ByteSpike

Data Processing Addendum

This DPA forms part of our Terms of Service when you process personal data through ByteSpike on behalf of data subjects under GDPR, UK GDPR, or PIPL. It is signed implicitly when you accept the Terms; enterprise customers may request a counter-signed copy.

Last updated

1. Roles

You are the Controller (or processor of your own customer's data); ByteSpike acts as Processor for the personal data you submit through the service.

2. Documented instructions

ByteSpike processes personal data only on your documented instructions, which include the configurations you set in the Console and the requests you send to the API. We will notify you if an instruction would violate applicable law.

3. Subprocessors

Our active subprocessors: Cloudflare (CDN, edge), Lisahost (compute, US), Stripe (payments). Upstream model providers act as subprocessors only for the requests you direct to them. We notify enterprise customers 30 days before adding or replacing a subprocessor.

4. Security measures

TLS 1.3 in transit; AES-256 at rest for credentials and audit logs; least-privilege access; production access logged and reviewed monthly. SOC 2 Type II audit underway, target completion Q4 2026.

5. Breach notification

ByteSpike will notify Controllers of a confirmed personal data breach affecting their data without undue delay and in any case within 72 hours of confirmation, including the nature, scope, and mitigation measures.

6. International transfers

EU/UK transfers rely on the EU SCCs (Module 2: Controller-to-Processor) and the UK Addendum where applicable. PRC transfers rely on the standard contract issued by the CAC.

7. Deletion and return

Upon termination of the Terms, ByteSpike will delete personal data within 30 days unless retention is required by law. Enterprise customers may request earlier export.