Data Processing Agreement
Effective date: 2026-05-01 · Version: v1.0-beta
This Data Processing Agreement ("DPA") forms part of the agreement between Novpix LLC ("Processor", "we") and the customer ("Controller", "you") for the use of the powapi service ("Service"). This DPA is offered to B2B customers handling personal data of EU/UK/EEA data subjects in the course of using the Service. It implements the requirements of GDPR Article 28 and equivalent UK provisions.
By accepting these Terms or by separate signature, you agree to this DPA.
1. Definitions
Terms not defined here have the meaning given in the GDPR.
- Customer Data means personal data submitted by you (or end users on your behalf) to the Service for processing.
- Sub-processor means a third party engaged by us to process Customer Data on our behalf.
- Standard Contractual Clauses (SCCs) means the standard contractual clauses adopted by the European Commission (Decision 2021/914) for the transfer of personal data to third countries.
2. Subject matter and duration
The subject matter of the processing is the operation of the Service. The processing continues for the term of the underlying agreement and any wind-down period required to delete or return Customer Data.
3. Nature, purpose, and categories
| Item | Detail |
|---|---|
| Nature | Forwarding API requests to upstream language-model providers; recording usage metrics |
| Purpose | Delivering the Service to the Controller |
| Categories of personal data | Whatever the Controller chooses to include in API request bodies; technical metadata (IP, user-agent) |
| Categories of data subjects | The Controller's own end users, employees, and any other individuals whose data is included in requests |
| Sensitive categories | None expected by default; Controller is responsible for ensuring no special-category data is sent unless explicitly necessary |
4. Processor obligations
We will:
- process Customer Data only on documented instructions from the Controller, including transfers to third countries;
- ensure that personnel authorised to process Customer Data are bound by confidentiality;
- implement appropriate technical and organisational measures (Annex A);
- assist the Controller in responding to data-subject requests, security incidents, and DPIAs;
- notify the Controller of a personal-data breach without undue delay (within 72 hours of awareness, where feasible);
- delete or return Customer Data at the end of the agreement, unless retention is required by law.
5. Sub-processors
The Controller authorises us to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | United States |
| Postmark | Transactional email | United States |
| Hetzner Online GmbH | Primary hosting | Germany |
| Anthropic, PBC | Language-model provider | United States |
| DeepSeek AI Ltd | Language-model provider | China / Singapore |
We give at least 30 days' prior notice of any new sub-processor. The Controller may object on reasonable data-protection grounds; if we cannot accommodate the objection, the Controller may terminate the affected portion of the Service.
6. International transfers
For transfers from the EU/EEA to a country without an adequacy decision, the SCCs (Module 2: Controller-to-Processor) are deemed incorporated into this DPA, with us as data importer. Annex II of the SCCs is set out in Annex A of this DPA.
7. Data-subject rights
We provide tooling within the panel to allow the Controller to access, rectify, and erase Customer Data. For requests we cannot fulfil through self-service, contact privacy@powapi.io.
8. Audit
The Controller may, no more than once per year and upon 30 days' notice, request a copy of our most recent third-party audit report or security questionnaire. On-site audits will be considered for material concerns subject to mutual agreement on scope, timing, and confidentiality.
9. Liability
The liability provisions of the underlying Terms of Service apply to this DPA, except where the GDPR mandates otherwise.
Annex A — Technical and organisational measures
- Encryption in transit: TLS 1.2+
- Encryption at rest: AES-256 for database and backups
- Access control: least-privilege RBAC; production access via SSO + hardware MFA; audited access logs
- Authentication: Argon2id password hashing; HMAC-SHA256 API key hashing
- Network: private VPC; managed firewalls; no public database exposure
- Monitoring: centralised logs with anomaly alerts; on-call rotation
- Backups: daily encrypted backups; 30-day retention; tested restore quarterly
- Personnel: background checks for production access; mandatory annual security training
- Incident response: documented runbook; 72-hour notification SLA
Annex B — List of sub-processors
See section 5 above.
Contact
DPA questions: privacy@powapi.io. Novpix LLC, 131 Continental Dr Suite 305, Newark, DE 19713, US.