Data Processing Addendum
Last updated June 2026
This Data Processing Addendum (“DPA”) forms part of the Terms of Service (“Agreement”) between Black Gibbon Ltd (“Processor,” “Retanu”) and the customer identified in the Agreement (“Controller,” “you”). This DPA applies to the extent that Retanu processes Personal Data on your behalf in the course of providing the Service.
1. Definitions
- "Personal Data": Any information relating to an identified or identifiable natural person that Retanu processes on your behalf in connection with the Service.
- "Processing": Any operation performed on Personal Data, including collection, storage, use, transmission, and deletion.
- "Data Protection Laws": All applicable laws relating to the processing of Personal Data, including (where applicable) the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, and any other applicable privacy or data-protection legislation.
- "Subprocessor": Any third party engaged by Retanu to process Personal Data on behalf of the Controller.
- "Security Incident": A confirmed unauthorized access to, or unauthorized disclosure, alteration, or destruction of, Personal Data processed by Retanu.
2. Roles and scope
Controller and Processor. You are the Controller of the Personal Data you submit to or generate through the Service. Retanu acts as the Processor, processing Personal Data solely on your behalf and in accordance with your documented instructions.
Scope of processing. Retanu processes Personal Data only as necessary to provide the Service described in the Agreement, including:
- Routing inference requests to the providers you configure.
- Enforcing spend caps, rate limits, and budget controls per workspace.
- Metering usage and generating cost-attribution reports.
- Storing workspace configuration and provider credentials (encrypted).
- Generating audit and usage logs (excluding inference content by default).
3. Categories of data and data subjects
| Category | Description |
|---|---|
| Data subjects | Your employees, contractors, and end users whose data passes through or is stored in the Service. |
| Account data | Name, email, profile picture of users who sign in to the console. |
| Workspace configuration | Workspace names, budget settings, routing rules, and provider preferences. |
| Provider credentials | API keys for inference providers, stored encrypted. |
| Usage metadata | Timestamps, workspace ID, model, provider, token counts, cost, and latency for each request. Does not include inference content. |
| Inference content (if enabled) | Prompt and response bodies, only when content logging is explicitly enabled by you for a workspace. |
4. Controller obligations
You are responsible for:
- Ensuring that you have a lawful basis to provide Personal Data to Retanu and to instruct its processing.
- Providing all necessary notices to, and obtaining all necessary consents from, data subjects whose Personal Data is processed through the Service.
- Ensuring that inference content you send through the Service complies with applicable laws, including restrictions on sensitive or special-category data.
- Determining which workspaces, if any, should have content logging enabled, and accepting responsibility for the data retained as a result.
5. Processor obligations
Retanu will:
- Process Personal Data only on your documented instructions, unless required by applicable law. If we are required to process Personal Data for a purpose other than your instructions, we will inform you before doing so (unless prohibited by law).
- Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations.
- Implement and maintain the technical and organizational security measures described in Section 6.
- Not transfer Personal Data outside the jurisdictions described in Section 8 without appropriate safeguards.
- Assist you, at your cost, in responding to data-subject rights requests to the extent the request relates to Personal Data processed by Retanu.
- Assist you, at your cost, in meeting your obligations under Data Protection Laws with respect to security, breach notification, data-protection impact assessments, and prior consultations with supervisory authorities.
- Upon termination of the Agreement, delete or return all Personal Data within 30 days, unless retention is required by applicable law.
6. Security measures
Retanu implements the following technical and organizational measures to protect Personal Data:
- Organization isolation: Row-level security (RLS) policies on all data tables ensure that each organization's data is isolated at the database level. The application connects with a restricted database role that cannot bypass these policies. Verified by 16 automated cross-organization isolation tests.
- Encryption in transit: All connections to the console, gateway, and admin API are encrypted using TLS.
- Credential protection: Provider API keys are stored encrypted. Keys are never written to application logs. An automatic scrubber removes patterns matching API keys, tokens, and credentials from all log output.
- Access control: Authentication is required for all console and API access. Each workspace receives its own API key and endpoint, scoped to that workspace only.
- Zero-retention default: Inference request and response content is not stored by default. Only routing metadata is retained. Content logging must be explicitly enabled per workspace.
- Fail-closed controls: Budget checks and rate limits are evaluated before any inference call is made. If the check system is unavailable, the request is rejected rather than allowed through.
- Logging and monitoring: Structured JSON logs capture routing metadata (never inference content or API keys) for security monitoring and incident response.
- Personnel: Access to production systems is limited to authorized personnel with a business need. All personnel are bound by confidentiality obligations.
7. Subprocessors
You authorize Retanu to engage the following categories of Subprocessors to assist in providing the Service:
| Category | Purpose | Data processed |
|---|---|---|
| Cloud infrastructure | Hosting, compute, and database services | All categories listed in Section 3 |
| Inference providers (BYOK) | Processing inference requests using your API keys | Inference content and metadata |
| Payment processor | Billing and payment collection | Payment and billing data |
| CDN / edge network | Content delivery and DDoS protection | IP addresses and request metadata |
| Analytics (if used) | Aggregate, cookieless page-view analytics on marketing site | Anonymous page-view data only |
Notification of changes. We will notify you at least 14 days before engaging a new Subprocessor or materially changing an existing one. If you object to a new Subprocessor, you may notify us within 14 days of receiving notice, and we will work with you to find an alternative. If no resolution is reached, you may terminate the affected Service with 30 days' notice.
Subprocessor obligations. Retanu imposes data-protection obligations on each Subprocessor that are materially equivalent to those in this DPA. Retanu remains liable for the acts and omissions of its Subprocessors.
8. International data transfers
Personal Data may be transferred to and processed in jurisdictions other than where the Controller is located. Where Personal Data originating in the EEA, UK, or Switzerland is transferred to a country that has not received an adequacy decision, Retanu will ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Module 2: Controller to Processor), incorporated into this DPA by reference.
- The UK International Data Transfer Addendum to the SCCs, where UK GDPR applies.
- Any supplementary measures reasonably necessary to ensure an essentially equivalent level of protection.
You may request a copy of the applicable SCCs and supplementary measures by contacting privacy@retanu.com.
9. Security incidents
Notification. If Retanu becomes aware of a Security Incident affecting your Personal Data, we will notify you without undue delay and in any event within 72 hours of confirmation. Notification will include:
- A description of the nature of the incident, including the categories and approximate number of data subjects and records affected.
- The name and contact details of our data-protection point of contact.
- A description of the likely consequences of the incident.
- A description of the measures taken or proposed to address the incident, including measures to mitigate its effects.
Cooperation. Retanu will cooperate with you and take reasonable steps to assist in the investigation, mitigation, and remediation of the Security Incident. Notification of a Security Incident is not an acknowledgment of fault or liability.
10. Data-subject rights
If Retanu receives a request from a data subject to exercise their rights under Data Protection Laws (access, rectification, erasure, restriction, portability, or objection), we will promptly notify you and will not respond to the request directly unless instructed by you or required by law.
Retanu will provide reasonable assistance to enable you to respond to data-subject requests, including by providing relevant data exports or deleting data on your instruction, to the extent technically feasible.
11. Audits
Retanu will make available to you, on reasonable request and no more than once per year, information necessary to demonstrate compliance with this DPA. This may include:
- A summary of current security measures and their implementation status.
- Results of relevant third-party audits or certifications (when available).
- Results of the automated isolation test suite.
If you require an on-site audit or inspection, Retanu will cooperate on mutually agreed terms, including reasonable advance notice, scope limitations, and confidentiality obligations. The audit must not disrupt normal operations or compromise the security of other customers' data.
12. Data retention and deletion
Upon termination of the Agreement, or upon your written request, Retanu will delete all Personal Data within 30 days, unless retention is required by applicable law. Provider credentials are deleted immediately upon removal from the console or upon account closure.
During the term of the Agreement, data retention follows the periods described in our Privacy Policy:
- Account data: retained while the account is active; deleted within 30 days of closure.
- Usage metadata: retained for 24 months, then aggregated and de-identified.
- Inference content (if enabled): retained for the period you configure; defaults to 0 days (not stored).
- Log data: retained for up to 90 days.
13. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Agreement. Nothing in this DPA limits either party's liability for breaches of Data Protection Laws to the extent that such limitation is not permitted by applicable law.
14. Conflict
In the event of any conflict between this DPA and the Agreement, this DPA will prevail with respect to the processing of Personal Data. In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.
15. Contact
Questions about this DPA or data-protection matters can be directed to: