Data Processing Addendum

This Data Processing Addendum (the “DPA”) supplements the Terms of Service between you (“Customer”) and Conduix (operated by iVirtualsoft Corp) and applies to the extent Conduix processes personal data on behalf of Customer in connection with the service.

1. Roles of the parties

For the personal data processed under this DPA, Customer is the controller (or processor on behalf of a third-party controller) and Conduix is the processor (or sub-processor, as applicable). Each party will comply with the obligations applicable to its role under applicable data-protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), where applicable.

2. Scope and subject matter

• Subject matter: Conduix’s provision of the governed LLM gateway service to Customer.
• Duration: The term of the Terms of Service, plus any post-termination retention period required to return or delete Customer Data.
• Nature and purpose of processing: Routing requests to upstream model providers selected by Customer, metering usage, enforcing governance and rate-limit policy, producing audit logs and dashboards, and processing billing events.
• Categories of data subjects: Customer’s authorized users and any individuals referenced in the content Customer chooses to submit through the service.
• Categories of personal data: Account information, usage and request metadata, audit-log records, and any personal data contained in request payloads Customer transmits through the service.

3. Customer instructions

Conduix will process Customer Data only on documented instructions from Customer, including those expressed through Customer’s configuration of the service (such as model selection, BYO endpoints, redaction policy, retention controls, and member permissions), and except as required by applicable law. Conduix will inform Customer if, in its opinion, an instruction violates applicable data-protection law.

4. Sub-processors

Customer authorizes Conduix to engage the sub-processors listed in the Privacy Policy (covering upstream model providers, infrastructure, payments, edge, and transactional email). Conduix will impose data-protection obligations on each sub-processor that are no less protective than those in this DPA. Conduix will give Customer notice of any intended addition or replacement of sub-processors and Customer will have a reasonable opportunity to object on data-protection grounds; if Customer objects, the parties will work in good faith to resolve the objection, and absent resolution Customer may terminate the affected portion of the service.

5. Security measures

Conduix will implement and maintain appropriate technical and organizational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include, where applicable:

• Encryption of provider credentials and secrets at rest.
• Encryption of data in transit using current TLS configurations.
• Role-based access control with least-privilege enforcement for production systems.
• Audit logging of security-relevant and administrative actions.
• Optional best-effort structured-PII redaction available to Customer for outbound requests.
• Network protections at the edge (DDoS mitigation, bot protection).

6. Personnel confidentiality

Conduix will ensure that personnel authorized to process Customer Data are bound by written or statutory obligations of confidentiality and are trained on their data-protection responsibilities.

7. Assistance with data subject requests

Taking into account the nature of the processing, Conduix will provide reasonable assistance to enable Customer to respond to requests from data subjects exercising rights of access, rectification, erasure, restriction, portability, or objection. Where a data subject contacts Conduix directly, Conduix will refer the data subject to Customer and notify Customer without undue delay.

8. Personal-data breach notification

Conduix will notify Customer without undue delay after becoming aware of a personal-data breach affecting Customer Data, and will provide reasonably available information about the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it. Notification of a breach is not an acknowledgement of fault or liability.

9. Deletion and return on termination

Upon termination or expiration of the Terms of Service, Conduix will, at Customer’s election, delete or return Customer Data in its possession, except to the extent retention is required by applicable law or for legitimate business purposes such as archival of billing records and security logs. Backups containing Customer Data will be overwritten in the normal course of operations within the standard backup-retention cycle.

10. Audits

Conduix will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including relevant third-party audit reports or certifications where available. On at least thirty (30) days’ prior written notice, and no more than once in any twelve (12) month period, Customer may request additional information; any on-site audit will be conducted during business hours, at Customer’s expense, and subject to confidentiality, so as not to disrupt Conduix’s operations or other customers.

11. International transfers

Where Conduix or its sub-processors process Customer Data outside the jurisdiction in which Customer is established, the parties will rely on a lawful transfer mechanism such as the Standard Contractual Clauses, the UK International Data Transfer Addendum, or any successor mechanism recognized by applicable law.

12. Conflict and governing terms

In the event of a conflict between this DPA and the Terms of Service, this DPA controls with respect to the processing of personal data. All other terms of the Terms of Service remain in full force and effect. Capitalized terms not defined here have the meanings given to them in the Terms of Service or applicable data-protection law.

13. Contact

Questions about this DPA can be sent to support@conduix.ai.