Skip to content
Legal

Data Processing Addendum

Last updated

1. Parties and roles

This Data Processing Addendum ("DPA") forms part of the Terms of Service between SquadProxy Ltd. ("Processor") and the Customer identified in the Order Form ("Controller"). Where Customer uses the service to process personal data, Controller is the data controller and SquadProxy is the data processor under UK-GDPR Article 28 and EU-GDPR Article 28.

2. Scope of processing

SquadProxy processes personal data solely for the purpose of providing the service and on the documented instructions of Controller. Processing details:

  • Subject matter: proxy gateway access for AI training-corpus collection, model evaluation, RAG ingestion, and research workloads.
  • Duration: lifetime of the service contract plus metadata retention per our Privacy Policy.
  • Categories of data subjects: end users of target resources accessed by Controller through the service.
  • Categories of personal data: any personal data Controller chooses to transmit via the gateway. SquadProxy does not intercept or store payload data.

3. Sub-processors

Controller authorises SquadProxy to engage the sub-processors listed in our Privacy Policy. We notify Controller of new sub-processors with at least 30 days' notice, giving Controller the right to object.

4. Technical and organisational measures

Encryption in transit (TLS 1.2+), encryption at rest for all billing and account data, access controls, least-privilege principle for engineering access, annual penetration testing.

5. International transfers

Where personal data is transferred outside the UK or EEA, the transfer is protected by the UK IDTA or EU Standard Contractual Clauses as applicable, with supplementary measures appropriate to the destination (Japan adequacy decision, US DPF where certified, etc.).

6. Breach notification

In the event of a personal data breach involving Controller's data, SquadProxy will notify Controller without undue delay and in any case within 48 hours of detection.

7. Data subject rights

SquadProxy will assist Controller, insofar as possible, in responding to data subject requests exercised against Controller under UK-GDPR Articles 15–22 and equivalent provisions in other applicable regimes.

8. Deletion and return

On termination of the service, SquadProxy will delete all personal data under its control within 30 days, save where retention is required by applicable law (UK tax retention, for example).

9. Audit

Once per 12-month period, Controller may request evidence of compliance in the form of our architecture overview and any current third-party attestations. On-site audits are available by mutual arrangement and are typical for Lab and Enterprise customers.

10. AI Act alignment

For Controllers that qualify as providers of general-purpose AI models under Regulation (EU) 2024/1689 (EU AI Act), SquadProxy supports documentation requirements under Article 53 by providing, on request, transit-level logs sufficient to evidence the source infrastructure used for data collection. SquadProxy does not process content and cannot provide copyright-level data provenance; that remains the Controller's obligation.