
Data processing addendum

Have a lawyer adapt this template for GDPR / CCPA / SCCs in your specific jurisdictions.

Parties

This addendum supplements the terms of service between OneAPIKey ("Processor") and you ("Controller") for the processing of personal data.

Subject matter & duration

Processor handles personal data only for the purpose of delivering the service described in the main agreement. Processing continues for the duration of the agreement and 30 days thereafter.

Nature & purpose

Account authentication, proxying API requests, usage metering, billing, transactional email, and fraud prevention.

Data categories

  • Identifiers: email, name, profile image.
  • Request metadata: timestamps, token counts, cost, latency, status.
  • Billing metadata: Stripe customer/invoice IDs.

Sub-processors

The following sub-processors may be engaged:

  • Vercel — hosting
  • Supabase / Neon — primary database
  • Upstash — rate limiting & caching
  • Stripe — payment processing
  • Resend — transactional email
  • Upstream AI providers — forwarding customer request bodies

Security measures

  • Encryption in transit (TLS 1.2+).
  • Encryption at rest for upstream credentials (AES-256-GCM).
  • API keys stored only as HMAC-SHA256 hashes.
  • RBAC-controlled admin access + audit logging.
  • Least-privilege DB users; no raw card data.

Data subject requests

We'll respond to Controller-forwarded data subject access, deletion, rectification, and portability requests within 30 days, free of charge.

International transfers

Where transfers occur between regions, we rely on Standard Contractual Clauses and/or adequacy decisions.

Breach notification

Processor will notify Controller of a confirmed personal data breach without undue delay and, in any event, within 72 hours of detection.

Return & deletion

On termination, personal data is deleted or returned within 30 days, except for backups, which are purged on their normal rotation schedule.