Edgee Data Processing Addendum (DPA)

This is Edgee's standard Data Processing Addendum (DPA) for the Edgee Agent Gateway, and applies by default to all customers who use Edgee as a data processor. A signed version can be made available upon request.

1. Definitions

• Customer: The legal entity that has entered into an agreement with Edgee for the provision of the Services.
• Edgee: Edgee Cloud SAS, a French company registered at 9 rue des Colonnes, 75002 Paris, France, and its U.S. entity Edgee Corporation, a Delaware corporation located at 838 Walker Road, Suite 21-2, Dover, Delaware 19904, United States.
• Data Protection Laws: All applicable data protection and privacy legislation, including the EU GDPR, UK GDPR, CCPA/CPRA, LGPD, and PIPEDA.
• Authorized User: An individual authorized by the Customer to access, configure, or operate the Edgee Agent Gateway on the Customer's behalf (e.g., developers, engineers, administrators).
• Services: The Edgee Agent Gateway, an LLM gateway providing routing, observability, reliability, token compression, and related features for AI/LLM applications, together with any related cloud or enterprise offering provided by Edgee.
• LLM Provider: A third-party provider of large language model or other AI inference services (e.g., Anthropic, OpenAI, Google, Mistral) to which the Gateway routes requests according to the Customer's configuration.
• Prompt Data: Input content (including messages, system prompts, tool definitions, and attached context) sent by the Customer or its Authorized Users, or by an application operated by the Customer, through the Gateway to an LLM Provider.
• Completion Data: Output content returned by an LLM Provider through the Gateway in response to Prompt Data.
• Subprocessor: Any third-party processor engaged by Edgee to support the delivery of the Services, including infrastructure providers and LLM Providers selected by the Customer through Gateway configuration.

2. Scope of the Addendum

This DPA applies when Edgee processes personal data on behalf of the Customer in the course of providing the Edgee Agent Gateway. It supplements the main service agreement between Edgee and the Customer and forms an integral part of it.

3. Roles and Responsibilities

• Customer acts as the Data Controller.
• Edgee acts as the Data Processor.

The Customer determines the purposes and means of processing personal data, including which LLM Providers are used and what content is submitted through the Gateway. Edgee processes data only on documented instructions from the Customer, including via the configuration the Customer establishes within the Services.

4. Categories of Data and Data Subjects

Edgee is an LLM gateway. It transmits, routes, and operates on traffic that the Customer chooses to send through it. Edgee does not actively collect, identify, profile, or track natural persons. The categories below describe the data Edgee handles in the course of operating the Services.

4.1 Data Subjects

Edgee directly processes personal data relating to:

• The Customer's Authorized Users (e.g., developers, engineers, administrators) who configure, operate, or otherwise access the Gateway.

In addition, Prompt Data and Completion Data transmitted through the Gateway at the Customer's discretion may incidentally contain personal data relating to other natural persons (for example, individuals referenced in a prompt by an Authorized User or by an application operated by the Customer). Edgee does not identify, segment, or track such individuals as data subjects, and treats this content as opaque payload. The Customer is solely responsible for the content of Prompts submitted through the Gateway and for the lawful basis applicable to any personal data contained therein.

4.2 Categories of Data

• Account and Authorized User data (e.g., name, business email, role, authentication credentials used to access the Gateway).
• Customer-provided credentials (e.g., API keys and tokens used by the Gateway to address LLM Providers on the Customer's behalf).
• Prompt Data and Completion Data transmitted through the Gateway, treated as opaque payload. These are processed in-memory only and are not stored by Edgee, except when the Customer expressly enables debug mode for a given request, project, or environment. Debug mode is disabled by default. See Section 12 for the corresponding retention.
• Request identifiers and session identifiers generated or supplied by the Customer for routing, debugging, and observability purposes.
• Usage and operational metadata (e.g., token counts, model used, latency, timestamps, request/response sizes, error codes, retry and fallback events).
• Network and client metadata (e.g., source IP address with optional truncation, user agent or client identifiers, source application identifiers).
• Configuration data (e.g., routing rules, compression settings, fallback policies, rate-limit policies, observability settings).

Edgee does not require, and does not actively collect, sensitive personal data. The Customer is solely responsible for the content of Prompts submitted through the Gateway, including any sensitive data they may contain, and for ensuring such content is appropriate for the LLM Providers selected.

5. Processing Activities

Edgee processes personal data solely to:

• Route LLM requests to the LLM Providers designated by the Customer's configuration.
• Apply token compression and prompt optimization features when enabled by the Customer.
• Provide observability, logging, analytics, and usage reporting on the Customer's traffic, based on operational metadata only (see Section 4.2).
• Enforce reliability features (e.g., retries, fallbacks, failover, rate limiting, circuit breakers).
• Where the Customer expressly enables debug mode (disabled by default), temporarily store the content of debugged Prompts and Completions so that Authorized Users may inspect them within the Edgee console.
• Operate, secure, and troubleshoot the Services, including incident response and abuse prevention.

Edgee does not:

• Use Prompt Data, Completion Data, or usage metadata to train, fine-tune, or evaluate any AI or machine learning models.
• Use personal data for marketing, advertising, or profiling.
• Sell personal data, or share personal data with parties other than the LLM Providers and infrastructure Subprocessors required to deliver the Services.
• Retain Prompt Data or Completion Data beyond what is strictly necessary to deliver the requested feature, in accordance with the retention windows defined in Section 12.

6. Subprocessing

Edgee uses the following categories of Subprocessors to deliver the Services:

6.1 Infrastructure Subprocessors

• Amazon Web Services (AWS) – Hosting and compute services.
• Google Cloud Platform – Hosting and storage.
• Fastly – Edge delivery infrastructure.
• Vercel – Web deployment and frontend delivery.
• Clickhouse – Analytics-oriented database.

6.2 LLM Provider Subprocessors

LLM Providers act as Subprocessors when the Customer configures the Gateway to route requests to them. The selection of LLM Providers is controlled by the Customer. Common LLM Providers include, without limitation:

• Anthropic PBC.
• OpenAI, LLC.
• Google LLC (including Vertex AI and Gemini).
• Mistral AI.
• Other LLM Providers as configured by the Customer.

The Customer acknowledges that when routing requests to an LLM Provider, Prompt Data and Completion Data are transmitted to that provider and further processed according to that provider's own data processing terms. The Customer is responsible for reviewing and accepting those terms.

6.3 General Subprocessor Obligations

Edgee imposes data protection obligations on all Subprocessors via written contracts that are no less protective than this DPA. Edgee remains liable for its Subprocessors in accordance with Article 28 of the GDPR. Customers may request the up-to-date list of Subprocessors at any time via the Edgee Trust Center.

6.4 Changes to Subprocessors

Edgee maintains the current list of Subprocessors via the Edgee Trust Center. Edgee will give the Customer at least thirty (30) days' prior notice of the addition or replacement of any Subprocessor that processes personal data, by updating the Trust Center list and, where the Customer has subscribed to notifications, by electronic notice. The Customer may object to a new Subprocessor on reasonable, documented data protection grounds within the notice period. The Parties will work in good faith to resolve the objection; if no resolution is reached, the Customer may terminate the affected Services as its exclusive remedy, without penalty, for the portion of the Services that cannot be provided without the objected-to Subprocessor. Changes to LLM Provider Subprocessors are controlled by the Customer through Gateway configuration and are not subject to this notice requirement.

7. Data Transfers

• Operational data (logs, usage metadata, configuration) is processed and stored in the European Union by default.
• Where transfers outside the EU/EEA occur, in particular when the Customer routes traffic to LLM Providers or uses infrastructure regions located outside the EU/EEA, Edgee relies on:
  • Standard Contractual Clauses (SCCs): where Edgee processes personal data subject to EU or UK Data Protection Laws and transfers it to a country without an adequacy decision, the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (controller-to-processor) where the Customer is a controller, or Module Three (processor-to-processor) where the Customer is itself a processor, are hereby incorporated into this DPA by reference and deemed completed with the Parties' identities, the details set out in Sections 4 to 12, and the governing law and jurisdiction of the principal agreement, to the extent compatible. For transfers subject to the UK GDPR, the UK International Data Transfer Addendum applies. The completed clauses are available upon request;
  • Adequacy decisions of the European Commission, including the EU-U.S. Data Privacy Framework where applicable;
  • Technical safeguards, including encryption in transit and at rest, and tenant isolation.

The Customer is responsible for selecting LLM Providers and infrastructure regions that comply with the Customer's own data transfer obligations. For further information, refer to the Edgee Trust Center.

8. Security Measures

Edgee maintains a security program aligned with industry best practices and SOC 2 Type II requirements. Measures include:

• TLS 1.2 or higher for data in transit; AES-256 for data at rest.
• Role-based access control, least-privilege principles, and audit logging of administrative actions.
• Isolated tenant processing.
• Secure storage and isolation of Customer-provided API keys and credentials, with encryption at rest and in transit.
• No storage of Prompt Data or Completion Data by default; storage occurs only when the Customer expressly enables debug mode, and is subject to the retention defined in Section 12.
• Regular vulnerability testing, dependency scanning, and incident response procedures.

Full documentation is available via the Edgee Trust Center.

9. Personnel Confidentiality

Edgee ensures that any personnel authorized to process personal data on the Customer's behalf are bound by appropriate obligations of confidentiality, whether contractual or statutory, and are granted access to personal data only on a need-to-know basis to the extent required to perform the Services. Edgee provides appropriate data protection and security training to such personnel.

10. Data Subject Rights

The Customer, as Data Controller, is responsible for responding to data subject requests received from natural persons whose personal data it processes through the Services.

Given the nature of the Gateway, Edgee generally cannot identify the individuals whose personal data may be incidentally contained in Prompt Data or Completion Data. Where Edgee receives a request that it can reasonably attribute to a Customer (for example, a request from an Authorized User of that Customer), Edgee will forward the request to the Customer for response and will, where reasonably required, assist the Customer in fulfilling its obligations under applicable Data Protection Laws.

11. Personal Data Breach Notification

Edgee will notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a personal data breach affecting personal data processed on the Customer's behalf. The notification will describe, to the extent known and as information becomes available, the nature of the breach, the categories and approximate volume of data and data subjects concerned, the likely consequences, and the measures taken or proposed to address it and mitigate its effects. Edgee will provide reasonable assistance to the Customer in connection with the Customer's own breach notification and documentation obligations under applicable Data Protection Laws. Edgee's notification is not an acknowledgment of fault or liability.

12. Data Retention

• Prompt Data and Completion Data (default): not stored by Edgee. Such content is processed in-memory only for the time strictly necessary to route the request to the selected LLM Provider and return the Completion to the Customer.
• Prompt Data and Completion Data (debug mode enabled by the Customer): where the Customer expressly enables debug mode, the content of debugged requests is stored so that the Customer's Authorized Users may inspect it within the Edgee console. Such content is retained for up to 30 days, after which it is automatically deleted. Debug mode is disabled by default and may be enabled or disabled at any time by the Customer via the Gateway configuration.
• Usage and operational metadata (e.g., token counts, latency, model used, request identifiers, error codes): retained for up to 25 months.

13. Data Portability and Export

During the term of the Services, and upon written request, Edgee shall provide the Customer with access to its processed personal data in a structured, commonly used, and machine-readable format. This includes any data processed on behalf of the Customer that has not been deleted in accordance with Section 12 (Data Retention).

Upon termination or expiration of the Services, the Customer shall have a window of at least 30 days to request export of such data prior to deletion, unless longer retention is mandated by applicable law.

Edgee shall provide reasonable assistance and available tools to facilitate the secure export or migration of data upon termination, subject to the Customer's written instructions and any applicable fees outlined in the Master Service Agreement or Service Order.

14. Termination and Deletion

Upon termination of the Services, Edgee will delete or return personal data to the Customer, unless required to retain it by applicable law. Deletion is subject to the export window set out in Section 13, after which Edgee will delete the personal data. Backup copies will be deleted in accordance with Edgee's standard backup retention schedule.

15. Audit and Assistance

Edgee will make available relevant documentation, including its most recent SOC 2 report (where available) and security questionnaires, and will allow for audits upon reasonable notice to demonstrate compliance with this DPA and applicable Data Protection Laws. Audits shall be conducted during business hours, with a frequency proportionate to the risk involved, and subject to reasonable confidentiality protections.

16. Liability and Indemnity

Each party's liability is governed by the main service agreement. Edgee shall be liable for its Subprocessors in accordance with Article 28 of the GDPR.

17. Governing Law and Jurisdiction

This DPA shall be governed by the same law and jurisdiction as the principal agreement between the Customer and Edgee.

18. Contact

Questions about this DPA can be directed to: