Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between Infrastacks, LLC, doing business as NeuronEdge.AI ("Processor" or "NeuronEdge"), and the entity agreeing to these terms ("Controller" or "Customer").
This DPA reflects the parties' agreement with respect to the processing of Personal Data by NeuronEdge on behalf of Customer pursuant to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and other applicable data protection laws.
1 Definitions
For the purposes of this DPA:
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by NeuronEdge on behalf of Customer in connection with the Services.
- "Processing" means any operation performed on Personal Data, including collection, storage, alteration, retrieval, use, disclosure, or erasure.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Subprocessor" means any third party engaged by NeuronEdge to process Personal Data on behalf of Customer.
- "Data Protection Laws" means GDPR, UK GDPR, CCPA, and any other applicable data protection and privacy laws.
- "Standard Contractual Clauses" means the EU Commission's standard contractual clauses for international data transfers (Module 2: Controller to Processor).
2 Scope and Roles
2.1 Role of the Parties
Customer is the Controller of Personal Data. NeuronEdge is the Processor, processing Personal Data only on behalf of and in accordance with Customer's documented instructions.
2.2 Subject Matter and Purpose
NeuronEdge processes Personal Data to provide PII detection and redaction services. The purpose is to identify and protect sensitive information in API requests to third-party LLM providers before transmission and restore such information in responses.
2.3 Nature of Processing
Processing operations include:
- In-memory detection of PII using pattern matching and machine learning
- Tokenization and replacement of PII with placeholders or synthetic values
- Routing of redacted content to third-party LLM providers
- Restoration of original PII values in responses
- Logging of metadata (entity types, counts) for analytics
Zero-Knowledge Architecture
Original PII values are processed in-memory only and are never persisted to storage. NeuronEdge maintains zero-knowledge of actual PII content after request completion.
2.4 Categories of Personal Data
Categories may include, depending on Customer's use case:
- Names and contact information
- Government identifiers (SSN, passport numbers, etc.)
- Financial information (credit card numbers, bank accounts)
- Health information (when applicable)
- Location data (addresses, coordinates)
- Technical identifiers (IP addresses, device IDs)
- Any other PII contained in Customer's API requests
2.5 Categories of Data Subjects
Data Subjects may include Customer's end users, employees, customers, or any individuals whose data is processed through the Services.
3 Controller Obligations
Customer agrees to:
- Ensure it has a lawful basis for processing Personal Data
- Provide clear instructions to NeuronEdge regarding data processing
- Ensure the accuracy of Personal Data provided to NeuronEdge
- Comply with all applicable Data Protection Laws
- Implement appropriate data governance and security practices
- Inform Data Subjects about the processing as required by law
- Respond to Data Subject requests in a timely manner
4 Processor Obligations
4.1 Processing Instructions
NeuronEdge shall process Personal Data only on documented instructions from Customer, unless required by applicable law. If NeuronEdge is required by law to process Personal Data, it shall inform Customer before processing (unless prohibited by law).
4.2 Confidentiality
NeuronEdge shall ensure that all personnel authorized to process Personal Data are subject to confidentiality obligations.
4.3 Security Measures
NeuronEdge implements appropriate technical and organizational measures to ensure security, including:
- TLS 1.3 encryption for all data in transit
- Encryption at rest for stored data
- API key hashing using bcrypt (never stored in plaintext)
- Role-based access controls
- Regular security assessments
- SOC 2 and ISO 27001 certified infrastructure providers
- In-memory only processing of PII (no persistence)
4.4 Subprocessors
Customer authorizes NeuronEdge to engage Subprocessors subject to the following:
- NeuronEdge maintains a current list of Subprocessors
- NeuronEdge will notify Customer of new Subprocessors at least 30 days in advance
- Customer may object to new Subprocessors within 14 days
- Subprocessors are bound by data protection obligations equivalent to this DPA
4.5 Data Subject Rights
NeuronEdge shall assist Customer in responding to Data Subject requests, including requests for access, rectification, erasure, restriction, portability, and objection.
4.6 Data Protection Impact Assessments
NeuronEdge shall provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities.
4.7 Breach Notification
NeuronEdge shall notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting Customer data. The notification shall include:
- Nature of the breach
- Categories and approximate number of Data Subjects affected
- Likely consequences
- Measures taken or proposed to address the breach
4.8 Deletion and Return
Upon termination of the Agreement, NeuronEdge shall, at Customer's choice, delete or return all Personal Data and delete existing copies, unless applicable law requires continued storage.
4.9 Audit Rights
NeuronEdge shall make available to Customer all information necessary to demonstrate compliance with this DPA. Customer may conduct audits, directly or through an independent auditor, with reasonable notice and during business hours.
5 Current Subprocessors
NeuronEdge currently engages the following Subprocessors:
| Provider | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Edge computing, CDN, Workers | Global (US-based) |
| Neon Inc. | Database hosting (PostgreSQL) | United States |
| Clerk Inc. | User authentication | United States |
| Stripe, Inc. | Payment processing | United States |
| Sentry | Error tracking | United States |
Note on LLM Providers
Third-party LLM providers (OpenAI, Anthropic, etc.) are not Subprocessors. Customer contracts directly with these providers, and NeuronEdge routes requests on Customer's behalf using Customer's API keys.
6 International Data Transfers
NeuronEdge is based in the United States. Personal Data may be transferred to and processed in the United States and other countries where our Subprocessors operate.
For transfers of Personal Data from the European Economic Area, United Kingdom, or Switzerland to countries that do not have an adequacy decision, NeuronEdge relies on:
- Standard Contractual Clauses (Module 2: Controller to Processor)
- Supplementary measures as necessary
- Subprocessor agreements incorporating equivalent protections
Upon request, NeuronEdge will execute the Standard Contractual Clauses with Customer.
7 CCPA Provisions
For purposes of the California Consumer Privacy Act (CCPA):
- NeuronEdge is a "Service Provider" as defined under the CCPA
- NeuronEdge processes Personal Information on behalf of Customer for the business purpose of providing the Services
- NeuronEdge does not "sell" Personal Information as defined under the CCPA
- NeuronEdge does not retain, use, or disclose Personal Information for any purpose other than providing the Services
- NeuronEdge certifies that it understands and will comply with these restrictions
8 Duration
This DPA shall remain in effect for the duration of the Agreement. Upon termination of the Agreement, NeuronEdge shall delete or return Personal Data as specified in Section 4.8.
9 Liability
Each party's liability under this DPA shall be subject to the limitations of liability set forth in the Agreement. Nothing in this DPA shall limit either party's liability for intentional misconduct, gross negligence, or violations of applicable law.
10 Amendments
NeuronEdge may update this DPA from time to time to reflect changes in Data Protection Laws, our practices, or industry standards. Material changes will be communicated with 30 days' notice.
11 Contact Information
For questions about this DPA or to request execution of Standard Contractual Clauses, contact:
Enterprise Customers
Enterprise customers may request a customized DPA or execution of Standard Contractual Clauses. Contact our enterprise team at enterprise@neuronedge.ai to discuss your specific requirements.