Data Processing Addendum
This Data Processing Addendum ("DPA") supplements the Terms of Service and governs the processing of personal data by clusterbid on behalf of the Customer. It implements GDPR Article 28 and India DPDP obligations under German law.
§1. Definitions
"Controller" means the Customer. "Processor" means clusterbid. "Personal Data" means any information relating to an identified or identifiable natural person processed by clusterbid on behalf of Customer. "Sub-processor" means a third party engaged by clusterbid to process Personal Data on Customer's behalf. "Supervisory Authority" means the data protection authority with jurisdiction over the Controller.
§2. Scope of processing
clusterbid processes Personal Data submitted by Customer through the Services (API inputs, fine-tuning datasets, console activity) solely to provide the Services as described in the Terms of Service. clusterbid does not process Personal Data for its own purposes.
- Subject matter: Provision of inference, fine-tuning, and deployment services.
- Duration: For the term of the Agreement and 30 days after termination (export period).
- Nature and purpose: Computing inference outputs; storing fine-tuning datasets; generating billing metadata.
- Types of Personal Data: As determined by Customer in the course of using the Services.
- Categories of data subjects: As determined by Customer.
§3. Processor obligations
clusterbid agrees to:
- Process Personal Data only on documented instructions from Customer (these Terms and this DPA constitute such instructions).
- Ensure persons authorized to process Personal Data are bound by confidentiality obligations.
- Implement technical and organizational security measures as described in §7.
- Notify Customer without undue delay (and no later than 72 hours) after becoming aware of a Personal Data breach.
- Assist Customer in responding to data subject rights requests.
- Delete or return all Personal Data on termination, at Customer's choice, within 30 days.
- Make available information necessary to demonstrate compliance with GDPR Article 28 obligations.
§4. Sub-processors
Customer grants general authorization for clusterbid to engage the sub-processors listed at clusterbid.eu/security. clusterbid will notify Customer at least 30 days before engaging any new sub-processor. Customer may object within that window by providing written notice to dpo@clusterbid.eu. If the parties cannot resolve the objection, Customer may terminate the affected Services without an early-termination fee.
clusterbid imposes data protection obligations on sub-processors equivalent to those in this DPA and remains liable for sub-processor acts and omissions.
§5. International data transfers
Processing in a region specified by Customer (us, eu, in) is conducted in that region. Cross-border transfers for sub-processors (e.g., Stripe for billing, Postmark for email) are covered by Standard Contractual Clauses (EU Commission Decision 2021/914/EU), Module 3 (processor to processor). A copy of the relevant SCCs is available on request.
§6. India DPDP addendum
For Customers processing data of individuals in India: clusterbid operates as a Data Processor under the Digital Personal Data Protection Act 2023. clusterbid will:
- Process India-resident personal data only within the in · mumbai region unless Customer explicitly selects cross-region.
- Assist Customer in meeting obligations under Chapter II of the DPDP Act.
- Notify Customer of any government request for personal data within 48 hours (where permitted by law).
- Delete data on Customer's instruction or at end of purpose as required by Section 8(7).
§7. Security measures
clusterbid implements the following technical and organizational measures:
- Encryption in transit: TLS 1.3 for all API endpoints.
- Encryption at rest: AES-256-GCM for block and object storage.
- Access controls: role-based access with least-privilege enforcement; MFA required for privileged access.
- Audit logging: all privileged operations logged; logs retained for 1 year.
- Vulnerability management: quarterly penetration testing; critical patches within 48 hours.
- Availability: multi-AZ infrastructure per region; disaster recovery tested quarterly.
§8. Breach notification
In the event of a Personal Data breach, clusterbid will notify Customer without undue delay and in any case within 72 hours of becoming aware of the breach. Notification will include: the nature of the breach; the categories and approximate number of data subjects and records affected; the likely consequences; measures taken or proposed to address the breach.
§9. Audit rights
clusterbid will make available information to demonstrate compliance with this DPA and, upon 30 days written notice, contribute to audits conducted by Customer or a mandated auditor (at Customer's expense). Customer agrees to conduct no more than one audit per 12-month period and to treat audit findings as confidential.
§10. Governing law
This DPA is governed by the laws of the Federal Republic of Germany, consistent with the Terms of Service, subject to the mandatory application of GDPR for EU/EEA matters and the DPDP Act for India matters. The exclusive place of jurisdiction for disputes under this DPA is Frankfurt am Main, Germany.
To execute this DPA, email dpo@clusterbid.eu with your organization name and the legal signatory's contact details. We return a countersigned copy within two business days.
Related documents: Terms of Service · Privacy Policy · Acceptable Use Policy · Sub-processor table