Geodd designs its Services to minimize customer data exposure, limit unnecessary access, and protect systems used to provide AI infrastructure services.
Geodd’s Services include:
For AI model API services, Geodd processes prompts, inputs, outputs, request bodies, and response bodies transiently to provide the requested inference response. Unless separately agreed in writing, Geodd does not store API prompts, API inputs, API outputs, completions, API request bodies, API response bodies, uploaded files, embeddings, customer datasets, or fine-tuning data.
Geodd does not use API data for model training and does not conduct human review of prompts or outputs by default.
Geodd applies data minimization principles to reduce the amount of Customer Personal Data stored or retained.
For AI model API services, Geodd’s default handling is:

| Data Type | Default Handling |
|---|---|
| API prompts / inputs | Not stored |
| API outputs / completions | Not stored |
| API request bodies | Not stored |
| API response bodies | Not stored |
| Uploaded files | Not supported / not stored unless separately agreed |
| Embeddings | Not stored unless separately agreed |
| Customer datasets | Not stored unless separately agreed |
| Fine-tuning data | Not supported unless separately agreed |
| API data used for training | No |
| Human review of prompts / outputs | No, by default |
| API payload caching | No |

Geodd may retain limited metadata for billing, usage measurement, security, troubleshooting, service operation, fraud prevention, legal, and compliance purposes.
Limited metadata may include:
Geodd uses encryption measures designed to protect data in transit and at rest.
Security measures include:
Customer API keys are the responsibility of the Customer. Geodd does not store the full API key. Geodd stores only a hash of the API key for authentication and security purposes.
Geodd uses authentication and access control measures to limit access to systems and data.
Security measures include:
Access to systems is limited to authorized personnel who need access for support, security, debugging, service operations, billing, legal, compliance, or other legitimate operational purposes.
Geodd uses network and infrastructure controls designed to protect the Services and reduce unauthorized access risks.
Security measures may include:
For Dedicated Inferencing, customer isolation may be provided through dedicated endpoints or other technical controls.
For Dedicated GPU and Bare Metal Infrastructure, security responsibilities may depend on the service configuration and whether Geodd or the Customer controls the relevant applications, workloads, credentials, datasets, models, and access permissions.
Geodd supports customer isolation through dedicated endpoints where applicable.
For Dedicated Inferencing, Geodd may provision dedicated AI model endpoint infrastructure for Customer’s inference workloads.
For Dedicated GPU and Bare Metal Infrastructure, Customer may receive dedicated infrastructure for its workloads. Where Customer controls applications, models, datasets, credentials, or access permissions on that infrastructure, Customer is responsible for configuring and securing those components appropriately.
Geodd uses logging and monitoring to support security, troubleshooting, service operation, billing, compliance, and abuse prevention.
Logging and monitoring measures may include:
Geodd does not store API request bodies or API response bodies by default.
Geodd maintains vulnerability management processes designed to identify and address security risks.
Measures may include:
Geodd may update its vulnerability management practices over time as the Services, infrastructure, and risk environment evolve.
Geodd maintains an incident response process to assess, manage, and respond to security incidents.
Measures may include:
For Personal Data Breaches affecting Customer Personal Data, Geodd will notify Customer without undue delay and, where feasible, within 72 hours after becoming aware of the breach, as described in Geodd’s Data Processing Agreement.
Security contact: [email protected].
Geodd uses backups for relevant user and usage data where applicable.
Backup and retention measures include:
API prompts, API inputs, API outputs, request bodies, and response bodies are not stored by default and therefore are not available for export, correction, or deletion after processing.
Geodd applies personnel security measures to limit unnecessary access to Customer Personal Data and operational systems.
Measures include:
Personnel access is limited to what is necessary for support, security, debugging, service operations, billing, legal, compliance, and related operational needs.
Support and administrative access may occur where necessary for:
Support/admin access may occur from operational locations used by Geodd, including Sri Lanka, where necessary for support, security, debugging, service operations, billing, legal, and compliance.
Safeguards include:
Geodd uses vendors and subprocessors to support the Services.
Geodd is implementing a vendor and subprocessor review process that may include review of:
Geodd’s Subprocessor List is available at: geodd.io/legal/subprocessors.
Geodd may use third-party suppliers for physical hardware, rack space, power, cooling, connectivity, physical maintenance, and physical security.
Geodd does not treat physical infrastructure suppliers as subprocessors unless they process Customer Personal Data on behalf of Geodd.
Physical infrastructure suppliers are not treated as subprocessors where they do not have logical, administrative, operational, support, storage, backup, monitoring, encryption-key, or readable access to Customer Personal Data, workloads, prompts, outputs, logs, backups, storage, or runtime environments.
Emergency access by physical infrastructure suppliers is limited to physical premises, rack, cabling, power, hardware replacement, cooling, connectivity, and physical security. It does not include logical access to systems, workloads, storage, logs, encryption keys, or Customer Personal Data.
Geodd LLC is established in the United States.
For EU customers, API inference is hosted in EU data center infrastructure by default. EU/UK customers may also choose non-EU infrastructure, in which case API requests may be routed outside the EU/UK for inference processing.
Where Customer Personal Data is transferred to or accessed from a country that has not been recognized as providing an adequate level of protection, Geodd uses transfer safeguards as described in its Data Processing Agreement.
These may include:
Supplementary measures may include TLS encryption in transit, encryption at rest where applicable, API key hash storage, role-based access controls, MFA for administrative access, firewalls and WAF, private networks where applicable, customer isolation through dedicated endpoints, access logging, vulnerability management, incident response processes, staff confidentiality obligations, and access limited based on job role and operational need.
Security is a shared responsibility between Geodd and Customer.
Customer is responsible for:
Where Customer uses Dedicated GPU or Bare Metal Infrastructure, Customer may have additional responsibilities depending on the level of control Customer has over workloads, applications, models, data, credentials, and access permissions.
Geodd may update its security measures over time as the Services, infrastructure, and security environment evolve.
Geodd will not materially reduce the overall level of protection for Customer Personal Data during the term of the applicable Agreement.
For security questions, contact: [email protected]
For privacy questions or data protection requests, contact: [email protected]