o10

Last updated 2026-06-14b

Data Processing Agreement

GDPR-aligned DPA for the o10 inference spend control plane — Customer as Controller, o10 as Processor, with subprocessors, SCCs, security, and deletion on termination.

Summary: Key points

Who is the controller and who is the processor?

For Customer Personal Data processed through the o10 control plane, Customer is the Controller and o10 is the Processor. o10 processes data only on documented instructions to deliver routing, shadow/enforce modes, evals, KYI scoring, and ledger reporting.

Does o10 use Customer Personal Data for model training?

No. o10 does not use Customer Personal Data or User Content to train foundation models. Processing is limited to providing the Service, security, compliance, and aggregated de-identified analytics where permitted.

Who are o10 subprocessors?

Hosting (e.g. Vercel), cloud infrastructure, analytics, payment processors, and email/support tools listed in the Subprocessors section. We provide notice of material subprocessor changes; Customer may object on reasonable grounds.

01 Deep dive

Introduction and incorporation

How this DPA applies to enterprise use of o10.

This Data Processing Agreement ("DPA") forms part of the agreement between Shen Pandi and the o10 team ("o10," "Processor," "we," or "us") and the entity agreeing to our Terms of Service or order form ("Customer," "Controller," or "you").

This DPA applies when o10 processes Personal Data on behalf of Customer in connection with the o10 inference spend control plane (the "Service"). It supplements the Privacy Policy and Terms of Service.

In the event of conflict between this DPA and the Terms regarding Personal Data processing, this DPA prevails. Capitalized terms not defined here have the meanings in the Terms or Privacy Policy.

By using the Service for business purposes, executing an order form that references this DPA, or clicking to accept, Customer agrees to this DPA.

02 Deep dive

Definitions

Key terms for GDPR and enterprise privacy teams.

"Personal Data" means information relating to an identified or identifiable natural person processed by o10 on behalf of Customer through the Service.

"Customer Personal Data" means Personal Data submitted to or generated through the Service by or for Customer, including account data, routing metadata, ledger entries, eval results, and — where configured — limited prompt or completion excerpts for quality-floor verification.

"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.

"Subprocessor" means a third party engaged by o10 to process Personal Data on behalf of Customer.

"Data Protection Laws" means GDPR, UK GDPR, CCPA/CPRA as applicable, and other privacy laws governing the processing described here.

03 Deep dive

Roles of the parties

Controller and Processor responsibilities.

Customer is the Controller of Customer Personal Data. Customer determines the purposes and means of processing end-user or employee data that flows through Customer's inference workloads.

o10 is the Processor. o10 processes Customer Personal Data only on Customer's documented instructions — including configuration of shadow mode, enforce mode, quality floors, residency rules, and retention — and as required by applicable law.

Customer is responsible for providing lawful basis, privacy notices, and consents to data subjects whose Personal Data is processed through the Service. Customer instructs o10 only to process Personal Data in compliance with Data Protection Laws and Provider Terms.

04 Deep dive

Scope and details of processing

What o10 processes and why.

Subject matter: provision of the inference spend control plane — eval-gated routing, budget envelopes, KYI governance, and immutable ledger reporting.

Duration: for the term of the Customer agreement plus retention periods described in the Privacy Policy and this DPA.

Nature and purpose: route inference per Customer policy; record economics and governance metadata; verify shadow savings; produce audit and board reporting.

  • Categories of data subjects: Customer personnel, authorized users, and — where Customer routes production traffic — Customer's end users whose data appears in inference requests.
  • Categories of Personal Data: identifiers, professional contact data, usage metadata, token economics, policy decisions, eval scores, and configured excerpts of prompts/completions where eval replay is enabled.
  • Special categories: Customer must not instruct o10 to process special-category data (health, biometric, etc.) unless parties execute additional safeguards in writing.

05 Deep dive

Processor obligations

What o10 will and will not do with Customer Personal Data.

o10 will process Customer Personal Data only on documented instructions from Customer, including the Service configuration and this DPA.

o10 will ensure personnel authorized to process Personal Data are bound by confidentiality obligations.

o10 will not sell Customer Personal Data or use it for cross-context behavioral advertising.

o10 will not use Customer Personal Data to train foundation models for o10 or third parties.

o10 will assist Customer with data subject requests, DPIAs, and regulator inquiries to the extent required by Data Protection Laws and commercially reasonable.

o10 will notify Customer without undue delay upon becoming aware of a Personal Data breach affecting Customer Personal Data, providing information reasonably available to support Customer's obligations.

06 Deep dive

Security measures

Technical and organizational measures.

o10 implements appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized access, alteration, disclosure, or destruction, including access controls, encryption in transit where supported, logging, and personnel training.

Measures are reviewed periodically and may be updated. Customer is responsible for securing its credentials, API keys, and integration endpoints.

No security program is perfect; Customer acknowledges residual risk inherent in internet-based services.

07 Deep dive

Subprocessors

Third parties that support the Service.

Customer authorizes o10 to engage Subprocessors listed below and updates posted at https://o10.io/dpa#subprocessors. o10 will impose data protection obligations on Subprocessors substantially similar to this DPA.

Current categories: cloud hosting and CDN (e.g. Vercel), infrastructure providers, analytics (e.g. Google Analytics on the marketing Site only when enabled), payment processors, email and support tooling.

o10 will notify Customer of intended additions or replacements of Subprocessors that process Customer Personal Data. Customer may object on reasonable data-protection grounds within 14 days. If parties cannot resolve the objection, Customer may terminate the affected Service upon written notice.

Representative subprocessor categories

| Category | Purpose | Location |
| --- | --- | --- |
| Hosting / CDN | Site and Service delivery | United States / global edge |
| Cloud infrastructure | Service compute and storage | United States / EU regions as configured |
| Payment processor | Billing and invoicing | United States |
| Email / support | Transactional and support communications | United States |

08 Deep dive

International transfers

Cross-border processing safeguards.

Customer Personal Data may be processed in the United States and other countries where o10 or Subprocessors operate.

Where Customer Personal Data is transferred from the EEA, UK, or Switzerland to countries without an adequacy decision, o10 relies on Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms as required by Data Protection Laws.

Customer may request SCC execution via legal@o10.io. Module Two (Controller to Processor) applies where Customer is Controller.

09 Deep dive

Retention and deletion

End of processing and return of data.

Upon termination or expiry of the Service, Customer may export ledger and KYI data per product functionality. o10 will delete or return Customer Personal Data within 90 days of termination unless law requires retention.

Immutable ledger archives required for tax, audit, or litigation may be retained in restricted form for the period legally necessary, then deleted or de-identified.

Customer may request deletion of specific data subject to legal and contractual limits — email privacy@o10.io.

10 Deep dive

Audits and compliance

Demonstrating compliance.

o10 will make available information reasonably necessary to demonstrate compliance with this DPA, including security summaries and subprocessor lists.

Upon reasonable written request no more than once per year (unless required by a regulator), Customer may audit o10's relevant practices through a mutually agreed third-party auditor under confidentiality, at Customer's expense, subject to 30 days' notice and minimal business disruption.

Customer may satisfy audit needs through o10's SOC 2 or equivalent reports when available.

11 Deep dive

Liability under this DPA

Alignment with the Terms.

Each party's liability under this DPA is subject to the limitations and exclusions in the Terms of Service. Nothing in this DPA limits either party's liability for matters that cannot be limited under applicable law.

12 Deep dive

Term and amendments

Duration and updates.

This DPA remains in effect for the duration of the Service agreement. o10 may update this DPA to reflect legal or product changes with 30 days' notice to Customer. Material reductions in protection may be objected to; continued use after notice constitutes acceptance where permitted by law.

Questions and countersignature requests: legal@o10.io

FAQ: Frequently asked questions

Common questions

When does the o10 DPA apply?

When Customer uses the o10 control plane for business purposes and processes Personal Data through the Service. It is incorporated by reference in the Terms and order forms.

Is Customer the controller?

Yes. Customer determines why and how end-user or employee data flows through inference workloads. o10 is the processor acting on Customer's configuration and instructions.

Does o10 train models on DPA-covered data?

No. Processing is limited to delivering the Service. o10 does not use Customer Personal Data for foundation model training.

How do I get Standard Contractual Clauses?

Email legal@o10.io to execute SCC Module Two (Controller to Processor) for EEA/UK transfers.

How are subprocessors managed?

We maintain a category list in this DPA and notify Customer of material changes. Customer may object on reasonable data-protection grounds within 14 days.

What happens to data when the contract ends?

Customer may export ledger and KYI outputs during wind-down. o10 deletes or returns Personal Data within 90 days unless law or dispute requires limited retention.

Who do I contact for a signed DPA?

Email legal@o10.io with your entity name, billing contact, and order reference for a countersigned copy.

Does the DPA cover the marketing site?

This DPA covers the Service. The public Site is described in the Privacy Policy; limited analytics on o10.io are separate from control-plane processing.