Legal Documents

Data Processing Addendum

Last updated: 1 March 2026  ·  Effective: 1 March 2026
1. Scope

This Data Processing Addendum ("DPA") forms part of the agreement between you ("Controller") and CloudSigma AG ("Processor") and governs the processing of personal data submitted through the TaaS API Service.

This DPA applies where your use of the Service involves sending personal data (e.g. names, email addresses, identifiers) in API request payloads.

2. Roles
  • You (Controller): determine the purposes and means of processing personal data in your applications.
  • CloudSigma AG (Processor): processes personal data only on your documented instructions (i.e. to route and fulfil your API requests).
3. Processing Activities
  • Subject matter: AI inference — text, image, or audio data submitted in API requests.
  • Duration: for the term of your account, plus retention periods set out in the Privacy Policy.
  • Nature: transmission, temporary in-memory processing, logging of metadata (not content).
  • Categories of data subjects: end users of your applications (as determined by you).
  • Categories of data: any personal data included in API payloads — we do not specify or restrict this; you are responsible for minimising personal data in prompts.
4. Processor Obligations
  • Process personal data only on your documented instructions.
  • Ensure personnel are bound by confidentiality.
  • Implement appropriate technical and organisational security measures (see Security page).
  • Assist you in responding to data subject rights requests where technically feasible.
  • Notify you of personal data breaches without undue delay (within 72 hours of becoming aware).
  • Delete or return personal data upon termination of the agreement.
5. Sub-processors

We engage the sub-processors listed on our Security & Subprocessors page. We will notify you of material changes to sub-processors with at least 14 days' notice, giving you the opportunity to object.

6. International Transfers

Where we transfer personal data outside the EEA/UK to sub-processors, we rely on Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA), as applicable. Copies available on request.

7. Audits

You may request audit information (questionnaires, certifications) once per calendar year. On-site audits require 30 days' notice and reasonable cost reimbursement.

8. Liability

Liability under this DPA is subject to the limitations set out in the Terms of Service.

9. Contact

Data protection enquiries: dpa@cloudsigma.com

Terms  ·  Privacy  ·  Cookies  ·  Acceptable Use  ·  © 2026 CloudSigma AG. All rights reserved.