Data Processing Agreement (DPA)

Last updated: July 9, 2026

1. Purpose and Scope

This Data Processing Agreement ("DPA") supplements the Terms of Service between you and Fluxon LLC ("Processor") and applies to the processing of personal data under applicable data protection laws, including GDPR, CCPA, and others.

This DPA applies to all personal data processed by Fluxon LLC on your behalf ("Controller").

2. Definitions

"Personal Data", "Processing", "Controller", "Processor", and "Data Subject" have the meanings given to them in applicable data protection laws.

"Applicable Data Protection Laws" means all laws applicable to the processing of personal data, including but not limited to the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and others.

"Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.

3. Roles of Controller and Processor

For personal data processed through GateLLM:

You (the Customer) are the Controller, determining the purposes and means of processing.

Fluxon LLC is the Processor, processing personal data on your instructions.

You are responsible for ensuring you have the right to process the relevant personal data and have obtained all necessary consents and authorizations.

4. Scope and Purpose of Processing

The Processor will process personal data on behalf of the Controller for the following purposes:

Providing and maintaining the GateLLM service

Managing accounts and subscriptions

Processing payments

Providing technical support

Complying with legal obligations

Nature of processing: Automated processing, storage, transmission, and retrieval.

5. Types of Personal Data Processed

The types of personal data that may be processed by the Processor include:

Contact information: Name, email address, company name

Account information: Login credentials, preference settings

Payment information: Billing information processed by Stripe

Technical data: IP addresses, browser information, access logs

Usage data: Service usage and performance metrics

6. Categories of Data Subjects

The categories of data subjects covered by this DPA include:

Controller's employees and representatives

Controller's customers and end users

Other individuals interacting with the Controller

7. Processor's Obligations

The Processor will:

Process personal data only on the Controller's documented instructions, unless required to do otherwise by law

Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality

Implement appropriate technical and organizational measures to protect personal data

Comply with the requirements regarding sub-processors

Assist the Controller in fulfilling its obligations to respond to data subject rights requests

Delete or return personal data at the Controller's request

Provide all information necessary to demonstrate compliance with the obligations under this DPA

8. Sub-processors

The Controller authorizes the Processor to engage the following sub-processors:

Supabase Inc.: Database storage and authentication services

Stripe Inc.: Payment processing services

Resend Inc.: Email delivery services

Cloud hosting providers: Infrastructure and hosting services

Analytics providers (if enabled): Google LLC (Google Analytics) or Plausible Insights Ltd.

The Processor will ensure that all sub-processors are bound by written agreements providing the same level of data protection as this DPA.

The Processor will notify the Controller in advance of any addition or replacement of sub-processors and provide the Controller with a reasonable opportunity to object.

9. Security Measures

The Processor will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including but not limited to:

Pseudonymization and encryption of personal data

Ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems and services

Restoring the availability and access to personal data in a timely manner in the event of a physical or technical incident

Regularly testing, assessing, and evaluating the effectiveness of technical measures

10. Data Breaches

If the Processor becomes aware of a security breach involving the Controller's personal data, it will notify the Controller without undue delay and within 72 hours of discovery.

The notification will include:

A description of the nature of the breach, including the number and categories of data subjects affected

The name and contact details of the data protection officer or contact point

The likely consequences of the breach

The measures taken or proposed to be taken to mitigate its adverse effects

11. International Data Transfers

If the Processor transfers personal data to a country outside the European Economic Area (EEA), it will ensure:

The European Commission has made an adequacy decision for that country, or

Appropriate safeguards have been implemented, such as Standard Contractual Clauses (SCCs) approved by the European Commission.

The Processor will ensure that sub-processors comply with the same data transfer requirements.

12. Data Subject Rights

The Processor will assist the Controller, to the extent reasonably possible, in fulfilling its obligations to respond to requests from data subjects exercising their rights, including:

Right of access

Right to rectification

Right to erasure (right to be forgotten)

Right to restriction of processing

Right to data portability

Right to object

The Processor will notify the Controller of any data subject requests within 5 business days of receipt.

13. Audits and Inspections

The Controller has the right to conduct audits or inspections of the Processor, after reasonable advance notice, to verify the Processor's compliance with this DPA.

Audits should:

Be conducted during normal business hours

Be reasonably limited in frequency and scope

Not interfere with the Processor's normal business operations

The Controller may engage an independent third party to conduct audits.

14. Deletion and Return of Data

Upon termination of the service or at the Controller's request, the Processor will:

Delete all personal data, unless required to store by law

Return a copy of personal data in a structured, commonly used format

Delete all existing copies, unless required to retain by law

The Processor will provide written confirmation within 30 days of deletion or return.

15. Liability

Each party shall bear its liability in accordance with applicable data protection laws.

If a party violates its obligations under this DPA, it shall be liable for damages caused thereby.

Liability limitations shall follow the provisions in the Terms of Service, but shall not apply to willful misconduct or gross negligence.

16. Term and Termination

This DPA takes effect simultaneously with the Terms of Service and remains in effect after termination of the Terms of Service until the Processor deletes or returns all personal data.

Either party may terminate this DPA if the other party breaches a material term of this DPA.

17. Governing Law

This DPA is governed by the laws of the State of Delaware.

Any disputes arising from this DPA shall be resolved in the courts of Delaware.

18. Execution

By using the GateLLM service, you accept the terms of this DPA.

For a formally executed copy of the DPA, please contact support@gatellm.io.

GateLLM is a product of Fluxon LLC, a Delaware limited liability company.