DEPLOYTerminal

Legal

Data Processing Addendum

Effective July 1, 2026. This addendum forms part of the Deploy Terminal Terms of Service.

1. Purpose and scope

This Data Processing Addendum ("DPA") governs how Deploy ("Processor") handles personal data submitted by customers ("Controller") through the Deploy Terminal inference routing service ("Services"). It supplements the Deploy Terminal Terms of Service and applies wherever the Controller transmits personal data to Deploy in the course of using the Services.

2. Definitions

  • Personal Data.Any information relating to an identified or identifiable natural person that is submitted by the Controller through the Services.
  • Processing.Any operation performed on Personal Data, limited here to in-transit routing of inference requests.
  • Controller.The customer who determines the purposes and means of processing Personal Data.
  • Processor.Deploy, which processes Personal Data solely on behalf of and under instruction from the Controller.
  • Subprocessor.Any third party engaged by Deploy to assist in processing Personal Data.

3. Nature of processing

Deploy's processing is limited to the following: receiving an inference request from the Controller, routing that request to Anthropic's API over an encrypted connection using an authorized seat token, receiving Anthropic's response, and returning that response to the Controller.

This is the complete scope of Deploy's processing activity. Deploy does not analyze, index, transform, or retain the content of requests or responses for any purpose beyond completing the routing operation described above.

4. Deploy's obligations as Processor

4.1 No retention

Deploy does not write prompt content, response content, or any Personal Data to persistent storage. Data exists in memory only for the duration of a single request-response cycle and is not recoverable after that cycle completes. Deploy maintains no database of customer inference requests.

4.2 Purpose limitation

Deploy processes Personal Data only to fulfill the routing function described in Section 3. Deploy will not use Personal Data for model training, product analytics, advertising, benchmarking, or any other purpose.

4.3 Security

Deploy implements TLS encryption for all data in transit between the Controller, Deploy's infrastructure, and Anthropic's API. Access to routing infrastructure is limited to personnel who require it to operate the Services and is subject to confidentiality obligations.

4.4 Subprocessors

The Controller authorizes Deploy to engage the following subprocessors:

Subprocessor

Purpose

Location

Anthropic PBC

Large language model inference

United States

Vercel Inc.

Hosting and routing infrastructure

United States

Deploy will provide the Controller with at least 30 days notice before adding or replacing a subprocessor that processes Personal Data. The Controller may object in writing within that period; if the parties cannot resolve the objection, the Controller may terminate the Services.

4.5 Data subject rights

Deploy will cooperate with the Controller in responding to data subject requests (access, deletion, correction, portability) within a commercially reasonable timeframe. Because Deploy retains no Personal Data beyond individual request cycles, Deploy's response to deletion requests will confirm the absence of stored data.

4.6 Breach notification

Deploy will notify the Controller without undue delay, and no later than 72 hours after becoming aware, of any breach of security that affects Personal Data processed under this DPA. Notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed to address it.

4.7 Audit rights

Upon the Controller's written request, Deploy will provide information reasonably necessary to demonstrate compliance with this DPA. On-site audits may be conducted no more than once per year upon 30 days written notice and at the Controller's expense.

5. Controller's obligations

The Controller represents and warrants that it has a lawful basis for processing Personal Data and for transferring Personal Data to Deploy for routing purposes under applicable law, including obtaining any necessary consents from data subjects.

The Controller is solely responsible for the accuracy, quality, and legality of Personal Data submitted through the Services, and for ensuring that its use of the Services complies with all applicable laws.

6. International data transfers

Personal Data processed under this DPA is routed through infrastructure located in the United States. Controllers subject to GDPR or UK GDPR acknowledge that this constitutes a transfer to a third country.

Where required by applicable law, the parties agree to execute EU Standard Contractual Clauses (Module 2: Controller to Processor) or UK International Data Transfer Addendum upon written request by the Controller. Requests should be directed to ben@deploy.report.

7. Term and termination

This DPA is effective for the duration of the Controller's use of the Services. Upon termination, the Controller's obligation to pay outstanding credits survives. Deploy has no data to delete or return upon termination, as no Personal Data is retained beyond individual request cycles.

8. Governing law

This DPA is governed by the laws of the State of Delaware, without regard to conflict of law provisions, and subject to the dispute resolution provisions of the Deploy Terminal Terms of Service.

9. Order of precedence

In the event of conflict between this DPA and the Deploy Terminal Terms of Service regarding the processing of Personal Data, this DPA controls.

Execution

By using the Deploy Terminal Services, the Controller agrees to this DPA. For a countersigned copy, contact ben@deploy.report.

For Deploy (Processor)

Signature

Name

Ben Smith

Title

Founder, Deploy

Date

For Controller

Signature

 

Name

 

Title

 

Company

 

Date

 

This document does not constitute legal advice. If you have questions about your compliance obligations, consult qualified legal counsel.