TokenBridge
Chinese AI API · European Access

Data Processing Agreement

TokenBridge — AI API Gateway  ·  v1.0  ·  Last updated: 26 May 2025

⚠️ This is v1.0. Review with your DPO before signing.


Contents

  1. Subject Matter and Duration
  2. Nature and Purpose
  3. Data Categories
  4. Processor Obligations
  5. Controller Obligations
  6. Sub-processors
  7. International Transfers
  8. Security Measures
  9. Audit Rights
  10. Breach Notification
  11. Liability
  12. Governing Law and Jurisdiction
  13. General Provisions

Between

The Customer ("Controller") — as identified in the order form or account agreement

AND

Polsia Inc. ("Processor"), registered in Delaware, United States, with registered office at 548 Market Street, San Francisco, CA 94104

1. Subject Matter and Duration

This Data Processing Agreement ("DPA") governs the processing of Personal Data by Processor on behalf of Controller in connection with the TokenBridge AI API gateway service ("Service").

The processing shall commence on the Effective Date and continue for the duration of the Service agreement.

2. Nature and Purpose of Processing

Processor processes Personal Data solely for the purpose of providing the TokenBridge Service — routing AI API requests to upstream providers, returning responses, and maintaining operational telemetry.

The upstream AI providers listed in Section 6 act as sub-processors of Processor for the purpose of generating completions. Controller remains responsible for its obligations as data controller, including determining the purposes and means of processing the prompts it submits via the Service.

3. Types of Personal Data and Categories of Data Subjects

Personal Data: Text input submitted by Controller or Controller's end users via the Service API ("Prompt Content"). Unless Controller redacts, Prompt Content may include personal data of Controller's end users.

Data Subjects: End users of Controller's application whose data is embedded in prompts submitted via the Service.

Special category data: Processor does not routinely process special category data. Controller must not submit special category data within the meaning of Article 9 GDPR (racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, health data, sex life or sexual orientation) via the Service without prior written notice to Processor and a documented data protection impact assessment.

4. Processor Obligations

Processor shall:

  • (a) Process Personal Data only on documented instructions from Controller, unless required to do otherwise by applicable law;
  • (b) Ensure that personnel authorised to process Personal Data are subject to binding confidentiality obligations;
  • (c) Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including: encryption in transit (TLS 1.2+), access controls, and regular security reviews;
  • (d) Not engage any sub-processor without Controller's prior written authorisation (general written authorisation is granted per the sub-processor list in Section 6);
  • (e) Assist Controller in responding to data subject rights requests (access, rectification, erasure, restriction, portability, objection) within 30 days of receiving notice;
  • (f) Notify Controller without undue delay, and in any event within 72 hours, upon becoming aware of a Personal Data Breach;
  • (g) Upon termination of the Service, delete or return all Personal Data (at Controller's election) within 30 days, and certify compliance in writing if requested;
  • (h) Make available to Controller all information necessary to demonstrate compliance with this DPA, and permit and contribute to audits, including inspections, conducted by Controller or an independent auditor mandated by Controller, on the notice, frequency and cost terms set out in Section 9.

5. Controller Obligations

  • (a) Ensure that its instructions for processing via the Service comply with applicable data protection law, including the GDPR;
  • (b) Conduct and document a Transfer Impact Assessment (TIA) prior to submitting prompts containing personal data, having regard to the laws of the upstream provider's country of establishment;
  • (c) Redact or pseudonymise personal data in Prompt Content before submission where required to do so by applicable law or its own data protection obligations;
  • (d) Notify Processor promptly if Processor is processing data in a manner that infringes GDPR or other applicable data protection law.

6. Sub-processors

Controller grants general written authorisation for Processor to engage the following sub-processors:

  • DeepSeek (Hangzhou DeepSeek Intelligence Innovation Technology Co., Ltd.). Country: China. Purpose: upstream AI model provider (primary). Website: deepseek.com
  • Alibaba Qwen (Alibaba Group Holding Ltd.). Country: China. Purpose: upstream AI model provider (future). Website: qwen.ai
  • ByteDance Doubao (ByteDance Ltd.). Country: China. Purpose: upstream AI model provider (future). Website: doubao.com

Processor shall notify Controller at least 30 days before engaging any new sub-processor. Controller may object in writing within 15 days; Processor will make reasonable efforts to address the objection or terminate the sub-processor engagement.

Processor shall impose data protection obligations on sub-processors equivalent to those in this DPA, and remains liable to Controller for the performance of its sub-processors.

7. International Data Transfers

Personal Data leaves the EEA at two points: first when Controller submits it to Processor, which is established in the United States (see "Between" above), and again when Processor routes it to sub-processors in China. Both transfers are made under Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (the "EU SCCs"), incorporated herein by reference: Module Two (Controller to Processor) between Controller and Processor, and Module Three (Processor to Processor) between Processor and its sub-processors.

In light of Chinese data and security laws (the Personal Information Protection Law (PIPL), the Data Security Law (DSL) and the Cybersecurity Law (CSL)), the following supplementary measures are implemented:

  • Data minimisation: Controller is responsible for redacting personal data from Prompt Content before submission. The Service does not require personal data to function.
  • No identifiers required: The Service operates on the prompt text it is given and needs no identifier of the end user to route a request. Any personal data present is incidental, and Controller controls what is included.
  • Pseudonymisation before transmission: Controller is encouraged to replace personal data in Prompt Content with placeholder tokens before submission, keeping the mapping between placeholders and real values on Controller's side so that it never crosses the gateway.
  • No persistence by Processor: Processor logs metadata only (request timestamp, model, token count, error codes). Prompt Content and completion content are not stored by Processor after the response is returned. This measure covers Processor's own systems; retention by sub-processors is governed by the obligations Processor imposes on them under Section 6.
  • Contractual protections: Sub-processor agreements include obligations equivalent to the EU SCCs.

If supplementary measures prove insufficient due to changes in Chinese law or practice, Processor will notify Controller and the parties will cooperate in good faith to identify alternative safeguards or suspend the affected transfer.
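The pseudonymisation measure described above is something Controller has to build on its own side of the gateway. The following is an added illustration of that step (it is not TokenBridge or Polsia code and nothing in the DPA prescribes it): personal data in the prompt is swapped for stable placeholder tokens derived from a keyed hash, the placeholder-to-value map stays local, and the completion is re-identified after it comes back. The regex patterns, the caller-supplied name list, the key and the sample prompt are constructed assumptions adequate for a demo only; a production deployment would pair the regexes with a proper entity-recognition pass.

```python
"""Pseudonymisation of Prompt Content before it crosses the gateway, with local
re-identification of the returned completion. Added illustration only; not
TokenBridge or Polsia code. Patterns, names and sample data are assumptions."""
import hashlib
import re
from dataclasses import dataclass, field

# Heuristic identifier patterns (assumption: demo-grade). Order matters: IBAN
# runs before PHONE so the phone pattern cannot swallow an account number.
PATTERNS = {
    "IBAN": re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b"),
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "PHONE": re.compile(r"\+?\d[\d\s().-]{7,}\d"),
}
PLACEHOLDER = re.compile(r"<[A-Z]+_[0-9a-f]{8}>")


@dataclass
class Vault:
    """Placeholder <-> original value map. Lives on Controller's side only. The
    keyed hash keeps placeholders stable across requests without revealing the
    value; the key itself is never part of the prompt."""
    key: bytes
    to_placeholder: dict = field(default_factory=dict)
    to_value: dict = field(default_factory=dict)

    def placeholder(self, kind: str, value: str) -> str:
        if value in self.to_placeholder:
            return self.to_placeholder[value]
        tag = hashlib.blake2b(value.encode(), key=self.key, digest_size=4).hexdigest()
        ph = f"<{kind}_{tag}>"
        self.to_placeholder[value] = ph
        self.to_value[ph] = value
        return ph


def pseudonymise(text: str, vault: Vault, names=()) -> str:
    """Replace known names and pattern matches with placeholders. Longest names
    go first so 'Anna Schmidt' is not split by an earlier 'Anna' replacement."""
    for name in sorted(names, key=len, reverse=True):
        if name in text:
            text = text.replace(name, vault.placeholder("NAME", name))
    for kind, pattern in PATTERNS.items():
        text = pattern.sub(lambda m, k=kind: vault.placeholder(k, m.group(0)), text)
    return text


def reidentify(text: str, vault: Vault) -> str:
    """Restore placeholders in a completion. A placeholder the vault does not
    know (for example one the model invented) is left as-is, never guessed."""
    return PLACEHOLDER.sub(lambda m: vault.to_value.get(m.group(0), m.group(0)), text)


def leaked(text: str, vault: Vault) -> list:
    """Pre-flight check: original values that are still present in the
    outgoing text. Must be empty before the request leaves Controller."""
    return [v for v in vault.to_placeholder if v in text]


if __name__ == "__main__":
    vault = Vault(key=b"controller-local-secret")  # assumption: loaded from a KMS in practice
    # Constructed sample prompt; every identifier in it is fictional.
    prompt = ("Write a polite reminder to Anna Schmidt (anna.schmidt@example.org, "
              "+49 30 1234567) that invoice 2025-17 is due to DE89 3704 0044 0532 0130 00.")
    outgoing = pseudonymise(prompt, vault, names=["Anna Schmidt"])
    assert not leaked(outgoing, vault)
    print("sent to gateway:", outgoing)
    # Simulated completion: the model echoes the placeholder it was given.
    completion = "Dear " + vault.to_placeholder["Anna Schmidt"] + ", your invoice is due."
    print("restored locally:", reidentify(completion, vault))
```

Only the `outgoing` string is submitted via the Service; the `Vault` and its key never leave Controller's environment, which is what makes this a supplementary measure rather than a cosmetic one. The `leaked` check is the gate a practitioner would put in front of the HTTP call, and the metadata the gateway logs (timestamp, model, token counts, status) is unaffected by the substitution.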

For transfers subject to UK GDPR, the EU SCCs apply with the UK Addendum (Version B1.0) incorporated herein.

8. Security Measures

Processor implements the following technical and organisational measures:

  • Encryption in transit: all API calls use TLS 1.2 or higher
  • Encryption at rest: database and backups are encrypted
  • Access control: role-based access, MFA for internal systems, least-privilege principle
  • Logging: metadata-only logging (no prompt/completion body storage)
  • Monitoring: intrusion detection, uptime monitoring, error rate alerting
  • Incident response: documented breach response procedure with 72h notification commitment
  • Vendor assessment: sub-processors evaluated for security and GDPR compliance before engagement

Certifications: No SOC 2 Type II or ISO 27001 certification is claimed as of the date of this DPA. Controller may request evidence of security measures or commission an audit per Section 4(h).

9. Audit Rights

Controller may audit Processor's compliance with this DPA no more than once per calendar year, upon 30 days written notice, during business hours, and at Controller's expense. Processor shall cooperate and provide evidence of compliance, including a summary of security controls and relevant policies.

Where Processor holds a current SOC 2 Type II report or equivalent certification, Controller may rely on that report in lieu of a dedicated audit, upon request.

10. Breach Notification

Processor shall notify Controller by email at the address associated with Controller's account (or as otherwise notified in writing) within 72 hours of becoming aware of a Personal Data Breach.

The notification shall include: (a) nature and likely consequences of the breach; (b) categories and approximate number of data subjects affected; (c) categories and approximate number of personal data records affected; (d) measures taken or proposed to address the breach; (e) name and contact details of the data protection contact (if applicable).

11. Liability

Processor's total aggregate liability arising from or in connection with this DPA, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, shall not exceed the fees paid by Controller in the 12 months preceding the event giving rise to the claim.

Neither party limits or excludes liability for: death or personal injury caused by negligence; fraud or fraudulent misrepresentation; breach of obligations implied by law; or unlawful processing of personal data where liability cannot be limited under applicable law.

12. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of England and Wales, without prejudice to any mandatory consumer protection laws in Controller's jurisdiction.

Disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales, unless a data subject brings proceedings in the courts of the Member State where they have their habitual residence.

13. General Provisions

This DPA forms part of the TokenBridge Service Agreement. In the event of conflict, this DPA prevails with respect to data protection matters.

Processor may update this DPA to reflect changes in applicable law or its sub-processor list, with 30 days notice.

The Standard Contractual Clauses (Implementing Decision (EU) 2021/914; Module Two between Controller and Processor, Module Three between Processor and its sub-processors) are incorporated herein by reference and form part of this DPA.

Questions? privacy@polsia.app
