Data Processing Agreement

Last updated: March 2026

1. Definitions

"Controller" means the entity that determines the purposes and means of processing Personal Data. "Processor" means TokenHub, which processes Personal Data on behalf of the Controller. "Personal Data", "Processing", and "Data Subject" have the meanings given in the GDPR (Regulation (EU) 2016/679).

2. Scope of Processing

TokenHub processes data solely to provide the API proxy service. This includes routing API requests to upstream model providers, managing authentication tokens, and recording usage metrics for billing. We do not process data for any other purpose.

3. Data Retention & Deletion

API request and response payloads are not stored. They are proxied in real time and discarded immediately after delivery. Account metadata (email, API key hashes, usage counts) is retained for the duration of the account and deleted within 30 days of account closure upon request.

4. Security Measures

TokenHub implements appropriate technical and organizational measures to protect Personal Data, including: encryption in transit (TLS 1.3) and at rest (AES-256), access controls with role-based permissions, regular security audits, and incident response procedures. See our Security page for details.

5. Sub-Processors

TokenHub uses the following categories of sub-processors: cloud infrastructure providers (Cloudflare) for hosting and edge compute, upstream AI model providers (as selected by the Controller per API request), and payment processors for billing. A current list of sub-processors is available upon request.

6. Data Subject Rights

TokenHub will assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection) to the extent technically feasible. Requests should be directed to the Controller, who may contact TokenHub for assistance.

7. International Transfers

Where Personal Data is transferred outside the EEA, TokenHub ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission.

8. Breach Notification

In the event of a Personal Data breach, TokenHub will notify the Controller without undue delay and no later than 48 hours after becoming aware of the breach, providing sufficient detail to allow the Controller to meet its obligations under applicable data protection law.

9. Contact

For questions about this DPA or to request a signed copy, please contact us via our contact page.