This Data Processing Addendum ("DPA") forms part of the Terms of Service between the customer ("Controller") and trAIce ("Processor") and applies whenever the Processor processes Personal Data on behalf of the Controller.
1. Definitions
"Personal Data", "Processing", "Controller", "Processor", and "Sub-processor" have the meanings given to them in the GDPR (EU 2016/679).
2. Scope of processing
- Subject matter: provision of trAIce's hosted analytics service.
- Duration: for the term of the underlying agreement.
- Nature and purpose: ingestion, storage, and analysis of LLM-call metadata; surfacing of cost and margin analytics.
- Categories of data subjects: end users of the Controller's applications whose identifiers (user ID, tenant ID) the Controller chooses to send.
- Categories of Personal Data: identifiers supplied by the Controller in event payloads. The Processor does not require any directly identifying information and recommends sending opaque IDs.
3. Processor obligations
The Processor will:
- Process Personal Data only on documented instructions from the Controller
- Ensure persons authorized to process Personal Data are bound to confidentiality
- Implement appropriate technical and organizational security measures (encryption in transit and at rest, least-privilege access, audit logging)
- Assist the Controller with data-subject requests within reasonable timeframes
- Notify the Controller without undue delay of any Personal Data breach
- On termination, delete or return all Personal Data within 30 days, unless retention is required by law
4. Sub-processors
The Controller authorizes the Processor to use the following sub-processors:
- Vercel Inc. — application hosting (United States)
- Supabase Inc. — database hosting (region selected by Processor)
- Sentry — error monitoring (United States)
- Upstash — rate-limiting infrastructure
- Resend — transactional email (United States)
The Processor will notify the Controller of any intended changes to sub-processors and give a reasonable opportunity to object.
5. International transfers
Where Personal Data is transferred outside the EU/UK to a country without an adequacy decision, the parties rely on the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as supplemental safeguards.
6. Audit
The Processor will make available to the Controller information necessary to demonstrate compliance with this DPA. The Controller may request a SOC 2 report (once available) or a written security questionnaire once per year.
7. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service.
8. Contact
Data protection contact: privacy@runtraice.com
This DPA is a template. Replace bracketed jurisdiction items, finalize the sub-processor list against your actual deployment, and have counsel review before executing with customers.