Data Processing Addendum

Last updated: May 2, 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between neokens, Inc. ("neokens," "Processor," "we," or "us") and the entity that has agreed to the Terms of Service ("Customer," "you," or "Controller") and applies to the extent that neokens processes Personal Data on behalf of the Customer in connection with the Service. This DPA incorporates the terms defined in the Terms of Service and supplements the Privacy Policy.

This DPA is intended to comply with the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act ("CCPA"), and other applicable data protection laws. To the extent there is a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of Personal Data.

1. Definitions

Capitalized terms used but not defined in this DPA have the meanings given to them in the Terms of Service. In addition, the following terms have the following meanings:

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by neokens on behalf of the Customer in connection with the Service.
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
  • "Sub-processor" means any third party engaged by neokens to process Personal Data on behalf of the Customer.
  • "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the GDPR, CCPA, and any implementing or supplementary national legislation.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Commission Implementing Decision (EU) 2021/914, as may be amended or superseded.

2. Parties and Roles

The parties to this DPA are neokens, Inc. (Processor) and the Customer (Controller). The Customer determines the purposes and means of the processing of Personal Data submitted through the Service. neokens processes Personal Data only on the Customer's documented instructions and in accordance with this DPA.

For purposes of the CCPA, neokens acts as a "service provider" (as defined in Cal. Civ. Code § 1798.140(ag)) with respect to the Personal Data it processes on behalf of the Customer. neokens shall not sell, share, or retain Personal Data for any purpose other than providing the Service as specified in the Terms of Service.

3. Scope of Data Processing

neokens processes Personal Data only for the following purposes:

  • Routing API requests (including prompt content) from the Customer to the appropriate upstream AI provider and returning the AI-generated response
  • Maintaining account information necessary to provide the Service
  • Calculating credit consumption and maintaining billing records
  • Detecting and preventing abuse, fraud, and violations of the Acceptable Use Policy
  • Complying with applicable legal obligations

neokens shall not process Personal Data for any purpose other than as specified in this DPA and the Terms of Service, unless required by applicable law, in which case neokens shall inform the Customer of such legal requirement before processing, unless prohibited by law.

4. Categories of Data

The Personal Data processed under this DPA may include:

| Category | Description | Examples |
|---|---|---|
| Account Data | Data provided by the Customer to create and maintain their account | Email address, display name, authentication credentials |
| Prompt Data | Content submitted by the Customer through the API for processing by AI models | Text prompts, system instructions, conversation history |
| Response Data | AI-generated content returned to the Customer | Model completions, generated text |
| Usage Metadata | Metadata generated by the use of the Service | Request timestamps, model identifiers, token counts, credit consumption |
| Payment Data | Information related to payment processing | Billing name, address, last four digits of card (full card data processed by Stripe only) |
| Technical Data | Automatically collected technical information | IP address, browser type, operating system |

The Customer is responsible for ensuring that any Personal Data submitted through the Service has been collected and is processed in compliance with applicable Data Protection Laws, including obtaining necessary consents and providing required notices to Data Subjects.

5. Sub-processors

neokens engages the following Sub-processors to process Personal Data on behalf of the Customer in connection with the Service. The Customer generally authorizes the use of these Sub-processors by agreeing to the Terms of Service. neokens will provide notice of changes to Sub-processors as described in Section 5.2.

5.1 Current Sub-processors

| Sub-processor | Purpose | Location |
|---|---|---|
| OpenAI, Inc. | AI model inference (GPT models) | United States |
| Anthropic, Inc. | AI model inference (Claude models) | United States |
| Google LLC (Gemini) | AI model inference (Gemini models) | United States |
| Stripe, Inc. | Payment processing | United States |
| Amazon Web Services, Inc. | Cloud infrastructure and hosting | United States |

5.2 Changes to Sub-processors

neokens will notify the Customer of any addition or replacement of a Sub-processor at least 30 days before the change takes effect. The Customer may object to a new Sub-processor on reasonable data protection grounds by notifying neokens in writing within 15 days of receiving the notice. If the objection cannot be resolved, either party may terminate the affected portion of the Service with a refund of any prepaid fees for the terminated portion.

6. Data Subject Rights

neokens will assist the Customer in fulfilling its obligations to respond to Data Subject requests for exercising their rights under Data Protection Laws, including rights of access, rectification, erasure, restriction, data portability, and objection. If neokens receives a request directly from a Data Subject regarding Personal Data processed on behalf of the Customer, neokens will redirect the Data Subject to the Customer and notify the Customer promptly.

neokens will not respond to Data Subject requests without the Customer's instructions, except to confirm receipt and redirect the Data Subject to the Customer. The Customer is responsible for responding to such requests within the timeframes required by applicable Data Protection Laws.

7. Security Measures

neokens implements appropriate technical and organizational measures to protect Personal Data against unauthorized access, alteration, disclosure, or destruction. These measures include:

  • Encryption in transit: All data transmitted between the Customer and neokens, and between neokens and Sub-processors, is encrypted using TLS 1.2 or higher
  • Encryption at rest: Personal Data stored on neokens systems is encrypted at rest using AES-256
  • Access controls: Role-based access controls, multi-factor authentication for administrative access, and least-privilege principles for all personnel
  • Network security: Firewalls, intrusion detection systems, and network segmentation to protect internal systems
  • Logging and monitoring: Audit logs for access to systems containing Personal Data, with automated alerting for anomalous activity
  • Vulnerability management: Regular security assessments, penetration testing, and timely patching of identified vulnerabilities
  • Employee training: Annual data protection and security awareness training for all personnel with access to Personal Data
  • Data minimization: Prompt data (prompts and responses) is not persisted beyond the transient processing period required to fulfill the API request
  • Incident response: Documented incident response plan with defined roles, escalation procedures, and communication protocols

The Customer is responsible for implementing appropriate security measures on its own systems, including the secure storage and handling of API keys and any Personal Data before it is submitted to the Service.

8. Personal Data Breach Notification

neokens will notify the Customer without undue delay and in any event within 72 hours after becoming aware of a Personal Data breach that is likely to result in a risk to the rights and freedoms of Data Subjects. The notification will include:

  • The nature of the breach, including the categories and approximate number of Data Subjects and records affected
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach and mitigate its effects
  • Contact information for neokens' data protection officer or designated point of contact

neokens will cooperate with the Customer in investigating the breach and will provide all information reasonably necessary for the Customer to comply with its notification obligations under Data Protection Laws. neokens will not make public announcements about a breach without the Customer's prior approval, unless required by law.

9. International Data Transfers

neokens is headquartered in the United States. To the extent that the processing of Personal Data under this DPA involves the transfer of Personal Data from the European Economic Area, the United Kingdom, or other jurisdictions with data transfer restrictions, the parties agree that such transfers shall be governed by the Standard Contractual Clauses. neokens has executed the SCCs and will make them available to the Customer upon request.

neokens will ensure that all Sub-processors that process Personal Data outside the EEA do so under appropriate safeguards, including the execution of SCCs or reliance on an approved adequacy mechanism.

10. Data Retention and Deletion

neokens will retain Personal Data only for as long as necessary to fulfill the purposes described in this DPA, or as required by applicable law. Upon termination of the Service, neokens will, at the Customer's election, return or delete all Personal Data in its possession within 90 days, except where retention is required by law. neokens will certify deletion upon the Customer's written request.

Prompt Data and Response Data are not persisted by neokens beyond the transient processing period. Usage metadata is retained for 12 months for billing and operational purposes. Payment records are retained for 7 years as required by financial regulations.

11. Audits

neokens will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or a qualified third-party auditor mandated by the Customer, subject to reasonable confidentiality obligations and upon at least 30 days' written notice. Such audits shall be conducted at the Customer's expense and during normal business hours, and shall not unreasonably interfere with neokens' operations.

12. Termination

This DPA will remain in effect for the duration of the Terms of Service. Upon termination of the Terms of Service, the provisions of this DPA regarding data return and deletion (Section 10), audit rights (Section 11), and liability for breaches (Section 8) will survive for a period of two (2) years or as required by applicable Data Protection Laws.

13. Contact

For questions about this DPA, please contact our data protection team: