sub-processors. The current list is maintained at /legal/subprocessors. HostYourAI notifies Customer at least 30 days in advance of any intended addition or replacement of Sub-processors, giving Customer the opportunity to object on reasonable grounds. If Customer reasonably objects, the Parties shall negotiate in good faith; if no resolution is reached within 30 days, either Party may terminate the affected Services without penalty.
- Sub-processor obligations. HostYourAI imposes on each Sub-processor data protection obligations substantively equivalent to those in this DPA. HostYourAI remains fully liable to Customer for the Sub-processor's compliance.
- Data Subject requests. HostYourAI assists Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling Customer's obligations to respond to Data Subject requests (Art. 12–22 GDPR).
- Personal Data Breach notification. HostYourAI notifies Customer without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer's Personal Data, providing all information reasonably available.
- DPIA assistance. HostYourAI provides reasonable assistance to Customer with data-protection impact assessments and prior consultations (Art. 35–36 GDPR), taking into account the nature of Processing and information available.
- Deletion / return on termination. Within 30 days of termination of the Main Agreement, and at Customer's choice, HostYourAI shall either delete or return all Personal Data, and delete existing copies, unless retention is required by law. On Customer's written request at any time during the term, HostYourAI shall delete identified Personal Data within 14 days, subject to legal retention requirements (e.g. invoicing data under Dutch tax law).
- Audits. HostYourAI makes available to Customer all information necessary to demonstrate compliance with Art. 28 GDPR. Customer (or an independent auditor mandated by Customer) may audit HostYourAI no more than once per calendar year, on at least 30 days' written notice, during business hours, at Customer's cost, and subject to confidentiality. Findings of independent third-party audits (e.g. ISO 27001, SOC 2) provided by HostYourAI will be deemed to satisfy this obligation insofar as they cover the audited subject matter.
- No training. HostYourAI shall not use any Personal Data Processed under this DPA to train, fine-tune, evaluate or otherwise improve machine-learning models, whether its own or those of any Sub-processor, beyond the immediate execution of the requested inference. This obligation applies to prompts, responses, knowledge-base content, operational logs, and any derived data.
5. International transfers
Where Processing under this DPA involves a transfer of Personal Data to a country outside the EEA without an EU adequacy decision, the Parties shall implement appropriate safeguards as required by Art. 46 GDPR, including the European Commission's Standard Contractual Clauses (Decision 2021/914), which shall apply between the Parties or between HostYourAI and the relevant Sub-processor. The relevant SCC module is Module 2 (Controller-to-Processor) or Module 3 (Processor-to-Sub-processor), as applicable.
Customers who require no transfers outside the EEA may enable Sovereignty Mode on their account; in that mode, HostYourAI routes Processing exclusively to Sub-processors with an EU establishment and EU-only Processing locations.
6. Liability
The liability provisions of the Main Agreement apply to this DPA. Nothing in this DPA limits liability for breaches of the GDPR to the extent such limitation is prohibited by applicable law.
7. Term and termination
This DPA enters into force on the effective date of the Main Agreement and remains in force as long as HostYourAI Processes Personal Data for Customer.
8. Governing law and jurisdiction
This DPA is governed by the laws of the Netherlands. Disputes shall be submitted to the competent court in Amsterdam, without prejudice to any mandatory dispute-resolution mechanism under the GDPR or to the jurisdiction of supervisory authorities.
9. Order of precedence
In the event of any conflict, this DPA prevails over the Main Agreement on matters concerning the Processing of Personal Data. The SCCs (where applicable) prevail over this DPA on the matters they cover.
Annex I — Description of Processing
| Item | Detail |
|---|---|
| Subject matter | LLM inference, routing, knowledge-base and agent services as described in the Main Agreement. |
| Duration | Term of the Main Agreement plus any legally required retention. |
| Nature and purpose | Receiving prompts, executing inference on GPU compute, returning responses, supporting platform functions (auth, billing, audit, knowledge base). |
| Categories of Data Subjects | Customer's employees and end users. |
| Categories of Personal Data | Identifiers; free-text content (only retained if Customer enables transcripting); knowledge-base content; technical metadata (IP, timestamps, model usage); payment metadata. |
| Special categories | None unless contractually agreed. If contracted, additional safeguards under Annex II will be applied. |
| Frequency of transfer | Continuous, on a per-request basis. |
| Storage period | See /security. Prompts/responses: 0 days by default. Metadata: 90 days default, configurable 30–365. |
Annex II — Technical and Organisational Measures (TOMs)
- Encryption in transit: TLS 1.3 end-to-end.
- Encryption at rest: provider-native disk encryption on all storage; secrets encrypted with per-row keys (Laravel Crypt).
- Access control: least-privilege staff access; Sanctum hashed tokens for customer API auth; OAuth + optional Google SSO for web; admin actions logged.
- Pseudonymisation: API keys are hashed; customer identifiers are decoupled from prompt content (prompt content is not retained by default).
- Network: dedicated routing layer in front of GPU compute; per-request authentication; rate limiting and abuse detection.
- Backups: daily encrypted backups of application database; 30-day rolling retention.
- Monitoring & logging: append-only audit log (key creation, deletion, admin actions); metadata-only inference logs; alerting on anomalous usage.
- Incident response: documented runbook; 72-hour breach notification commitment; security contact at security@hostyourai.com.
- Personnel: confidentiality undertakings for all staff; security awareness training.
- Sub-processor management: published list, prior-notice obligation, equivalent-obligations requirement.
- Business continuity: multi-provider GPU strategy reduces single-vendor risk.
- Restoration: customer-controlled deletion and data export available via API.
Annex III — Sub-processors
The authoritative list is maintained at /legal/subprocessors. The list at the time of contract signing is incorporated by reference into this DPA.
Annex IV — Signatures
This template page is unsigned. Once requested via legal@hostyourai.com, the signed PDF will include both Parties' names, titles, and date of signing, and supersede this published template for the contractual relationship.