Data Processing Agreement
Last Updated: January 18, 2026
Version 1.0 | This DPA forms part of your agreement with Costbase
1. Introduction
This Data Processing Agreement ("DPA") is entered into between you ("Customer", "Data Controller") and Costbase ("Processor", "we", "us") and forms part of your agreement to use our LLM gateway services.
This DPA applies when Costbase processes Personal Data on your behalf in connection with providing our services. It reflects the requirements of the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.
By using our services, you agree to this DPA. If you are accepting on behalf of your employer or another entity, you represent that you have full legal authority to bind that entity to this DPA.
2. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person that Costbase processes on your behalf.
"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
"Sub-processor" means any third party engaged by Costbase to process Personal Data on your behalf.
"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
3. Roles and Responsibilities
3.1 Customer as Data Controller
You are the Data Controller and determine the purposes and means of processing Personal Data. You are responsible for:
- Ensuring you have a lawful basis to process Personal Data
- Providing appropriate notices to Data Subjects
- Obtaining necessary consents where required
- Responding to Data Subject requests
- Ensuring the accuracy of Personal Data
3.2 Costbase as Data Processor
Costbase acts as a Data Processor and processes Personal Data only on your documented instructions. We are responsible for:
- Processing Personal Data only as instructed by you
- Ensuring personnel are bound by confidentiality obligations
- Implementing appropriate security measures
- Assisting you with Data Subject requests
- Notifying you of Security Incidents
- Deleting or returning Personal Data upon termination
4. Data Processing Details
4.1 Categories of Personal Data
The Personal Data processed may include:
- Request Content: Prompts and completions sent through our gateway that may contain personal information about your end users
- Request Metadata: IP addresses, timestamps, model selections, token counts
- Account Data: Email addresses, names, organization details of your team members
4.2 Categories of Data Subjects
Data Subjects may include your employees, contractors, customers, and end users whose data is contained in prompts or completions processed through our gateway.
4.3 Purpose of Processing
Costbase processes Personal Data solely to provide our LLM gateway services, including:
- Routing requests to LLM providers using your API keys
- Semantic caching to improve performance and reduce costs
- Generating usage analytics and cost reports
- Detecting PII/PHI when guardrails are enabled
- Enforcing rate limits and budget controls
4.4 Duration of Processing
Processing continues for the duration of your use of our services. Upon termination, we will delete Personal Data in accordance with Section 10.
5. Data Retention Periods
We retain different categories of data for specific periods:
| Data Type | Retention Period |
|---|---|
| Semantic cache (prompts/responses) | Configurable TTL (default: 1 hour) |
| Request logs (metadata only by default) | Tier-based: Free (3 days), Pro (30 days), Team (90 days), Enterprise (365 days) |
| Account and organization data | Duration of account + 30 days |
| Billing records | 7 years (legal requirement) |
| Encrypted backups | 30 days after deletion |
Note: You can configure log visibility settings to store metadata only (no prompt/response content), use trimmed logs, or apply automatic PII masking.
6. Security Measures
Costbase implements appropriate technical and organizational measures to protect Personal Data, including:
6.1 Technical Measures
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for sensitive data at rest (API keys, MFA secrets)
- Network isolation and firewall protection
- Regular security audits and vulnerability scanning
- Automated monitoring and intrusion detection
- Multi-factor authentication support
6.2 Organizational Measures
- Access controls based on principle of least privilege
- Confidentiality agreements with all personnel
- Security awareness training for staff
- Incident response procedures
- Regular review of security policies
7. Sub-processors
You authorize Costbase to engage the following Sub-processors (the Cloud Infrastructure Provider and LLM Provider rows describe categories; the specific providers used depend on the configuration you select):
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloud Infrastructure Provider (AWS/GCP) | Hosting and infrastructure | United States |
| Polar.sh | Payment processing | United States |
| Google Analytics | Console usage analytics | United States |
| LLM Providers (OpenAI, Anthropic, etc.) | Request routing (using your keys) | United States |
We will notify you of any intended changes to Sub-processors at least 30 days in advance, giving you the opportunity to object. We ensure all Sub-processors are bound by data protection obligations no less protective than those in this DPA.
Important: When you route requests through our gateway, your prompts are sent to the LLM provider you configure (or select via auto-routing). These providers process data according to their own privacy policies and terms.
8. Data Subject Rights
Costbase will assist you in responding to Data Subject requests to exercise their rights under applicable law, including:
- Right of access to Personal Data
- Right to rectification of inaccurate data
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to processing
Response Timeframe: We will respond to your assistance requests within 10 business days.
If we receive a request directly from a Data Subject, we will promptly notify you unless legally prohibited from doing so.
9. Security Incident Notification
In the event of a Security Incident affecting your Personal Data, Costbase will:
- Notify you within 72 hours of becoming aware of the incident
- Provide details of the nature of the incident, categories and volume of data affected
- Describe likely consequences and measures taken to address the incident
- Cooperate with your investigation and regulatory notification obligations
- Document the incident and remediation steps taken
You can report security concerns or suspected incidents to: security@costbase.ai
10. Data Deletion and Return
Upon termination of your use of our services, or upon your written request, Costbase will:
- Delete all Personal Data within 30 days, except where retention is required by law
- Provide written confirmation of deletion upon request
- Ensure Sub-processors delete their copies of Personal Data
You may export your data (usage logs, analytics) through the console before account closure.
11. International Data Transfers
Costbase is based in the United States. When we transfer Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on:
- Standard Contractual Clauses (SCCs): EU Commission-approved clauses for controller-to-processor transfers
- UK Addendum: For transfers from the United Kingdom
- Swiss Federal Act on Data Protection (FADP) requirements: For transfers from Switzerland
We implement supplementary measures (encryption, access controls, data minimization) to ensure adequate protection for transferred data.
12. Audits and Compliance
Costbase will make available information necessary to demonstrate compliance with this DPA. Upon reasonable written request (no more than once per year), we will:
- Provide relevant audit reports, certifications, or attestations
- Answer written questions about our data protection practices
- Allow audits by you or a mutually agreed third-party auditor, subject to reasonable confidentiality terms and advance notice
Audit requests should be sent to: contact@costbase.ai
13. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations of liability set forth in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of data protection law where such limitation would not be permitted by applicable law.
14. General Provisions
14.1 Governing Law
This DPA is governed by the laws of the State of Delaware, United States, without regard to conflict of laws principles. For customers in the EEA, this does not affect the applicability of mandatory provisions of GDPR.
14.2 Updates to this DPA
We may update this DPA to reflect changes in law or our practices. Material changes will be communicated via email at least 30 days in advance.
14.3 Conflict
In case of conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.
15. Contact Information
For questions about this DPA or to exercise your rights, contact us:
Data Protection Inquiries: contact@costbase.ai
Security Issues: security@costbase.ai
General Contact: contact@costbase.ai