Data Processing Addendum

Effective 2026-05-25 · Version 1.0 · Stub pending counsel review

What this document is. A starting-point DPA based on the European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor) and the UK ICO's International Data Transfer Addendum. Enterprise customers receive a signed PDF version that countersigns the Annexes for their specific data flows. To request a countersigned DPA, book a 15-minute call and bring your legal entity name and address.

1. Definitions

“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, “Subprocessor”, “Supervisory Authority”, “Personal Data Breach” — have the meanings given in Regulation (EU) 2016/679 (GDPR) and, where applicable, the UK GDPR.
“Customer” — the legal entity that has entered into the Terms of Service or a Master Service Agreement with Amperes AI Inc. The Customer is the Controller for all Personal Data processed under this DPA.
“Amperes” — Amperes AI Inc., a Delaware corporation, acting as the Processor under this DPA.
“Customer Personal Data” — Personal Data contained in Customer Data (as defined in the Terms of Service) and processed by Amperes on behalf of the Customer.
“Applicable Data Protection Law” — the GDPR, the UK GDPR, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act (CCPA) as amended by the CPRA, and any other data protection law that applies to a party's processing of Customer Personal Data.

2. Roles and scope

The Customer is the Controller and Amperes is the Processor of Customer Personal Data. Amperes will process Customer Personal Data only on documented instructions from the Customer, which instructions include the Terms of Service, this DPA, and the configuration settings the Customer sets in the dashboard or via the API (such as allowed_providers, allowed_regions, store_full_prompts, log_retention_days, and the PII action). If Amperes is required by law to process Customer Personal Data otherwise, it will notify the Customer of that legal requirement before processing, unless prohibited from doing so.

The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are set out in Annex I.

3. Confidentiality

Amperes will ensure that all personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and receive appropriate training on their data-protection responsibilities.

4. Security measures

Amperes will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to. The minimum measures are described in Annex II. Amperes may update these measures from time to time, provided that the updated measures are at least as protective as those replaced.

5. Subprocessors

The Customer authorizes Amperes to engage the Subprocessors listed in Annex III. Amperes will:

Enter into a written agreement with each Subprocessor imposing data protection obligations no less protective than those in this DPA;
Remain liable for the acts and omissions of its Subprocessors to the same extent as for its own;
Give the Customer at least 30 days notice (by email to the Customer's primary contact) before adding or replacing a Subprocessor;
Permit the Customer to object to a new Subprocessor on reasonable data-protection grounds. If the parties cannot resolve the objection, the Customer may terminate the Terms of Service with a pro-rata refund of prepaid fees for the period after termination.

6. Personal Data Breach

Amperes will notify the Customer without undue delay, and in any case within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notice will describe:

The nature of the breach including, where possible, the categories and approximate number of Data Subjects and records concerned;
The name and contact details of Amperes's data-protection point of contact;
The likely consequences of the breach;
The measures taken or proposed to address the breach, including mitigations.

If full information is not available within 72 hours, Amperes will provide an initial notice and follow up with additional information as it becomes available. Customer is responsible for any notifications to Data Subjects or Supervisory Authorities required by Applicable Data Protection Law; Amperes will provide reasonable assistance with those notifications.

7. Data subject requests and assistance

Amperes will, taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the Customer's obligation to respond to requests for exercising Data Subject rights laid down in Chapter III of the GDPR. If Amperes receives a request directly from a Data Subject relating to Customer Personal Data, Amperes will forward the request to the Customer without undue delay and will not respond to the Data Subject directly except to confirm receipt.

8. Audits

Amperes will make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, including the SOC 2 Type I report (once available, target Q3 2026) and the penetration test summary (once available, target Q4 2026). Customers with a signed MSA may, on at least 30 days written notice and no more than once per year (except after a Personal Data Breach), conduct an audit of Amperes's technical and organizational measures, at the Customer's expense, during normal business hours, in a manner that does not unreasonably interrupt Amperes's operations.

9. International transfers

The default Amperes deployment processes data in the United States (AWS us-east-2). To the extent Customer Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a third country that has not received an adequacy decision, the transfer is governed by:

The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), Module 2: Controller to Processor, which are hereby incorporated by reference as if set out in full, with the Annexes completed as set out in Annexes I, II, and III of this DPA;
The UK ICO's International Data Transfer Addendum, version B1.0, hereby incorporated by reference;
For Swiss data, the SCCs apply with references to the GDPR additionally read as references to the Swiss Federal Act on Data Protection.

The parties agree that the transfer impact assessment for these clauses is satisfied by the supplementary measures described in Annex II (TLS in transit, AES-256 at rest, access controls, audit logs) together with Amperes's commitment to challenge any unlawful access request from a public authority. EU-resident customers under enterprise tier may elect in-region processing in eu-west-1 (Ireland), which removes the need for SCCs for European data.

10. Return or deletion of Customer Personal Data

On termination of the Terms of Service or on the Customer's written request, Amperes will, at the Customer's choice, return all Customer Personal Data to the Customer or delete it, and certify the deletion in writing. Deletion occurs within 30 days, except for audit-log entries retained as required by Section 6 of the Privacy Policy, and except for data Amperes is legally required to retain (in which case Amperes continues to apply this DPA to that data).

11. Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability in Section 10 of the Terms of Service. To the extent a Data Subject brings a claim under the SCCs that the SCCs require to be borne by Amperes notwithstanding the cap, the Terms of Service contractual cap does not apply to that specific claim — Amperes's liability is governed by the SCCs.

12. Term and termination

This DPA takes effect on the same date as the Terms of Service and continues until the Customer has stopped using the Service and Amperes has completed the return or deletion required by Section 10.

Annex I — Subject matter and duration

I.A — List of parties

Data exporter (Controller) — the Customer, as identified in the order form or MSA.
Data importer (Processor) — Amperes AI Inc., a Delaware corporation. Contact: book a 15-minute call.

I.B — Description of transfer

Categories of Data Subjects — end users of the Customer's applications and, depending on the Customer's use case, individuals referenced in the Customer's prompts.
Categories of Personal Data — whatever the Customer chooses to include in its prompts. Typically: text submitted by end users, the Customer's prompt context (which may include account identifiers, transcripts, or document excerpts), and the model's response. By default Amperes stores only the SHA-256 hash of the prompt plus routing metadata. Full prompt text is stored only if the Customer sets store_full_prompts = true.
Sensitive data — whatever the Customer chooses to include. The PII detector at the proxy (Section 2.10 of the documentation) detects and redacts the following categories if the Customer enables it: email, phone, US SSN, credit card number with Luhn validation, IP address, AWS access keys, generic API keys, US street address, date of birth, medical record number, plus one customer-defined regex slot. HIPAA mode routes only to Bedrock-hosted models with executed BAAs.
Frequency of transfer — continuous, as the Customer sends API requests.
Nature of the processing — classification, routing, governance enforcement (PII detection, region filtering, HIPAA mode), forwarding to Upstream Providers selected by the Customer's configuration, response logging, audit logging, dashboard rendering.
Purpose — providing the Service.
Retention — as configured by the Customer (log_retention_days, default 90 days). Audit logs retained for the term plus 90 days.

I.C — Supervisory Authority

For data exporters in the EU: the supervisory authority of the Member State in which the data exporter is established. For data exporters in the UK: the Information Commissioner's Office. For Swiss data: the Federal Data Protection and Information Commissioner.

Annex II — Technical and organizational security measures

II.A — Encryption

TLS 1.2+ on every customer-facing endpoint (api.amperes.pro, dashboard.amperes.pro, amperes.pro).
AES-256 at rest via AWS managed encryption on EBS volumes, S3 buckets, RDS instances, and SQLite snapshots.
Mutual TLS available for in-VPC deployments under enterprise tier.
API keys stored as bcrypt hashes; never logged or transmitted in plaintext.

II.B — Access control

AWS IAM with least-privilege scoping per role.
Multi-factor authentication enforced on all administrative accounts.
No shared credentials; per-person admin accounts.
Tenant isolation: every database query is scoped by customer_id and verified by repository-layer assertions.
Per-customer API rate limits enforced at the proxy.

II.C — Audit and monitoring

Append-only audit table for every administrative action, every routing decision, every governance event.
CloudWatch metric emission for cost, latency, error rate, drift detector status.
Optional S3 export of the audit log on a customer-configured cadence (default: daily).
Application logs scrubbed of API keys, full prompt text (unless explicitly opted in), and PII before persistence.

II.D — Resilience and backup

Encrypted automated daily backups of the proxy database, retained 30 days.
Disaster recovery runbook covering region failover, RPO (15 min), and RTO (4 h) targets.
Per-customer budget enforcement to prevent runaway spend.

II.E — Software development and change management

All code changes reviewed via pull request before merge to main.
CI runs the full test suite (273 tests at time of writing) plus linting and type-checking on every PR.
Dependencies pinned in pyproject.toml; Dependabot monitors for known vulnerabilities.
Production deploys gated on the customer's consent for major configuration changes; minor patches under the standard deploy runbook.

II.F — Vulnerability management and incident response

High-severity CVEs patched within 14 days; critical within 72 hours.
Annual third-party penetration test (target Q4 2026; not yet executed at time of writing).
Personal Data Breach notification within 72 hours per Section 6 of this DPA.
Designated security contact: book a call for urgent disclosure; we will move to a secure channel within 4 hours.

II.G — Personnel

All personnel sign NDA and complete data-protection training on onboarding.
Background checks for personnel with administrative access.
Access provisioning and de-provisioning logged.

Annex III — Authorized Subprocessors

This is the same list as Section 7 of the Privacy Policy. Subject to the Customer's allowed_providers configuration.

Subprocessor	Purpose	Region(s)
Amazon Web Services, Inc.	Infrastructure hosting (EC2, RDS, S3, CloudWatch, Route53), Bedrock model invocation when selected by the router	us-east-2 (default); customer-elected region for in-VPC; eu-west-1 for EU-resident enterprise customers
OpenAI, L.L.C.	GPT-family model invocation when selected by the router; embeddings for the complexity classifier	United States
Anthropic, PBC	Claude model invocation when selected by the router	United States
Google LLC (Gemini)	Pairwise eval judge (cross-family; not used for live routing)	United States
GitHub, Inc. (Microsoft)	Source code repository hosting	United States
Stripe, Inc.	Payment processing (only applicable to fee-paying customers)	United States

This list will be updated with at least 30 days notice before any addition or replacement. Book a call to subscribe to subprocessor change notifications.

Data ProcessingAddendum.