Data Handling | Geodd
Last Updated: 9th June, 2026

Data Handling

01

Overview

Geodd designs its Services to minimize unnecessary data storage and reduce customer data exposure.

For AI model API services, Geodd processes prompts, inputs, outputs, request bodies, and response bodies transiently to provide the requested inference response. Unless separately agreed in writing, Geodd does not store API prompts, API inputs, API outputs, completions, API request bodies, API response bodies, uploaded files, embeddings, customer datasets, or fine-tuning data.

Geodd does not use API data for model training and does not conduct human review of prompts or outputs by default.

02

Services Covered

This page applies to Geodd Services, including:

  • Inferencing
  • Serverless Inferencing
  • Dedicated Inferencing
  • Dedicated GPU
  • Bare Metal Infrastructure
  • Website, dashboard, APIs, and related systems

Data handling may differ depending on the Service, customer configuration, infrastructure region, and Order.

03

How Geodd Handles API Data

For AI model API services, Customer may submit prompts, inputs, or other request data to receive model outputs or completions.

By default:

Data Type | Geodd Handling
API prompts / inputs | Processed transiently; not stored
API outputs / completions | Processed transiently; not stored
API request bodies | Not stored
API response bodies | Not stored
Uploaded files | Not supported / not stored unless separately agreed
Embeddings | Not stored unless separately agreed
Customer datasets | Not stored unless separately agreed
Fine-tuning data | Not supported unless separately agreed
API payload caching | No
API data used for training | No
Human review of prompts / outputs | No, by default

API data is processed to provide the requested inference response and is discarded after processing, unless a different arrangement is expressly agreed in writing.

04

Metadata Geodd May Retain

Although Geodd does not store API request bodies or response bodies by default, Geodd may retain limited metadata for legitimate operational purposes.

This metadata may include:

  • Model used
  • Timestamp
  • Token count
  • Status code
  • Usage records
  • IP address where applicable
  • Authentication metadata

Geodd may use this metadata for:

  • Billing
  • Usage measurement
  • Security
  • Troubleshooting
  • Service operation
  • Fraud prevention
  • Abuse prevention
  • Legal and compliance purposes
  • Dispute resolution

This metadata does not include the text of API prompts, API inputs, API outputs, request bodies, or response bodies by default.

05

API Keys and Authentication

Customers are responsible for securing their API keys, credentials, tokens, dashboard access, applications, and account permissions.

Geodd does not store full API keys. Geodd stores only a hash of the API key for authentication and security purposes.

Customers should:

  • Keep API keys confidential
  • Avoid sharing API keys in public repositories, logs, messages, or client-side code
  • Rotate keys if compromise is suspected
  • Limit access to authorized users and systems
  • Notify Geodd promptly of suspected unauthorized access or credential compromise

Geodd may disable, rotate, suspend, revoke, or require replacement of API keys where necessary for security, abuse prevention, legal compliance, service protection, or suspected compromise.

06

No Training Use

Geodd does not use API prompts, inputs, outputs, completions, request bodies, response bodies, uploaded files, embeddings, customer datasets, or fine-tuning data for model training by default.

Geodd also does not use API data for fine-tuning by default.

If any customer-specific training, fine-tuning, evaluation, or dataset processing is offered in the future, it should be governed by a separate written agreement or Order.

07

No Human Review by Default

Geodd does not conduct human review of API prompts or outputs by default.

Geodd personnel may access limited account, usage, technical, operational, billing, support, or security information where reasonably necessary to:

  • Provide support
  • Investigate technical issues
  • Debug service issues
  • Secure the Services
  • Prevent fraud or abuse
  • Comply with legal obligations
  • Enforce agreements and policies
  • Operate and maintain the Services

Such access is limited based on role, operational need, and applicable security controls.

08

Customer Account and Administrative Data

Geodd may process account, administrative, billing, support, legal, security, and usage data to operate the Services and manage its relationship with customers.

This may include:

  • Name
  • Business email
  • Phone number
  • Company name
  • Job title
  • Login credentials
  • Billing address
  • Payment metadata
  • Invoices
  • Tax IDs
  • Contract and order details
  • Support messages
  • Usage records
  • Security logs
  • Authentication metadata

Geodd processes this data as an independent controller, as described in its Privacy Policy.

09

Customer Personal Data Submitted Through the Services

Customers are responsible for determining whether data submitted through the Services contains personal data.

Where Geodd processes Customer Personal Data submitted by or on behalf of a Customer through the Services, Geodd generally acts as a processor and processes that data under the Customer’s instructions.

Customers are responsible for ensuring that they have:

  • A lawful basis for submitting personal data to the Services
  • Provided required notices to data subjects
  • Obtained required consents, authorizations, or permissions
  • All required rights to submit and process the data
  • Appropriate safeguards for sensitive, regulated, or high-risk data

Geodd’s Data Protection Addendum is available at: geodd.io/legal/data-protection-addendum

10

Sensitive and Regulated Data

Geodd does not require customers to submit sensitive, special category, regulated, or high-risk personal data in order to use the Services.

Customers should avoid submitting sensitive or regulated data unless they have confirmed that their use case is lawful, appropriate, and supported by the applicable Order and agreements.

Unless expressly agreed in writing, Geodd does not provide Services specifically intended for:

  • HIPAA-regulated protected health information
  • Children’s data
  • Biometric identification
  • Criminal offense records
  • Other legally restricted workloads requiring dedicated contractual or regulatory controls

If a customer submits sensitive, special category, regulated, or high-risk personal data, the customer is responsible for ensuring that it has all required lawful bases, notices, consents, authorizations, permissions, safeguards, and contractual rights.

11

Dedicated Inferencing

For Dedicated Inferencing, Geodd may provide dedicated AI model endpoint infrastructure for Customer’s inference workloads.

Geodd’s default API data handling position still applies unless expressly agreed otherwise:

  • API prompts are not stored
  • API outputs are not stored
  • API request bodies are not stored
  • API response bodies are not stored
  • API data is not used for training
  • Human review of prompts and outputs does not occur by default
  • Limited metadata may be retained for billing, usage, security, troubleshooting, service operation, fraud prevention, legal, and compliance purposes

Dedicated Inferencing may provide stronger workload isolation compared with shared infrastructure, depending on the service configuration and Order.

12

Dedicated GPU and Bare Metal Infrastructure

For Dedicated GPU and Bare Metal Infrastructure, Customer may have direct control over workloads, applications, models, datasets, credentials, operating environments, access permissions, and network exposure.

Customer is responsible for:

  • Securing Customer-controlled systems
  • Configuring access controls and credentials
  • Managing workloads, applications, models, and datasets
  • Applying patches and updates where Customer controls the environment
  • Maintaining independent backups of Customer-controlled data
  • Ensuring workloads comply with applicable law and Geodd policies
  • Ensuring Customer has required rights to use all data, software, models, and workloads

Unless expressly agreed in writing, Geodd does not provide customer workload backup, model backup, dataset backup, file backup, or disaster recovery services.

13

Backups and Retention

Geodd’s retention practices depend on the type of data.

Data Type | Retention / Handling
API prompts / inputs | Not stored
API outputs / completions | Not stored
API request bodies | Not stored
API response bodies | Not stored
Uploaded files | Not supported / not stored unless separately agreed
Embeddings | Not stored unless separately agreed
Customer datasets | Not stored unless separately agreed
Fine-tuning data | Not supported unless separately agreed
Limited API metadata | Retained as needed for billing, usage measurement, security, troubleshooting, service operation, fraud prevention, legal, and compliance purposes
Billing / financial usage records | 7 years
Billing / tax records | 7 years
Security logs | 12 months unless longer retention is required
Support tickets | 12 months unless longer retention is required
Marketing records | Until unsubscribe plus 2 years
Marketing consent records | 6 years
Database backups | 30-day rolling backups
Deleted account data | Deleted within 30 days, except lawful retained records and backup expiry

Backup deletion occurs through normal backup expiry cycles and not by immediate deletion from all backups.

14

Account Deletion

Customers may request account deletion by contacting [email protected] or by using deletion functionality made available in the Services.

Where a customer requests account deletion, Geodd will delete or deactivate the account within a reasonable period and, where applicable, delete associated account data within 30 days, except for records that Geodd is required or permitted to retain for legal, tax, billing, security, fraud prevention, dispute, compliance, or legitimate business purposes.

API prompts, inputs, outputs, completions, request bodies, and response bodies are not available for export, correction, deletion, backup, or restoration after processing where Geodd does not store them.

15

Security Measures

Geodd uses technical and organizational measures designed to protect personal data and systems against unauthorized access, loss, misuse, alteration, disclosure, or destruction.

Security measures may include:

  • TLS protection for data in transit
  • Encryption at rest where applicable
  • API key hash storage
  • API authentication using API keys and OAuth where applicable
  • Role-based access controls
  • MFA for administrative access
  • Firewalls and web application firewall protection
  • Private networks where applicable
  • Customer isolation through dedicated endpoints where applicable
  • Access logging
  • Vulnerability management
  • Incident response processes
  • 30-day rolling backups for users and usage data where applicable
  • Staff confidentiality obligations
  • Staff access limited based on job role and operational need

Geodd’s Security Measures page is available at: geodd.io/trust-center/security-measures

16

Support and Administrative Access

Support and administrative access may occur where necessary for:

  • Customer support
  • Security
  • Debugging
  • Service operations
  • Billing
  • Legal obligations
  • Compliance
  • Abuse or fraud prevention

Support and administrative access may occur from Geodd operational locations, including Sri Lanka, where necessary for support, security, debugging, service operations, billing, legal, and compliance.

Safeguards may include:

  • MFA
  • Role-based access controls
  • Access logging
  • Encryption
  • Confidentiality obligations
  • Staff training
  • Transfer safeguards where applicable

17

International Transfers

Geodd LLC is established in the United States.

For EU customers, API inference is hosted in EU data center infrastructure by default. EU/UK customers may also choose non-EU infrastructure, in which case API requests may be routed outside the EU/UK for inference processing.

Support and administrative access may occur from Geodd operational locations where necessary for support, security, debugging, service operations, billing, legal, compliance, abuse prevention, and fraud prevention.

Where personal data is transferred to or accessed from a country that has not been recognized as providing an adequate level of protection, Geodd uses appropriate transfer safeguards as described in its Data Protection Addendum and International Data Transfers page.

Geodd’s International Data Transfers page is available at: geodd.io/legal/international-data-transfers

18

Subprocessors and Vendors

Geodd may use vendors and subprocessors to provide, secure, support, and operate the Services.

Geodd’s Subprocessor List is available at: geodd.io/legal/subprocessors

The Subprocessor List describes vendors, purposes, categories of data processed, region or processing location information, transfer mechanisms, and notes.

19

Physical Infrastructure Suppliers

Geodd may use third-party suppliers for physical hardware, rack space, power, cooling, connectivity, physical maintenance, and physical security.

Geodd does not treat physical infrastructure suppliers as subprocessors unless they process Customer Personal Data on behalf of Geodd.

Physical infrastructure suppliers are not treated as subprocessors where they do not have logical, administrative, operational, support, storage, backup, monitoring, encryption-key, or readable access to Customer Personal Data, workloads, prompts, outputs, logs, backups, storage, or runtime environments.

Emergency access by physical infrastructure suppliers is limited to physical premises, rack, cabling, power, hardware replacement, cooling, connectivity, and physical security. It does not include logical access to systems, workloads, storage, logs, encryption keys, or Customer Personal Data.

20

Customer Responsibilities

Customers are responsible for:

  • Keeping API keys, credentials, and account access secure
  • Managing user access permissions
  • Selecting appropriate infrastructure regions
  • Maintaining independent backups where Customer controls data, models, workloads, or configurations
  • Ensuring submitted data may lawfully be processed
  • Avoiding unnecessary submission of sensitive or regulated data
  • Reviewing and validating AI outputs before use
  • Configuring Customer-controlled workloads securely
  • Complying with applicable laws, agreements, and Geodd policies

21

Changes to This Page

Geodd may update this Data Handling page from time to time to reflect changes in Services, infrastructure, law, security measures, vendors, or operational practices.

If changes are material, Geodd will provide notice by reasonable means, such as through the website, dashboard, email, or other electronic notice.

The “Last Updated” date shows when this page was last revised.

22

Contact

For privacy questions: [email protected]

For security questions: [email protected]

For support: [email protected]

For legal notices: [email protected]

Geodd LLC

1007 N Orange St., 4th Floor, Suite #1382

United States

Website: geodd.io