Legal
Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of the agreement between you (“Controller”) and Metis (“Processor”) for the provision of KeyForge, and governs our processing of personal data on your behalf.
Effective date: July 6, 2026·Last updated: July 6, 2026
1. Roles and scope
To the extent we process personal data contained in Customer Data on your behalf, you are the controller (or processor acting for another controller) and we are the processor (or subprocessor). This DPA applies to that processing and is incorporated into our Terms of Service. For personal data we handle as a controller, our Privacy Policy applies.
2. Processing details
- Subject matter: provision of the AI gateway Service.
- Duration: for the term of your use of the Service and any post-termination export period.
- Nature and purpose: routing, budgeting, rate limiting, logging, security, and support.
- Types of data: account identifiers and any personal data contained in your requests, content, and metadata.
- Data subjects: your users, personnel, and any individuals referenced in your Customer Data.
3. Processing instructions
We process personal data only on your documented instructions, including as set out in the agreement and this DPA, and as necessary to provide and secure the Service, unless required to act otherwise by law (in which case we will inform you where legally permitted). We do not use your prompts, inputs, or outputs to train foundation models.
4. Confidentiality
We ensure that personnel authorized to process personal data are bound by appropriate confidentiality obligations and process personal data only as needed to perform their duties.
5. Security
We implement and maintain appropriate technical and organizational measures designed to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, taking into account the state of the art and the risks of processing. These include encryption in transit and at rest, access controls, virtual keys that avoid raw-credential exposure, and tamper-evident audit logging.
6. Subprocessors
You provide general authorization for us to engage subprocessors to process personal data. Our current subprocessors, their processing purpose, and location are published on our subprocessor page. We impose data-protection obligations on each subprocessor that are no less protective than those in this DPA, and we remain responsible for their performance.
We will provide notice before adding or replacing a subprocessor (by updating the subprocessor page and, on request, via a notification mechanism). You may object on reasonable data-protection grounds within the notice period; if we cannot reasonably accommodate your objection, you may terminate the affected Service.
7. Assistance and data-subject requests
Taking into account the nature of processing, we will provide reasonable assistance to help you respond to data-subject requests and to meet your obligations regarding security, breach notification, data protection impact assessments, and consultation with authorities. If we receive a data-subject request directed at your Customer Data, we will refer the individual to you where appropriate.
8. Personal data breach
We will notify you without undue delay after becoming aware of a personal data breach affecting your Customer Data and provide information reasonably available to help you meet your notification obligations.
9. Return and deletion
On termination and after any export period, we will delete or return Customer Data as described in the agreement, except where retention is required by law or, for audit records, to the extent necessary to preserve the integrity of the tamper-evident audit chain (with personal identifiers removed or anonymized where feasible), as described in our Privacy Policy.
10. International transfers
Where processing involves transferring personal data across borders, we rely on appropriate safeguards, including the Standard Contractual Clauses and equivalent mechanisms, which are incorporated by reference where applicable.
11. Audits
We will make available information reasonably necessary to demonstrate compliance with this DPA and, on reasonable prior notice and subject to confidentiality, allow for audits limited in scope and frequency, which may be satisfied through third-party reports or certifications where available.
12. Liability and contact
Each party’s liability under this DPA is subject to the limitations of liability in the agreement. For data protection matters under this DPA, contact [email protected] or [email protected].