Skip to content

This template applies between feder8d and any Customer whose use of the platform involves the processing of personal data. It is incorporated into the Terms of Service by reference and survives termination for so long as feder8d processes Customer’s personal data.

1. Definitions

Terms in this DPA align with GDPR (Regulation (EU) 2016/679) and POPIA (Act 4 of 2013). “Customer Personal Data” means personal data Customer or its end users ingest into the feder8d platform.

2. Roles

3. Scope & duration

feder8d processes Customer Personal Data only on documented instructions from Customer for the purpose of providing the Services described in the agreement, for the term of that agreement plus 30 days post-termination for export and deletion.

4. Sub-processors

The current list of sub-processors is at /legal/sub-processors. feder8d will provide 30 days’ notice before adding a new sub-processor. Customer may object on reasonable grounds; if the objection cannot be resolved within 30 days, Customer may terminate the affected Services without penalty.

5. Cross-border transfers

Tenant data is resident in af-south-1. Inference processing happens in eu-central-1. The transfer relies on the Standard Contractual Clauses (Commission Decision 2021/914) for EU-to-third-country transfers and on Section 72 of POPIA for South Africa. Prompts cross the border in encrypted form via Linkerd mTLS and are not logged at the model plane.

6. Security measures

feder8d implements technical and organisational measures including (without limitation):

A full control inventory is available under NDA from security@feder8d.ai.

7. Personnel

Persons processing Customer Personal Data are bound by confidentiality and complete annual security training.

8. Data subject rights

feder8d provides DSAR endpoints (/admin/users/{id}/export, /erase, /data-inventory) in the Tenant API to enable Customer to fulfil its controller obligations. feder8d will assist Customer in responding to data subject requests where Customer cannot itself comply using these endpoints.

9. Breach notification

feder8d notifies Customer without undue delay and in any case within 72 hours of becoming aware of a personal data breach affecting Customer Personal Data, with sufficient information for Customer to meet its own notification obligations under GDPR Art. 33 and POPIA Sec 22.

10. Audits

Customer (or a third-party auditor under NDA) may audit feder8d’s compliance with this DPA once per twelve-month period on 30 days’ notice, during business hours, at Customer’s expense. feder8d will provide the most recent SOC 2 Type II report on request to satisfy audit obligations.

11. Deletion or return

On termination, feder8d will, at Customer’s election, return or delete all Customer Personal Data within 30 days, except where retention is required by law. Special-PI collections are deleted immediately.

12. Liability

Liability under this DPA is subject to the limits in the Terms of Service.

13. Order of precedence

In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of personal data.

Signature

Acceptance is recorded by acceptance of the Terms of Service for SaaS customers, or by signature of the MSA for Dedicated customers. A countersigned PDF is available on request to legal@feder8d.ai.

Annex A — Categories of personal data

Identifiers, contact details, content of customer-managed knowledge bases, end-user prompts and completions (in transit only; not logged at the model plane).

Annex B — Sub-processors

See /legal/sub-processors.

Annex C — Security measures

See section 6 above and the NDA-gated control inventory.

Last updated 2026-06-01T00:00:00.000Z.