This Data Processing Agreement applies to all business customers who use GetMoreToken within their own applications and thereby process personal data of third parties (e.g. their end customers). By accepting the Terms of Service you also enter into this DPA.
1. Subject matter and duration
Processing of personal data to the extent necessary to perform the services described in §2 of the Terms. Term: for the duration of the main contract (account usage).
2. Nature and purpose of processing
Transmission, storage, evaluation and forwarding of input and output data to the AI models selected by the customer. Authentication, billing, abuse detection.
3. Type of data and categories of data subjects
- Data: input texts (prompts), generated outputs, metadata (token counts, latencies, timestamps).
- Categories of data subjects: end customers, employees or users of the customer’s applications interacting with the API.
4. Obligations of the processor
- Processing only on the documented instructions of the customer (via the API calls themselves).
- Confidentiality obligation of all staff with data access.
- Implementation of technical and organisational measures under Art. 32 GDPR (see §6).
- Assistance to the customer in responding to data subject requests and meeting notification obligations (Art. 33/34 GDPR).
- Reporting of personal data breaches without undue delay, at the latest within 72 hours of becoming aware.
- Deletion or return of all personal data after the end of the contract, subject to statutory retention obligations.
5. Sub-processors
The processor uses the following sub-processors:
- Vercel Inc. — hosting/CDN, EU region (Frankfurt). DPA: vercel.com/legal/dpa.
- Neon Inc. — database (PostgreSQL), EU region. DPA: neon.tech/dpa.
- Stripe Payments Europe Ltd. — payment processing, Ireland. DPA: stripe.com/legal/dpa.
- Resend — transactional emails, EU region. DPA: resend.com/legal/dpa.
- AI model providers (selected by customer): OpenAI, Anthropic, Google, xAI, Meta, Mistral, DeepSeek and others — the DPA of each respective provider applies.
Addition or replacement of a sub-processor will be announced at least 14 days in advance by email. The customer has a right to object; in case of objection both parties may extraordinarily terminate.
6. Technical and organisational measures (TOMs)
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Authentication via session cookies or bearer tokens (API), bcrypt password hashing.
- Pseudonymisation of usage logs (customer ID instead of plain-text name).
- Strict separation of production and test environments.
- Need-to-know access control, documented roles and permissions.
- Regular automated backups, tested restore procedures.
- Logging and monitoring of security-relevant events.
7. Customer audit rights
The customer can verify compliance with these TOMs, typically by obtaining written information and audit reports from our sub-processors. On-site audits are possible upon prior coordination and subject to confidentiality.
8. Third-country transfers
For transfers to sub-processors or model providers located outside the EU/EEA (e.g. the United States), Standard Contractual Clauses (Art. 46(2)(c) GDPR) and, where applicable, the EU-US Data Privacy Framework serve as the transfer basis.
9. Signed paper version
This online version is legally binding. A signable version (PDF) is available to business customers on request at dpa@getmorecredits.com.