Legal
Data Processing Addendum
Effective July 1, 2026. This addendum forms part of the Deploy Terminal Terms of Service.
1. Purpose and scope
This Data Processing Addendum ("DPA") governs how Deploy ("Processor") handles personal data submitted by customers ("Controller") through the Deploy Terminal inference routing service ("Services"). It supplements the Deploy Terminal Terms of Service and applies wherever the Controller transmits personal data to Deploy in the course of using the Services.
2. Definitions
- Personal Data.Any information relating to an identified or identifiable natural person that is submitted by the Controller through the Services.
- Processing.Any operation performed on Personal Data, limited here to in-transit routing of inference requests.
- Controller.The customer who determines the purposes and means of processing Personal Data.
- Processor.Deploy, which processes Personal Data solely on behalf of and under instruction from the Controller.
- Subprocessor.Any third party engaged by Deploy to assist in processing Personal Data.
3. Nature of processing
Deploy's processing is limited to the following: receiving an inference request from the Controller, routing that request to Anthropic's API over an encrypted connection using an authorized seat token, receiving Anthropic's response, and returning that response to the Controller.
This is the complete scope of Deploy's processing activity. Deploy does not analyze, index, transform, or retain the content of requests or responses for any purpose beyond completing the routing operation described above.
4. Deploy's obligations as Processor
4.1 No retention
Deploy does not write prompt content, response content, or any Personal Data to persistent storage. Data exists in memory only for the duration of a single request-response cycle and is not recoverable after that cycle completes. Deploy maintains no database of customer inference requests.
4.2 Purpose limitation
Deploy processes Personal Data only to fulfill the routing function described in Section 3. Deploy will not use Personal Data for model training, product analytics, advertising, benchmarking, or any other purpose.
4.3 Security
Deploy implements TLS encryption for all data in transit between the Controller, Deploy's infrastructure, and Anthropic's API. Access to routing infrastructure is limited to personnel who require it to operate the Services and is subject to confidentiality obligations.
4.4 Subprocessors
The Controller authorizes Deploy to engage the following subprocessors:
Subprocessor
Purpose
Location
Anthropic PBC
Large language model inference
United States
Vercel Inc.
Hosting and routing infrastructure
United States
Deploy will provide the Controller with at least 30 days notice before adding or replacing a subprocessor that processes Personal Data. The Controller may object in writing within that period; if the parties cannot resolve the objection, the Controller may terminate the Services.
4.5 Data subject rights
Deploy will cooperate with the Controller in responding to data subject requests (access, deletion, correction, portability) within a commercially reasonable timeframe. Because Deploy retains no Personal Data beyond individual request cycles, Deploy's response to deletion requests will confirm the absence of stored data.
4.6 Breach notification
Deploy will notify the Controller without undue delay, and no later than 72 hours after becoming aware, of any breach of security that affects Personal Data processed under this DPA. Notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed to address it.
4.7 Audit rights
Upon the Controller's written request, Deploy will provide information reasonably necessary to demonstrate compliance with this DPA. On-site audits may be conducted no more than once per year upon 30 days written notice and at the Controller's expense.
5. Controller's obligations
The Controller represents and warrants that it has a lawful basis for processing Personal Data and for transferring Personal Data to Deploy for routing purposes under applicable law, including obtaining any necessary consents from data subjects.
The Controller is solely responsible for the accuracy, quality, and legality of Personal Data submitted through the Services, and for ensuring that its use of the Services complies with all applicable laws.
6. International data transfers
Personal Data processed under this DPA is routed through infrastructure located in the United States. Controllers subject to GDPR or UK GDPR acknowledge that this constitutes a transfer to a third country.
Where required by applicable law, the parties agree to execute EU Standard Contractual Clauses (Module 2: Controller to Processor) or UK International Data Transfer Addendum upon written request by the Controller. Requests should be directed to ben@deploy.report.
7. Term and termination
This DPA is effective for the duration of the Controller's use of the Services. Upon termination, the Controller's obligation to pay outstanding credits survives. Deploy has no data to delete or return upon termination, as no Personal Data is retained beyond individual request cycles.
8. Governing law
This DPA is governed by the laws of the State of Delaware, without regard to conflict of law provisions, and subject to the dispute resolution provisions of the Deploy Terminal Terms of Service.
9. Order of precedence
In the event of conflict between this DPA and the Deploy Terminal Terms of Service regarding the processing of Personal Data, this DPA controls.
Execution
By using the Deploy Terminal Services, the Controller agrees to this DPA. For a countersigned copy, contact ben@deploy.report.
For Deploy (Processor)
Signature
Name
Ben Smith
Title
Founder, Deploy
Date
For Controller
Signature
Name
Title
Company
Date
This document does not constitute legal advice. If you have questions about your compliance obligations, consult qualified legal counsel.