Last updated: January 1, 2025
This Data Processing Agreement ("DPA") forms part of the Respan Terms of Use and applies where Respan, Inc. processes personal data on behalf of a customer ("Controller") in the course of providing the Service. This DPA is intended to satisfy the requirements of Article 28 of the General Data Protection Regulation ("GDPR") and equivalent provisions under applicable data protection laws.
"Personal Data", "Data Subject", "Processing", "Controller", and "Processor" have the meanings given in the GDPR. "Sub-processor" means any third party engaged by Respan to process Personal Data in connection with the Service. "Standard Contractual Clauses" or "SCCs" means the clauses approved by the European Commission for the transfer of personal data to third countries.
Subject matter: Provision of the Respan LLM engineering platform.
Duration: For the term of the service agreement.
Nature and purpose: Processing of LLM request/response data, user behavior data, and operational metadata to provide observability, evaluation, and management features.
Categories of data: May include end-user interactions, prompt inputs/outputs, user identifiers, and related metadata.
Data subjects: End users of the Controller's AI applications.
Respan shall: (a) process personal data only on documented instructions from the Controller; (b) ensure persons authorized to process data are committed to confidentiality; (c) implement appropriate technical and organizational security measures per Article 32 GDPR; (d) assist the Controller with Data Subject rights requests; (e) delete or return all personal data after the end of service provision; (f) make available all information necessary to demonstrate compliance; and (g) allow and contribute to audits.
Respan may engage sub-processors to assist in providing the Service. A current list of sub-processors is available at respan.ai/sub-processors. Respan shall give the Controller at least 14 days' prior notice of any intended changes to sub-processors. If the Controller objects on reasonable grounds, the parties shall work in good faith to resolve the issue.
Where processing involves transfers of personal data to countries outside the EEA, UK, or Switzerland, Respan shall ensure adequate safeguards are in place, including by entering into Standard Contractual Clauses. SCCs are available upon request at privacy@respan.ai.
Respan implements technical and organizational measures including: TLS 1.2+ encryption in transit; AES-256 encryption at rest; access controls and least-privilege principles; regular penetration testing and security audits; SOC 2 Type II certification; and incident response procedures. Detailed security documentation is available in our Trust Center.
Respan shall assist the Controller in responding to Data Subject requests (access, rectification, erasure, restriction, portability, objection) within the timeframes required by applicable law. Controllers can exercise these rights through the platform settings or by contacting privacy@respan.ai.
For DPA-related inquiries or to request a signed DPA, contact privacy@respan.ai.