ModelStack

Data Processing Agreement

Last updated: February 5, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer") and ModelStack ("Processor") regarding the processing of personal data through our API services.

2. Definitions

For the purposes of this DPA:

  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on personal data
  • "Controller" means the Customer (you)
  • "Processor" means ModelStack
  • "Sub-processor" means any third party engaged by ModelStack to process data
  • "Data Subject" means the individual whose personal data is processed

3. Scope of Processing

3.1 Nature and Purpose

ModelStack processes personal data solely for the purpose of providing AI model API services as instructed by the Customer through API requests.

3.2 Types of Data

Data categories may include:

  • Customer account information (email, name)
  • API usage metadata (timestamps, model selections, token counts)
  • Any personal data included in API prompts by the Customer

3.3 Zero-Log Commitment

Important: API request and response content (prompts and completions) is NOT logged or stored by ModelStack. This data is processed in memory only and immediately discarded after routing to upstream providers.

4. Customer Obligations

As the Controller, Customer shall:

  • Ensure lawful basis for processing personal data
  • Obtain necessary consents from data subjects
  • Provide required privacy notices to end users
  • Comply with applicable data protection laws (GDPR, CCPA, etc.)
  • Not process special categories of data without explicit agreement

5. ModelStack Obligations

As the Processor, ModelStack shall:

  • Process personal data only as instructed by Customer
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist Customer with data subject rights requests
  • Delete or return personal data upon contract termination
  • Notify Customer of any data breaches without undue delay

6. Sub-processors

6.1 Authorized Sub-processors

Customer authorizes ModelStack to engage the following sub-processors:

  • Cloudflare: Infrastructure and edge routing
  • AI Model Providers: OpenAI, Anthropic, Google, etc. (per Customer's model selection)
  • Payment Processors: Stripe or equivalent for billing

6.2 Sub-processor Changes

We will notify Customer of any new sub-processors with 30 days' notice. Customer may object for legitimate data protection reasons.

7. Security Measures

ModelStack implements:

  • Encryption in transit (TLS 1.3)
  • Encryption at rest for stored data
  • API key hashing and secure authentication
  • Access controls and audit logging
  • Regular security assessments
  • Incident response procedures

8. Data Subject Rights

ModelStack will assist Customer in responding to data subject requests (access, rectification, erasure, portability, restriction) within 14 days of Customer's request. Customer is responsible for verifying data subject identity.

9. Data Breach Notification

In the event of a personal data breach, ModelStack will notify Customer without undue delay and no later than 72 hours after becoming aware, providing available details about the nature, scope, and impact of the breach.

10. Data Transfers

Personal data may be transferred to and processed in regions where our sub-processors operate. For transfers outside the EEA, we rely on Standard Contractual Clauses or equivalent safeguards.

11. Audits

Customer may audit our compliance with this DPA once per year with reasonable notice. We will provide relevant documentation and certifications (SOC 2, ISO 27001, etc.) upon request.

12. Data Retention and Deletion

Upon termination or expiry of services, ModelStack will delete or return all personal data within 30 days unless required to retain by law. API request/response content is never stored and requires no deletion.

13. Liability and Indemnification

Each party's liability under this DPA is subject to the limitation of liability clause in the Terms of Service. Customer indemnifies ModelStack against claims arising from Customer's failure to comply with data protection laws.

14. Term and Termination

This DPA remains in effect for the duration of the Terms of Service and will automatically terminate upon termination of the services.

15. Contact

For data protection inquiries or to exercise DPA rights, contact our Data Protection Officer at dpo@modelstack.cc