This DPA is between:
Geodd LLC
1007 N Orange St., 4th Floor, Suite #1382
United States
Website: geodd.io
Privacy contact: [email protected]
Security contact: [email protected]
Legal notices: [email protected]
and Customer, meaning the person or entity that uses the Services or enters into an Agreement with Geodd.
Geodd and Customer may each be referred to as a “Party” and together as the “Parties.”
2.1 Geodd provides AI infrastructure services, including:
2.2 Geodd acts as an independent controller for personal data processed for its own business purposes, including customer account data, billing data, payment data, usage records, security logs, support communications, legal records, administrative records, marketing data, and website visitor data.
2.3 Geodd acts as a processor where it processes Customer Personal Data submitted by or on behalf of Customer through the Services solely to provide the Services under Customer’s documented instructions.
2.4 Customer is responsible for determining whether it acts as a controller or processor in relation to Customer Personal Data and for ensuring that it has all required rights, notices, lawful bases, consents, authorizations, and permissions to submit Customer Personal Data to the Services.
“Agreement” means Geodd’s Terms of Service, order form, online agreement, service agreement, or other agreement governing Customer’s use of the Services.
“Applicable Data Protection Laws” means all data protection and privacy laws applicable to the processing of Customer Personal Data under this DPA, including where applicable the GDPR, UK GDPR, UK Data Protection Act 2018, Swiss FADP, and relevant U.S. state privacy laws.
“Bare Metal Infrastructure” means dedicated physical server, bare metal, or infrastructure services provided or managed by Geodd for Customer.
“Customer Personal Data” means personal data that Customer submits to the Services and that Geodd processes as a processor on behalf of Customer.
“Data Subject” means an identified or identifiable natural person to whom Customer Personal Data relates.
“Dedicated GPU” means bare metal GPU endpoint infrastructure provided by Geodd for Customer workloads.
“Dedicated Inferencing” means dedicated AI model endpoint infrastructure provided by Geodd for Customer’s inference workloads.
“DPA” means this Data Processing Agreement.
“GDPR” means Regulation (EU) 2016/679.
“Inferencing” means Geodd’s AI model inference service, including Serverless Inferencing and Dedicated Inferencing.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed by Geodd as processor.
“Serverless Inferencing” means shared inferencing infrastructure made available by Geodd for API access to AI models.
“Services” means the Geodd products and services made available to Customer under the Agreement, including Inferencing, Serverless Inferencing, Dedicated Inferencing, Dedicated GPU, Bare Metal Infrastructure, and related support, security, operational, billing, and administrative services.
“Subprocessor” means a third party engaged by Geodd to process Customer Personal Data on behalf of Geodd in connection with the Services.
“Swiss FADP” means the Swiss Federal Act on Data Protection.
“UK GDPR” means the GDPR as incorporated into the laws of the United Kingdom.
Terms such as “controller,” “processor,” “personal data,” “processing,” and “supervisory authority” have the meanings given to them under Applicable Data Protection Laws.
4.1 Customer as Controller or Processor. Customer may act as a controller or processor with respect to Customer Personal Data. Where Customer acts as a processor on behalf of another controller, Customer represents that its instructions to Geodd are authorized by the relevant controller.
4.2 Geodd as Processor. Geodd will process Customer Personal Data only as a processor and only for the purposes described in this DPA, the Agreement, the applicable order form, or Customer’s documented instructions.
4.3 Geodd as Independent Controller. Geodd acts as an independent controller for personal data processed for account management, billing, payment processing, legal compliance, fraud prevention, security, support, service administration, analytics, marketing, and similar business purposes.
4.4 No Sale or Training Use. Geodd will not sell Customer Personal Data or use Customer Personal Data for targeted advertising, model training, or unrelated commercial purposes.
5.1 Customer instructs Geodd to process Customer Personal Data as necessary to:
5.2 Geodd will not process Customer Personal Data for any purpose outside Customer’s documented instructions unless required by applicable law. If Geodd is legally required to process Customer Personal Data for another purpose, Geodd will inform Customer before such processing unless legally prohibited.
5.3 Customer is responsible for ensuring that its instructions comply with Applicable Data Protection Laws. Geodd is not responsible for determining whether Customer’s instructions are lawful.
5.4 If Geodd believes that an instruction infringes Applicable Data Protection Laws, Geodd may notify Customer and suspend the relevant processing until Customer confirms or modifies the instruction.
The subject matter, duration, nature, purpose, categories of Data Subjects, and categories of Customer Personal Data are described in Schedule 1.
7.1 For Inferencing services, including Serverless Inferencing and Dedicated Inferencing, Geodd processes prompts, inputs, outputs, completions, request bodies, and response bodies transiently for the purpose of providing the Services.
7.2 Unless expressly agreed in writing, Geodd does not store:
7.3 Geodd does not use Customer Personal Data submitted through the API to train models.
7.4 Geodd does not conduct human review of prompts or outputs by default.
7.5 Geodd may process limited metadata, including model used, timestamp, token count, status code, usage records, IP address where applicable, and authentication metadata for billing, security, fraud prevention, troubleshooting, service operation, legal, and compliance purposes.
7.6 Customer acknowledges that Geodd does not control the content of prompts, inputs, outputs, or other data submitted by Customer or Customer’s users through the Services.
8.1 Customer is responsible for:
8.2 Customer is responsible for the content of all prompts, inputs, outputs, workloads, data, and materials submitted to or processed through the Services.
9.1 Customer is responsible for determining whether Customer Personal Data submitted to the Services includes sensitive, special category, regulated, or high-risk personal data under Applicable Data Protection Laws.
9.2 Geodd’s Services are designed to process Customer-submitted data according to Customer’s instructions. Geodd does not require Customer to submit sensitive or regulated data in order to use the Services.
9.3 If Customer submits sensitive, special category, regulated, or high-risk personal data to the Services, Customer is responsible for ensuring that it has all required lawful bases, notices, consents, authorizations, permissions, safeguards, and contractual rights necessary for such processing.
9.4 Sensitive or regulated data may include, where applicable, special category data under the GDPR, health data, biometric data, children’s data, criminal offense data, payment card data, protected health information, financial regulated data, or other data subject to heightened legal requirements.
9.5 Unless expressly agreed in writing, Geodd does not provide Services specifically intended for HIPAA-regulated protected health information, children’s data, biometric identification, criminal offense records, or other legally restricted workloads requiring dedicated contractual or regulatory controls.
9.6 Customer must not use the Services in a manner that violates Applicable Data Protection Laws, the Agreement, this DPA, or Geodd’s acceptable use or service policies.
9.7 Geodd may suspend or restrict processing only where Geodd reasonably believes that Customer’s use of the Services creates a material legal, security, regulatory, or operational risk to Geodd, the Services, other customers, or Data Subjects.
10.1 Geodd will ensure that personnel authorized to process Customer Personal Data are subject to appropriate confidentiality obligations.
10.2 Geodd will limit access to Customer Personal Data to personnel who require access based on their job role and operational need.
10.3 Customer must keep all non-public information about the Services, security measures, audit materials, documentation, and technical systems confidential.
11.1 Geodd will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
11.2 The technical and organizational measures are described at Security Measures and are incorporated into this DPA by reference.
11.3 Customer acknowledges that security measures may evolve over time, provided Geodd does not materially reduce the overall level of protection for Customer Personal Data.
12.1 Geodd will notify Customer without undue delay and, where feasible, within 72 hours after becoming aware of a Personal Data Breach affecting Customer Personal Data.
12.2 Geodd’s notification may include, where available:
12.3 Geodd may provide information in phases as it becomes available.
12.4 Geodd’s notification of a Personal Data Breach is not an admission of fault, liability, or violation of law.
12.5 Customer is responsible for determining whether it must notify Data Subjects, regulators, customers, or other third parties.
13.1 Taking into account the nature of the processing, Geodd will provide reasonable assistance to Customer in responding to Data Subject requests relating to Customer Personal Data.
13.2 Where Geodd receives a request directly from a Data Subject relating to Customer Personal Data, Geodd may redirect the Data Subject to Customer unless legally required to respond directly.
13.3 Customer acknowledges that API prompts and outputs cannot be exported, corrected, or deleted after processing where Geodd does not store them.
13.4 Geodd may charge reasonable fees for assistance that is excessive, complex, repetitive, non-standard, or outside the normal operation of the Services.
14.1 Taking into account the nature of processing and information available to Geodd, Geodd will provide reasonable assistance to Customer with:
14.2 Geodd may decline to disclose confidential, commercially sensitive, or security-sensitive information where disclosure could compromise the Services, Geodd, or other customers.
14.3 Geodd may charge reasonable fees for assistance that is not included in standard support or that requires significant time, resources, legal review, security review, or technical review.
15.1 Customer grants Geodd general authorization to engage Subprocessors to process Customer Personal Data in connection with the Services.
15.2 Geodd’s current Subprocessor list is available at Subprocessor List and is incorporated into this DPA by reference.
15.3 Geodd will provide at least 30 days’ prior notice before adding or replacing a Subprocessor that will process Customer Personal Data.
15.4 Customer may object to a new Subprocessor by emailing [email protected] within the notice period and explaining its reasonable data protection grounds for objection.
15.5 If Customer objects, Geodd may use reasonable efforts to make available a commercially reasonable alternative, where technically and commercially feasible.
15.6 If Geodd cannot reasonably accommodate the objection, Customer may terminate only the affected Services by providing written notice before the new Subprocessor is used for Customer Personal Data.
15.7 Unless required by applicable law or expressly stated in the Agreement, Geodd is not required to refund prepaid fees due to Customer’s objection to a Subprocessor.
15.8 Geodd will impose written data protection obligations on Subprocessors that are no less protective in substance than those in this DPA, to the extent applicable to the nature of the services provided by the Subprocessor.
15.9 Geodd remains responsible for the performance of its Subprocessors’ data protection obligations to the extent required by Applicable Data Protection Laws.
16.1 Geodd may use third-party suppliers for physical hardware, rack space, power, cooling, connectivity, physical maintenance, physical security, and related infrastructure support.
16.2 Geodd does not treat such suppliers as Subprocessors where they do not process Customer Personal Data on behalf of Geodd.
16.3 Physical infrastructure suppliers are not Subprocessors where they do not have logical, administrative, operational, support, storage, backup, monitoring, encryption-key, or readable access to Customer Personal Data, workloads, prompts, outputs, logs, backups, storage, or runtime environments.
16.4 Emergency access by such suppliers is limited to physical premises, racks, cabling, power, hardware replacement, and physical security, and does not include logical access to systems, workloads, storage, logs, encryption keys, or Customer Personal Data.
17.1 Geodd LLC is established in the United States.
17.2 Where Customer Personal Data subject to the GDPR, UK GDPR, or Swiss FADP is transferred to or accessed from a country that has not been recognized as providing an adequate level of protection, the Parties agree that the applicable transfer mechanism will apply as set out in this DPA, including:
17.3 International transfer terms are set out in Schedule 4.
17.4 Upon reasonable request, Geodd will provide information reasonably necessary to assist Customer in assessing international transfers of Customer Personal Data, including information about applicable transfer mechanisms, processing locations, Subprocessors, technical and organizational measures, and supplementary measures.
17.5 Geodd is not required to disclose confidential, commercially sensitive, or security-sensitive information where disclosure would compromise the security of the Services.
18.1 Where Geodd offers Customer a choice of infrastructure region, Customer is responsible for selecting the region appropriate for its use of the Services.
18.2 If Customer selects infrastructure located outside the EU, EEA, UK, Switzerland, or another relevant jurisdiction, Customer acknowledges and instructs Geodd that Customer Personal Data submitted to the Services may be transferred to and processed in that selected region for the purpose of providing the Services.
18.3 For EU/UK customers using EU/UK or EU-region infrastructure, Geodd will process API requests for inference in the applicable selected region, except where a transfer is required for support, security, debugging, service operations, billing, legal, compliance, or where Customer selects or enables infrastructure outside that region.
19.1 Upon termination of the Services or upon Customer’s written request, Geodd will delete or return Customer Personal Data in accordance with this DPA, the Agreement, applicable law, and Geodd’s retention practices.
19.2 Customer may request deletion of Customer Personal Data or deletion of its user account by emailing [email protected] or by using any deletion functionality made available in the Services.
19.3 Where Customer requests deletion of its user account, Geodd will delete or deactivate the account within a reasonable period and, where applicable, delete associated account data within 30 days, except for records that Geodd is required or permitted to retain for legal, tax, billing, security, fraud prevention, dispute, compliance, or legitimate business purposes.
19.4 Customer may export account or administrative data before account deletion where export functionality is available or where Geodd reasonably supports such export.
19.5 API prompts, inputs, outputs, completions, request bodies, and response bodies are not available for export, return, correction, or deletion after processing where Geodd does not store them.
19.6 Usage records, billing records, tax records, security logs, legal records, dispute records, fraud prevention records, and compliance records may be retained where required or permitted for legal, tax, billing, security, fraud prevention, dispute, or compliance purposes.
19.7 Backup deletion occurs through normal backup expiry cycles and not by immediate deletion from all backups.
19.8 Geodd may provide a deletion certificate upon reasonable request after deletion has been completed, subject to retained records and backup expiry.
20.1 Geodd will make available information reasonably necessary to demonstrate compliance with its processor obligations under this DPA and Applicable Data Protection Laws.
20.2 Audits will be conducted on a documentation-first basis.
20.3 Customer may request reasonable security documentation, questionnaires, policies, summaries, certifications, or third-party reports where available, subject to confidentiality obligations.
20.4 On-site audits are permitted only where:
20.5 Unless legally required otherwise, audits are limited to once per 12-month period.
20.6 Customer must provide at least 30 days’ prior written notice for any audit, except where shorter notice is required due to a confirmed Personal Data Breach or legally binding regulator request.
20.7 Any auditor must be independent, qualified, not a competitor of Geodd, and bound by written confidentiality obligations.
20.8 Audits must be limited to Customer Personal Data and Geodd’s obligations under this DPA.
20.9 Audits must not:
20.10 Customer is responsible for all audit costs unless the audit reveals a material breach of this DPA caused by Geodd.
20.11 Geodd may charge reasonable fees for time and resources required to support audits.
21.1 If Geodd receives a legally binding request for Customer Personal Data from a public authority, court, regulator, or law enforcement body, Geodd will, where legally permitted, notify Customer.
21.2 Geodd may challenge or narrow a request where Geodd reasonably determines that the request is unlawful, overbroad, or inconsistent with applicable legal requirements.
21.3 Geodd will not voluntarily disclose Customer Personal Data to government authorities except as required by law or necessary to protect the Services, Geodd, Customer, users, or the public.
22.1 Each Party’s liability under this DPA is subject to the limitations, exclusions, and liability caps in the Agreement.
22.2 If the Agreement does not contain a liability cap, then, to the maximum extent permitted by law, each Party’s total aggregate liability arising out of or relating to this DPA will not exceed the amounts paid or payable by Customer to Geodd for the affected Services in the 12 months before the event giving rise to liability.
22.3 Neither Party will be liable for indirect, incidental, special, consequential, exemplary, or punitive damages, or for loss of profits, revenue, goodwill, business opportunity, or anticipated savings, whether direct or indirect, except to the extent such limitation is prohibited by applicable law.
22.4 Nothing in this DPA limits liability to the extent such limitation is prohibited by applicable law.
22.5 Customer is responsible for claims, fines, penalties, damages, losses, or costs arising from Customer’s unlawful instructions, unlawful submission of Customer Personal Data, failure to provide notices or obtain consents, submission of regulated data without appropriate safeguards, or misuse of the Services.
23.1 If there is a conflict between this DPA and the Agreement, this DPA controls only with respect to the processing of Customer Personal Data as processor.
23.2 If there is a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses control to the extent of the conflict.
23.3 If there is a conflict between this DPA and the UK Addendum, the UK Addendum controls to the extent required by UK Data Protection Laws.
24.1 Geodd may provide notices under this DPA by email, through the Services, through the customer dashboard, through the website, or by other reasonable electronic means.
24.2 Notices to Geodd must be sent as follows:
24.3 Customer is responsible for keeping its account, admin, billing, privacy, security, and legal contact details accurate and up to date.
24.4 Notices sent by email are deemed received when sent, unless the sender receives an automated delivery failure notice.
25.1 This DPA is governed by the laws of the State of Delaware, United States, except where Applicable Data Protection Laws require otherwise.
25.2 Mandatory rights and obligations under Applicable Data Protection Laws remain unaffected.
26.1 This DPA begins on the effective date of the Agreement or the date Customer first uses the Services, whichever is earlier.
26.2 This DPA remains in effect for as long as Geodd processes Customer Personal Data as processor.
26.3 Any provisions that by their nature should survive termination will survive, including confidentiality, deletion, audit, international transfer, liability, and governing law provisions.
Geodd’s processing of Customer Personal Data in connection with the provision of the Services to Customer.
For the duration of the Agreement and any period during which Geodd processes Customer Personal Data on behalf of Customer, subject to deletion, retention, backup expiry, and legal retention obligations.
The nature of processing may include:
The purpose of processing is to provide, operate, maintain, secure, support, and improve Geodd’s Inferencing, Dedicated GPU, Bare Metal Infrastructure, and related services under Customer’s instructions.
Customer Personal Data may relate to:
Customer Personal Data processed by Geodd as processor may include:
Unless expressly agreed in writing, Geodd does not store:
Customer is responsible for determining whether Customer Personal Data includes sensitive, special category, regulated, or high-risk personal data and for ensuring that such processing complies with Applicable Data Protection Laws.
Continuous or as initiated by Customer’s use of the Services.
Processing may occur in the region selected by Customer, in Geodd’s operational locations, and in Subprocessor locations as described in this DPA, the applicable order form, and the Subprocessor list.
Geodd’s technical and organizational measures are described at Security Measures and are incorporated into this DPA by reference.
Geodd’s Subprocessor list is available at Subprocessor List and is incorporated into this DPA by reference.
Physical infrastructure suppliers that provide hardware, rack space, power, cooling, connectivity, physical maintenance, physical security, or physical hardware support without access to Customer Personal Data are not treated as Subprocessors.
Where the GDPR applies and Customer Personal Data is transferred to a country that has not been recognized as providing an adequate level of protection, the Parties agree that the EU Standard Contractual Clauses apply as follows:
The full EU Standard Contractual Clauses are incorporated by reference at: https://commission.europa.eu/publications/publications-standard-contractual-clauses-sccs_en.
Where the UK GDPR applies and Customer Personal Data is transferred to a country that has not been recognized as providing an adequate level of protection, the UK International Data Transfer Addendum applies.
The UK Addendum is incorporated by reference at: https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf
For purposes of the UK Addendum:
Where the Swiss FADP applies, the Parties agree that the SCCs will be interpreted to protect personal data subject to the Swiss FADP.
For Swiss transfers:
Upon reasonable request, Geodd will provide information reasonably necessary to assist Customer in assessing international transfers of Customer Personal Data, including information about:
Geodd is not required to disclose confidential or security-sensitive information where disclosure could compromise the security of the Services.
Geodd implements supplementary measures designed to protect Customer Personal Data, including:
| Data Type | Retention / Handling |
|---|---|
| API prompts / inputs | Not stored |
| API outputs / completions | Not stored |
| API request bodies | Not stored |
| API response bodies | Not stored |
| Uploaded files | Not supported / not stored unless separately agreed |
| Embeddings | Not stored unless separately agreed |
| Customer datasets | Not stored unless separately agreed |
| Fine-tuning data | Not supported unless separately agreed |
| Billing / financial usage records | Retained for legal, tax, billing, fraud prevention, dispute, security, and compliance purposes |
| Billing / tax records | 7 years or as legally required |
| Security logs | 12 months unless longer retention is required |
| Support tickets | 12 months unless longer retention is required |
| Marketing records | Until unsubscribe plus 2 years |
| Marketing consent records | 6 years |
| Database backups | 30-day rolling backups |
| Deleted account data | Deleted within 30 days, except lawful retained records and backup expiry |
This Schedule describes the Services covered by this DPA. The applicable Services are those made available to Customer under the Agreement, order form, dashboard, or other service documentation.
Geodd’s Inferencing product includes:
Inferencing may involve transient processing of API prompts, inputs, outputs, completions, request bodies, and response bodies to generate and return API responses.
Unless expressly agreed in writing, default handling for Inferencing is as follows:
Limited metadata may include model used, timestamp, token count, status code, usage records, IP address where applicable, and authentication metadata.
Serverless Inferencing means shared inferencing infrastructure made available by Geodd for API access to AI models.
For Serverless Inferencing:
Dedicated Inferencing means dedicated AI model endpoint infrastructure provided for Customer’s inference workloads.
For Dedicated Inferencing:
Dedicated Inferencing may include provisioning, operating, monitoring, securing, maintaining, and supporting dedicated endpoint infrastructure for Customer.
Dedicated GPU means bare metal GPU endpoint infrastructure provided for Customer workloads.
Processing may include provisioning, operating, maintaining, securing, monitoring, and supporting dedicated GPU infrastructure selected or used by Customer.
Where Customer uses Dedicated GPU infrastructure, Customer is responsible for:
Where a GPU provider or physical infrastructure supplier only provides hardware, rack space, power, cooling, connectivity, physical maintenance, or physical security without logical, administrative, operational, storage, backup, monitoring, encryption-key, or readable access to Customer Personal Data, Geodd does not treat that provider as a Subprocessor.
Bare Metal Infrastructure means dedicated physical server, bare metal, or infrastructure services provided or managed by Geodd for Customer.
Processing may include provisioning, operating, maintaining, securing, monitoring, and supporting bare metal infrastructure selected or used by Customer.
Where Customer uses Bare Metal Infrastructure, Customer is responsible for:
Where a physical infrastructure supplier only provides hardware, rack space, power, cooling, connectivity, physical maintenance, or physical security without logical, administrative, operational, storage, backup, monitoring, encryption-key, or readable access to Customer Personal Data, Geodd does not treat that provider as a Subprocessor.