Data Processing Agreement (DPA)

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between VoltageGPU ("Processor", "we", "us") and the Customer ("Controller", "you") for the provision of GPU cloud computing and AI inference services.

This DPA reflects the parties' agreement with regard to the processing of personal data in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and other applicable data protection laws.

2. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person
• "Processing" means any operation performed on Personal Data
• "Data Subject" means the individual to whom Personal Data relates
• "Sub-processor" means any third party engaged by VoltageGPU to process Personal Data
• "Controller" means the entity that determines the purposes and means of processing
• "Processor" means the entity that processes Personal Data on behalf of the Controller

3. Scope of Processing

3.1 Subject Matter

VoltageGPU processes Personal Data on behalf of the Customer in connection with the provision of GPU cloud computing, AI inference, and related services.

3.2 Nature and Purpose

3.3 Categories of Data Subjects

• Customer's employees and contractors
• Customer's end users (if applicable)
• Any individuals whose data is processed through Customer's workloads

3.4 Types of Personal Data

• Account information (name, email, company)
• Technical data (IP addresses, usage logs)
• Any Personal Data contained in Customer's workloads

4. Processor Obligations

VoltageGPU shall:

• Process only on instructions: Process Personal Data only on documented instructions from the Controller
• Confidentiality: Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
• Security: Implement appropriate technical and organizational measures to ensure security of processing
• Sub-processing: Not engage another processor without prior written authorization
• Assistance: Assist the Controller in responding to Data Subject requests
• Deletion: Delete or return all Personal Data upon termination of services
• Audit: Make available information necessary to demonstrate compliance

5. Security Measures

VoltageGPU implements the following technical and organizational measures:

For detailed security information, please refer to our Security page.

6. Sub-processors

The Customer authorizes VoltageGPU to engage sub-processors for the provision of services. A current list of sub-processors is available at Sub-processors page.

6.1 Sub-processor Requirements

• Written contract with equivalent data protection obligations
• Prior notification of new sub-processors (30 days)
• Right to object to new sub-processors
• VoltageGPU remains liable for sub-processor compliance

7. Data Subject Rights

VoltageGPU will assist the Controller in fulfilling Data Subject requests including:

• Access: Right to obtain confirmation and access to Personal Data
• Rectification: Right to correct inaccurate Personal Data
• Erasure: Right to deletion ("right to be forgotten")
• Restriction: Right to restrict processing
• Portability: Right to receive data in structured format
• Objection: Right to object to processing

Requests should be directed to privacy@voltagegpu.com

8. Data Transfers

8.1 Transfer Mechanisms

For transfers of Personal Data outside the European Economic Area (EEA), VoltageGPU relies on the following legal mechanisms:

• EU Standard Contractual Clauses (SCCs)
• Adequacy decisions where applicable
• Binding Corporate Rules (where applicable)

8.2 Data Residency

Upon request, VoltageGPU can ensure that Customer data is processed exclusively within the European Union. Contact us for EU-only data residency options.

9. Data Breach Notification

In the event of a Personal Data breach, VoltageGPU will:

• Notify the Controller without undue delay (within 72 hours of becoming aware)
• Provide details of the breach including nature, categories, and approximate number of Data Subjects affected
• Describe likely consequences and measures taken or proposed
• Cooperate with the Controller in investigating and mitigating the breach

10. Audit Rights

VoltageGPU will make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

• Reasonable advance notice required (minimum 30 days)
• Audits conducted during normal business hours
• Auditor must sign confidentiality agreement
• One audit per year unless required by supervisory authority

11. Data Retention and Deletion

11.1 During Service

Personal Data is retained for the duration of the service agreement and as necessary to provide the services.

11.2 Upon Termination

Upon termination of services, VoltageGPU will:

• Delete all Personal Data within 30 days
• Provide data export upon request (before deletion)
• Certify deletion upon request
• Retain only data required by law (with notification)

12. Controller Obligations

The Controller warrants that:

• It has a lawful basis for processing Personal Data
• It has provided appropriate notices to Data Subjects
• It will comply with applicable data protection laws
• Instructions to VoltageGPU will not violate applicable laws

13. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. VoltageGPU's total liability for breaches of this DPA shall not exceed the amounts paid by the Controller in the 12 months preceding the claim.

14. Contact Information

15. Amendments

This DPA may be amended by VoltageGPU to reflect changes in data protection laws or our processing activities. Material changes will be notified 30 days in advance.

Last Updated: January 2025

Version: 2.0