Data Processing Agreement (DPA)
Last updated: July 9, 2026
1. Purpose and Scope
This Data Processing Agreement ("DPA") supplements the Terms of Service between you and Fluxon LLC ("Processor") and applies to the processing of personal data under applicable data protection laws, including GDPR, CCPA, and others.
This DPA applies to all personal data processed by Fluxon LLC on your behalf ("Controller").
2. Definitions
"Personal Data", "Processing", "Controller", "Processor", and "Data Subject" have the meanings given to them in applicable data protection laws.
"Applicable Data Protection Laws" means all laws applicable to the processing of personal data, including but not limited to the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and others.
"Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.
3. Roles of Controller and Processor
For personal data processed through GateLLM:
You (the Customer) are the Controller, determining the purposes and means of processing.
Fluxon LLC is the Processor, processing personal data on your instructions.
You are responsible for ensuring you have the right to process the relevant personal data and have obtained all necessary consents and authorizations.
4. Scope and Purpose of Processing
The Processor will process personal data on behalf of the Controller for the following purposes:
Providing and maintaining the GateLLM service
Managing accounts and subscriptions
Processing payments
Providing technical support
Complying with legal obligations
Nature of processing: Automated processing, storage, transmission, and retrieval.
5. Types of Personal Data Processed
The types of personal data that may be processed by the Processor include:
Contact information: Name, email address, company name
Account information: Login credentials, preference settings
Payment information: Billing information processed by Stripe
Technical data: IP addresses, browser information, access logs
Usage data: Service usage and performance metrics
6. Categories of Data Subjects
The categories of data subjects covered by this DPA include:
Controller's employees and representatives
Controller's customers and end users
Other individuals interacting with the Controller
7. Processor's Obligations
The Processor will:
Process personal data only on the Controller's documented instructions, unless required to do otherwise by law
Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
Implement appropriate technical and organizational measures to protect personal data
Comply with the requirements regarding sub-processors
Assist the Controller in fulfilling its obligations to respond to data subject rights requests
Delete or return personal data at the Controller's request
Provide all information necessary to demonstrate compliance with the obligations under this DPA
8. Sub-processors
The Controller authorizes the Processor to engage the following sub-processors:
Supabase Inc.: Database storage and authentication services
Stripe Inc.: Payment processing services
Resend Inc.: Email delivery services
Cloud hosting providers: Infrastructure and hosting services
Analytics providers (if enabled): Google LLC (Google Analytics) or Plausible Insights Ltd.
The Processor will ensure that all sub-processors are bound by written agreements providing the same level of data protection as this DPA.
The Processor will notify the Controller in advance of any addition or replacement of sub-processors and provide the Controller with a reasonable opportunity to object.
9. Security Measures
The Processor will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including but not limited to:
Pseudonymization and encryption of personal data
Ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems and services
Restoring the availability and access to personal data in a timely manner in the event of a physical or technical incident
Regularly testing, assessing, and evaluating the effectiveness of technical measures
10. Data Breaches
If the Processor becomes aware of a security breach involving the Controller's personal data, it will notify the Controller without undue delay and within 72 hours of discovery.
The notification will include:
A description of the nature of the breach, including the number and categories of data subjects affected
The name and contact details of the data protection officer or contact point
The likely consequences of the breach
The measures taken or proposed to be taken to mitigate its adverse effects
11. International Data Transfers
If the Processor transfers personal data to a country outside the European Economic Area (EEA), it will ensure:
The European Commission has made an adequacy decision for that country, or
Appropriate safeguards have been implemented, such as Standard Contractual Clauses (SCCs) approved by the European Commission.
The Processor will ensure that sub-processors comply with the same data transfer requirements.
12. Data Subject Rights
The Processor will assist the Controller, to the extent reasonably possible, in fulfilling its obligations to respond to requests from data subjects exercising their rights, including:
Right of access
Right to rectification
Right to erasure (right to be forgotten)
Right to restriction of processing
Right to data portability
Right to object
The Processor will notify the Controller of any data subject requests within 5 business days of receipt.
13. Audits and Inspections
The Controller has the right to conduct audits or inspections of the Processor, after reasonable advance notice, to verify the Processor's compliance with this DPA.
Audits should:
Be conducted during normal business hours
Be reasonably limited in frequency and scope
Not interfere with the Processor's normal business operations
The Controller may engage an independent third party to conduct audits.
14. Deletion and Return of Data
Upon termination of the service or at the Controller's request, the Processor will:
Delete all personal data, unless required to store by law
Return a copy of personal data in a structured, commonly used format
Delete all existing copies, unless required to retain by law
The Processor will provide written confirmation within 30 days of deletion or return.
15. Liability
Each party shall bear its liability in accordance with applicable data protection laws.
If a party violates its obligations under this DPA, it shall be liable for damages caused thereby.
Liability limitations shall follow the provisions in the Terms of Service, but shall not apply to willful misconduct or gross negligence.
16. Term and Termination
This DPA takes effect simultaneously with the Terms of Service and remains in effect after termination of the Terms of Service until the Processor deletes or returns all personal data.
Either party may terminate this DPA if the other party breaches a material term of this DPA.
17. Governing Law
This DPA is governed by the laws of the State of Delaware.
Any disputes arising from this DPA shall be resolved in the courts of Delaware.
18. Execution
By using the GateLLM service, you accept the terms of this DPA.
For a formally executed copy of the DPA, please contact support@gatellm.io.
GateLLM is a product of Fluxon LLC, a Delaware limited liability company.