Last updated: May 2026
EUrouter B.V. (“Processor”) provides an AI model routing API that Processes requests on behalf of the Customer (“Controller”) through European infrastructure (“Services”). This Data Processing Agreement (“DPA”) governs the Processing of any Personal Data in the context of the Services.
This DPA forms an integral part of the agreement entered into between the Controller and Processor, consisting of EUrouter’s Order Form, Processor’s General Terms and Conditions (available via https://www.eurouter.ai/terms), and this DPA (together “Agreement”). In the event of a conflict between this DPA and any other part of the Agreement, this DPA shall prevail with respect to the Processing of Personal Data.
Capitalised terms used in this DPA, such as “Controller”, “Processor”, “Personal Data”, “Processing”, “Data Subject” and “Supervisory Authority”, shall have the meaning ascribed to them in the General Terms and Conditions or the GDPR and any applicable national implementation legislation of the GDPR (together “Privacy Legislation”), unless otherwise defined in this DPA.
1. Applicability
- Unless the Parties have agreed otherwise in writing, the provisions of this DPA shall apply to any Processing by the Processor pursuant to the General Terms and Conditions.
- The Processor shall Process Personal Data on behalf of the Controller, in accordance with the Controller’s written instructions and under the Controller’s responsibility and in the manner set out in this DPA. For the purposes of this DPA, written instructions may also include instructions provided through the Controller’s configuration of the Services, including API settings and dashboard preferences.
- The Processor shall only Process the Personal Data on the instructions of the Controller, except where required otherwise by applicable law. In such case, the Processor shall inform the Controller of that legal requirement before Processing, unless prohibited by law.
2. General Obligations of the Processor
- The Processor shall have no control over the purpose of and the means for the Processing of Personal Data and shall not take any independent decisions regarding the use of the Personal Data, the disclosure to third parties and the duration of the storage of Personal Data.
- The Processor shall notify the Controller in writing and without undue delay if, in the Processor’s reasonable opinion, an instruction constitutes an infringement of applicable Privacy Legislation.
- The Processor shall, upon first request of the Controller, make available all information necessary to demonstrate compliance with the obligations set out in this DPA.
- The Processor shall ensure compliance with the conditions imposed by applicable Privacy Legislation on the Processing of Personal Data by Processors.
- The Processor shall only grant access to the Personal Data to its employees and authorized contractors insofar as this is necessary for the performance of the services under this DPA.
- The Processor shall not Process the Personal Data for longer than the period specified in Annex 1, unless the Controller has expressly given written instructions to do so.
3. Obligations of the Controller
- The Controller agrees and warrants that the Processing of the Personal Data in accordance with this Agreement complies with the obligations incumbent upon it under applicable Privacy Legislation.
- The Controller shall promptly notify the Processor of any changes that may affect the Processing of Personal Data under this DPA, including but not limited to changes in the categories of Personal Data Processed, the categories of Data Subjects, or the purposes of Processing. The Controller shall provide the Processor with sufficient information to enable the Processor to assess and implement any necessary adjustments to its Processing activities in a timely manner.
4. Disclosure of Personal Data to Third Parties
- The Processor shall not disclose or make available any Personal Data to any third party unless pursuant to an express written instruction from the Controller or by order of a judicial or administrative authority, provided that in such case the Processor shall, to the extent permitted by law, notify the Controller as soon as possible, but in any event within 5 business days of receipt of such order, in order to enable the Controller to pursue any legal remedy available to it.
- If the Processor is of the opinion that it is required by a legal obligation to make Personal Data available to a competent authority, it shall notify the Controller thereof in writing as soon as possible, to the extent permitted by law. The Processor shall provide all relevant information that the Controller reasonably requires to assess whether and under what conditions disclosure may take place, and to consider any legal remedies. The Processor shall not proceed with disclosure until the Controller has had a reasonable opportunity to respond, unless applicable laws or regulations require immediate disclosure or prohibit notification.
5. Processing Outside the European Economic Area
- The Processor shall ensure that all Processing of Personal Data takes place exclusively within the European Economic Area. The Processor shall not transfer Personal Data to any country outside the EEA, unless expressly authorised by the Controller in writing and subject to the requirements of Chapter V GDPR.
6. Data Subject Requests
- In the event that the Processor receives a Data Subject request directly from a Data Subject, the Processor shall not respond to such request on behalf of the Controller and shall refer the Data Subject to the Controller without undue delay. The Processor shall notify the Controller of such request without undue delay and in any event within 5 business days of receipt. The Processor shall only respond to such a request if the Controller has given the Processor written instructions to do so. The Processor shall, by means of appropriate technical and organisational measures, provide the Controller with all assistance upon first request in fulfilling its obligation to respond to requests for the exercise of the established rights of Data Subjects.
- The Processor shall handle all requests for information from the Controller regarding the Processing of the Personal Data promptly and properly. The Processor shall, upon first request of the Controller, make available all information necessary to demonstrate compliance with the obligations of the Controller as set out in this DPA and Article 28 GDPR.
- The Processor shall, upon request, assist the Controller in carrying out a data protection impact assessment and any prior consultation pursuant to applicable Privacy Legislation.
7. Engagement of New Sub-Processors by the Processor in the Performance of the Agreement
- The Processor shall maintain an up-to-date list of engaged sub-Processors, which shall be made publicly available via https://www.eurouter.ai/dpa.
- The Processor shall notify the Controller by email of any changes to the list of sub-Processors at least 10 business days prior to the engagement of a new sub-Processor or the replacement of an existing sub-Processor. The Controller shall have the right to object in writing and on reasonable grounds relating to data protection within this period against the proposed engagement. If the Controller has raised such an objection, the Parties shall enter into consultations. If the Parties fail to reach agreement, the Controller shall be entitled to terminate the Agreement with reasonable notice.
- Where a sub-Processor is engaged to carry out specific Processing activities on behalf of the Controller (as a sub-Processor), the Processor shall impose on such sub-Processor, by way of agreement, at least the same obligations regarding the Processing and protection of Personal Data as the obligations set out in this DPA.
- If the sub-Processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of the sub-Processor’s obligations.
8. Confidentiality
- The Processor shall keep the Personal Data and other information obtained from the Controller strictly confidential, exercising at least the same degree of care as it exercises with respect to the protection of its own information of a highly confidential nature.
- The Processor shall not publish, distribute, disclose, or otherwise make known the Personal Data or other information obtained from the Controller to any persons other than its employees or contractors who need to have knowledge of the Personal Data or other information obtained from the Controller for their work for the Processor. The Processor shall only grant such employees or contractors access to the Personal Data and other information obtained from the Controller after they have been informed of the confidential nature of the Personal Data and other information obtained from the Controller. The Processor shall also impose the aforementioned confidentiality obligations on its employees or contractors involved in the Processing.
9. Data Breach Notification
- The Processor shall notify the Controller without undue delay and in any event no later than 48 hours after the Processor becomes aware of a Personal Data Breach that relates to the Processing of Personal Data in the context of the provision of its Services under this DPA.
- The Processor shall in any event provide the Controller with information regarding the following: (i) the nature of the breach, where possible including the categories of Data Subjects concerned and, approximately, the number of Data Subjects concerned; (ii) the (potentially) affected Personal Data and, approximately, the number of affected Personal Data records concerned; (iii) the established and expected consequences of the breach for the Processing of the Personal Data and the persons involved; and (iv) the measures that the Processor has taken and will take to address the breach, including, where applicable, measures to mitigate any potential adverse effects of the breach.
- The notification referred to in Article 9.1 shall be directed by the Processor to a contact person designated by the Controller and by means of the contact details made available. Upon receipt of the notification, the Controller shall inform the Processor of the manner in which the Controller will, if necessary, report any data breach to the Data Protection Authority.
- The Processor acknowledges that the Controller may, under certain circumstances, be legally obliged to report a security breach (of whatever nature) that relates or may relate to the Personal Data Processed by the Processor to Data Subjects and/or authorities. Such a report by the Controller shall never be considered a failure to perform under this DPA or otherwise as an unlawful act. The Processor shall take all measures necessary to mitigate the (potential) damage of a security breach and shall assist the Controller with notifications to Data Subjects and/or authorities.
10. Retention of Personal Data
- By default, the Processor applies a zero-retention policy with respect to the content of API requests and responses. The Processor retains only the minimal metadata strictly necessary for billing and service operation, including timestamps, model identifiers, and token counts, as further specified in Annex 1.
- If, in the opinion of the Controller, certain Personal Data may or need no longer be retained, the Processor shall, upon written request of the Controller, promptly destroy the specified Personal Data and confirm to the Controller that it has done so.
11. Security Measures and Audit
- The Processor shall, in accordance with Article 32 GDPR, take all appropriate technical and organisational measures to protect Personal Data against loss or any form of unlawful Processing (“Security Measures”). These Security Measures shall ensure an appropriate level of security, taking into account the state of the art, the costs of implementation, as well as the nature, scope, context and purposes of the Processing and the risks of varying likelihood and severity that the Processing of the Personal Data processed by the Processor entails for the rights and freedoms of the Data Subjects. These Security Measures are specified in Annex 1.
- The Processor shall periodically evaluate the effectiveness of the Security Measures in light of the latest state of the art and the risks associated with the Processing, and adjust or update them where necessary. The Processor shall be entitled to independently modify the Security Measures insofar as this is necessary to ensure an appropriate level of security.
- The Processor shall enable the Controller to demonstrate compliance with this DPA. The Controller shall have the right to conduct or have conducted an audit once per calendar year, and more frequently only where there is a reasonable suspicion of non-compliance, with respect to the Processing activities covered by this DPA. Such audit shall be carried out by an independent and qualified auditor who is bound by a duty of confidentiality. The audit shall be limited to information that is reasonably necessary to establish compliance and shall not cause disproportionate disruption to the Processor’s business operations. The costs of the audit, including reasonable internal costs of the Processor, shall be borne by the Controller. The Controller shall, upon request, provide the Processor with a copy of the audit report, insofar as it relates to compliance with this DPA.
- The Processor shall be entitled to provide recent, relevant independent certifications or audit reports in lieu of an audit, provided that these provide sufficient insight into compliance with the applicable obligations.
12. Liability
- The liability of the Parties arising from or in connection with this DPA shall be subject to the limitations of liability as set out in the Agreement. Notwithstanding the foregoing, the limitations of liability set out in this article shall not apply to the extent that damages are directly attributable to willful misconduct or gross negligence on the part of EUrouter, or to any liability that cannot be excluded or limited under applicable mandatory Dutch law.
13. Termination
- This DPA shall remain in force for the duration of the Agreement and shall terminate automatically upon termination of the Agreement.
- Without prejudice to any contrary written instruction from the Controller, the Processor shall, upon termination of the Agreement, promptly, but at least within 30 days of termination, permanently delete, destroy or irreversibly anonymise all Personal Data, and confirm to the Controller in writing that it has done so, unless the Controller has requested to return all Personal Data to the Controller and permanently delete, destroy or irreversibly anonymise all remaining copies thereafter.
- If, in the reasonable opinion of the Processor, an independent legal obligation of the Processor prohibits or restricts the return or destruction of the Personal Data in whole or in part, the Processor shall notify the Controller in writing as soon as possible of the legal obligation and provide all relevant information that the Controller reasonably requires to determine whether destruction may take place and, if so, under what conditions. If, in the reasonable opinion of the Controller, the legal obligation permits (partial) destruction of the Personal Data by the Processor, the Processor shall proceed to do so promptly upon request of the Controller. If the Controller is of the opinion that destruction may not take place, it shall notify the Processor thereof in writing. In such case, the Processor shall guarantee the confidentiality of the Personal Data vis-à-vis the Controller and shall not Process the Personal Data except in compliance with its aforementioned legal obligation or upon written instruction from the Controller.
14. Miscellaneous Provisions
- This DPA and the rights and obligations under this DPA may not be transferred by the Processor to third parties without the prior written consent of the Controller, such consent not to be unreasonably withheld.
- If one or more provisions of this DPA prove to be invalid, the Agreement shall remain in force for the remainder. The Parties shall consult on the provisions that are invalid in order to agree on a replacement arrangement that is valid and as closely as possible reflects the intent of the provision to be replaced.
- This DPA shall be governed by the laws of the Netherlands.
- All disputes arising from or in connection with this DPA shall be submitted exclusively to the competent court of the District Court of Amsterdam.
Annex 1
Description of the Processing
Categories of Data Subjects whose Personal Data is processed
The Personal Data processed may relate to:
- authorised users, employees, contractors, developers, administrators and other representatives of the Controller;
- end users of the Controller’s applications, products or services;
- business contacts or other persons whose Personal Data is included by or on behalf of the Controller in API requests, prompts, inputs, files, messages, metadata or other Customer API Data.
Categories of Personal Data processed
The Personal Data processed may include the following categories, depending on the data submitted by or on behalf of the Controller:
- Customer API Data, such as prompts, instructions, messages, input text, generated outputs, embeddings inputs, tool or function-call parameters, files or file references, images, audio, structured payloads, request headers, routing preferences, selected models, selected providers, customer-provided metadata, end-user identifiers and related configuration data.
- API metadata, such as customer account or organisation ID, API key reference, request ID, timestamp, IP address, selected provider, selected model, routing configuration, token counts, latency, status codes, error information, usage and cost information, rate-limit data and service performance metrics.
- Support data, where the Controller requests support, such as name, email address, company, account information, message content, attachments, support history and other information provided by the Controller.
EUrouter does not store the substantive content of prompts, inputs, uploaded files, model responses or outputs as part of default API logs.
Sensitive and special categories of Personal Data (if applicable)
The Services are not intended for the processing of special categories of Personal Data, criminal-offence data, children’s data, health data, biometric data, government identifiers, payment card data, financial account credentials, passwords, API keys, private keys, secrets, export-controlled data or other highly sensitive, regulated or restricted data.
The Controller shall not submit such data to the Services unless expressly agreed in writing with EUrouter and supported by the selected provider, model and configuration.
Nature of the Processing
The nature of the Processing consists of receiving, proxying, parsing, routing, transmitting, temporarily handling, processing in memory, and returning API requests and responses.
The Processing may also include usage metering, calculating billing and cost information, monitoring performance and reliability, detecting errors, preventing abuse, investigating security issues, providing support where requested, deleting data, anonymising data, and retaining permitted metadata and operational records.
Customer API Data is processed transiently as necessary to provide the Services. EUrouter does not store prompts, inputs, uploaded files, model responses or outputs after request completion by default.
Purpose(s) for which the Personal Data is processed on behalf of the Controller
EUrouter processes Personal Data on behalf of the Controller for the purpose of providing the Services, including:
- routing API requests to AI model providers selected, configured or authorised by the Controller;
- returning model responses to the Controller;
- enabling provider and model selection, routing and fallback routing where configured;
- measuring usage, calculating costs and supporting billing;
- maintaining the security, availability, reliability and performance of the Services;
- detecting and preventing abuse, fraud, misuse and security incidents;
- providing technical or customer support at the Controller’s request;
- complying with documented instructions from the Controller and applicable legal obligations.
Duration of the Processing
The Personal Data shall be processed for the duration of the Agreement. Following termination of the Agreement, Personal Data shall be deleted, anonymised or returned to the Controller within 30 days, unless a statutory retention obligation applies.
Technical and Organisational Measures
| Measure | Description |
|---|---|
| Data transmission | Customer API traffic is transmitted over encrypted channels such as TLS 1.2 or higher where technically supported. |
| Access control | Administrative access is restricted to authorised personnel using least-privilege principles and appropriate authentication. |
| Credential security | API credentials and provider credentials are handled securely and are not intended to be stored in plain text. |
| Data economy | Prompts, inputs, uploaded files, outputs and model responses are processed transiently and are not stored by EUrouter by default after request completion. |
| Logging and monitoring | Operational logs and monitoring are designed to capture metadata needed for security, billing and reliability, not substantive prompt or output content. |
| Backups | Backups are used for relevant account, billing, configuration and operational systems. Transient API payload content is not expected to be available in backups. |
| Incident response | EUrouter maintains procedures to assess, contain, remediate and notify relevant parties of security incidents where required. |
| Subprocessor review | EUrouter reviews subprocessors appropriate to their role and maintains the Provider and Subprocessor List. |
| Personnel controls | Personnel authorised to process Customer Personal Data are subject to confidentiality obligations and need-to-know access. |
| Customer responsibilities | The Controller is responsible for its own applications, accounts, API keys, end users, provider selections, outputs and data classification decisions. |
EUrouter Provider and Sub-Processor List
Last updated: 4 May 2026
The list below contains the sub-Processors and providers engaged by EUrouter in the performance of its services. For each sub-Processor or provider, the purpose of the processing and the country in which the processing takes place are indicated. For more information on the processing activities and security measures of the individual sub-Processors and providers, please refer to the website of the relevant sub-Processor or provider below. EUrouter reserves the right to amend this list. The Controller will be informed of changes by email.
For the standard Service, Customer API Data is routed through EU/EEA configurations only. Customers can select or filter AI providers based on data-residency, retention and model-training information shown in the Service and this list.
Sub-Processors for Customer API Data
| Provider | Purpose | Customer API Data | Location / safeguards |
|---|---|---|---|
| Scaleway | Core infrastructure, hosting, compute, databases, networking, logs and monitoring. | May process API traffic and API metadata transiently. | EU/EEA. Compute and storage in Scaleway nl-ams (Amsterdam); telemetry via Scaleway Cockpit (fr-par). |
| AI model providers selected or authorised by the customer | AI model processing, inference, embeddings and related services. | Yes, only for selected models/routes. | EU/EEA configurations only. See provider table below. |
| Sentry (EU-hosted) | Error tracking and diagnostics. | No substantive API content intended. May process diagnostic metadata if present in error events. | EU-hosted or EU-limited configuration. |
| PostHog Cloud EU | Error tracking and diagnostics. | No substantive API content intended. May process diagnostic metadata if present in error events. | EU-hosted (eu.posthog.com / eu.i.posthog.com). |
| Scaleway Cockpit / monitoring | Monitoring, observability and reliability. | No substantive API content intended. May process operational metadata. | EU/EEA. Scaleway Cockpit (fr-par) via OpenTelemetry. |
AI model providers
The customer authorises an AI provider by selecting, allowing, or configuring the relevant provider, model, route, or fallback setting. The list below is generated from EUrouter’s currently enabled providers and reflects the headquarters, retention and training position recorded for each in the Service.
| Provider | Purpose | Approved location / configuration | Retention / training information |
|---|---|---|---|
| AWS Bedrock | AI model processing | EU/EEA configurations only (HQ: United States) | No prompt retention / no training |
| GreenPT | AI model processing | EU/EEA configurations only (Netherlands) | No prompt retention / no training |
| Inceptron | AI model processing | EU/EEA configurations only (Sweden) | No prompt retention / no training |
| Infercom | AI model processing | EU/EEA configurations only (Luxembourg) | No prompt retention / no training |
| IONOS Cloud | AI model processing | EU/EEA configurations only (Germany) | No prompt retention / no training |
| Microsoft Foundry | AI model processing | EU/EEA configurations only (HQ: United States) | No prompt retention / no training |
| Mistral AI | AI model processing | EU/EEA configurations only (France) | No prompt retention / no training |
| Nebius | AI model processing | EU/EEA configurations only (Netherlands) | No prompt retention / no training |
| OVHcloud | AI model processing | EU/EEA configurations only (France) | No prompt retention / no training |
| Scaleway | AI model processing | EU/EEA configurations only (France) | No prompt retention / no training |
| Tensorix | AI model processing | EU/EEA configurations only (Ireland) | No prompt retention / no training |
Controller-data service providers
The providers below are used primarily for EUrouter controller data, such as account, billing, analytics, website, email, marketing, authentication, business operations or status-page data. They are not used for Customer API Data unless separately stated above or in an updated DPA/list.
| Provider | Purpose | Data |
|---|---|---|
| Mollie | Payment processing | Billing and payment data; no Customer API Data intended. |
| PostHog Cloud EU | Website and product analytics | Website/product events; no Customer API Data intended. |
| Cookiebot (by Usercentrics) | Cookie consent management | Consent preferences and consent logs; no Customer API Data intended. |
| Brevo | Transactional and marketing email | Email address and email engagement data; no Customer API Data intended. |
| Google Workspace | Support, privacy and business email | Support and business communications. Customers must not include Customer API Data in standard support emails. |
| Google OAuth | Google login | Login identifiers; no Customer API Data intended. |
| GitHub OAuth | GitHub login | Login identifiers; no Customer API Data intended. |
| Phare.io | Status page | Status-page data; no Customer API Data intended. |
Notes and contact
EUrouter does not store prompts, inputs, uploaded files, model responses or outputs after request completion by default. EUrouter does not use Customer API Data to train, fine-tune or improve AI models and does not sell Customer API Data. Provider retention and model-training positions may vary. Customers should select providers that match their requirements. Questions may be sent to privacy@eurouter.ai.