Data Processing Agreement
Curate-Me AI, Inc. ("Curate-Me", "we", "our", or "us") offers a Data Processing Agreement (DPA) to customers who require formal data processing terms under GDPR Article 28 or other applicable data protection regulations. The DPA governs how we process personal data on your behalf when you use our AI Gateway, managed runners, and observability platform.
Request a DPA
A signed DPA is available on request for all paid-plan customers. Enterprise customers receive a DPA as part of their contract. To request a copy, contact us at:
Curate-Me AI, Inc.
Email: hello@curate-me.ai
Include your organization name, plan tier, and any specific regulatory requirements. We typically respond within 2 business days.
What the DPA Covers
Our DPA addresses the requirements of GDPR Article 28 and covers the following areas:
- Scope and purpose of data processing
- Categories of personal data and data subjects
- Obligations of the processor (Curate-Me) and the controller (you)
- Technical and organizational security measures
- Sub-processor management and notification obligations
- Cross-border data transfer mechanisms (Standard Contractual Clauses)
- Data subject rights assistance
- Data breach notification procedures
- Audit rights
- Data return and deletion on termination
Our Data Processing Commitments
Regardless of whether a signed DPA is in place, we uphold the following commitments for all customers:
Encryption at Rest and in Transit
All customer data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. API keys are stored using bcrypt hashing; plaintext keys are shown once at creation and never retained.
No Training on Customer Data
We do not use your prompts, completions, or any other customer data to train models. Request metadata (model, token count, cost) is stored for the audit trail. Storage of prompt and response content is configurable per organization and can be disabled.
Configurable Data Retention
Retention periods are configurable per plan: 7 days (Free), 30 days (Starter), 90 days (Growth), and 1 year or more (Enterprise). You can request shorter retention at any time.
Deletion on Request
You may request full deletion of your data at any time. We will confirm receipt within 2 business days and complete deletion within 30 calendar days, subject only to legal retention obligations.
Sub-Processor Transparency
We maintain a public list of sub-processors and will notify you of any changes. Our primary infrastructure is hosted in Hetzner data centers in Germany (EU). You may object to new sub-processors.
Data Portability
Export all your data at any time via the dashboard, API, or CLI in structured, machine-readable formats (JSON, CSV). No vendor lock-in.
Infrastructure and Data Residency
Our primary infrastructure is hosted in Hetzner data centers in Germany (EU). For EU customers, all data processing can occur entirely within the European Union. Where data is transferred outside the EU (for example, to US-based sub-processors like Stripe for payment processing), we rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Hetzner | Compute, storage, networking | Germany (EU) |
| Stripe | Payment processing | USA (SCCs in place) |
| LLM Providers | Upstream API proxying (pass-through only) | Various |
A complete sub-processor list is maintained in our Privacy Policy.
Related Documents
- Privacy Policy — How we collect, use, and protect your data
- Terms of Service — General terms governing your use of the platform
- Security — Technical and organizational security measures
- Service Level Agreement — Uptime commitments and service credits