legal

Data processing agreement

Last updated: 20 May 2026 · Effective: 20 May 2026 · Version 1.0

This Data Processing Agreement ("DPA") forms part of and is incorporated into the Terms of Service between InputGate and the Customer (together the "Agreement"). Where customer personal data is processed via the InputGate Service, this DPA governs that processing under Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR.

Parties

controller

Customer

The party that signed up for the Service and that determines the purposes and means of processing the personal data of its end-users submitted via the Service.

processor

FreeMan LLC (a Wyoming limited liability company)

Spokane, WA 99201, USA. Processes personal data on behalf of the Controller solely to provide the Service in accordance with the Agreement.

1. Definitions

Capitalised terms have the meanings set out in the GDPR, supplemented by the following:

"Customer Personal Data" means personal data of the Controller's end-users submitted to the Service via the API (e.g. fields content and client_ip).
"Service" means the InputGate API and dashboard as described in the Agreement.
"Sub-processor" means any third party engaged by the Processor to process Customer Personal Data.
"SCCs" means the Standard Contractual Clauses approved by the European Commission for transfers of personal data to third countries.

2. Scope and roles

The Customer acts as the controller and InputGate as the processor with respect to Customer Personal Data. Where the Customer is itself a processor of its own customer's data, this DPA shall apply on a back-to-back basis (InputGate as sub-processor).

The subject matter, nature, purpose, duration, categories of data subjects and personal data are set out in Annex I.

3. Customer instructions

InputGate shall process Customer Personal Data only on documented instructions from the Customer. The Agreement (including this DPA, the request parameters submitted via the API, and the dashboard configuration) constitute the Customer's complete and final documented instructions.

The Customer's choice of the retention parameter on each request is treated as a specific written instruction for the corresponding processing. Any additional or differing instructions require written agreement of both parties.

InputGate shall inform the Customer if, in its opinion, an instruction infringes the GDPR or other applicable data-protection law.

4. Confidentiality

InputGate shall ensure that all personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations (whether contractual or statutory) and have received appropriate data-protection training.

5. Security measures

InputGate shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, costs of implementation, and nature of the processing. The current measures are described in Annex II and may be updated by InputGate without notice, provided the overall level of protection is not reduced.

6. Sub-processors

The Customer provides general written authorisation for InputGate to engage Sub-processors. The current list is set out in Annex III below.

InputGate shall:

Notify the Customer of any intended addition or replacement of a Sub-processor at least 30 days in advance, by email and/or dashboard notice.
Impose data-protection obligations on each Sub-processor materially equivalent to those in this DPA.
Remain fully liable to the Customer for the acts and omissions of its Sub-processors.

The Customer may object to a new Sub-processor on reasonable data-protection grounds within 14 days. If the parties cannot resolve the objection in good faith, the Customer may terminate the affected Service by written notice; pre-paid fees are refunded pro-rata.

7. Data subject rights

InputGate shall provide reasonable assistance to enable the Customer to respond to requests from data subjects exercising their rights under GDPR Articles 12–22 (access, rectification, erasure, restriction, portability, objection, automated decision-making).

Where technically feasible, InputGate provides self-service tools for the Customer to fulfil such requests directly — including the POST /v1/erasure endpoint, which programmatically erases all log entries tied to a given client_ip and produces an audit-trail record (Art. 30).

8. Breach notification

InputGate shall notify the Customer of any Personal Data Breach affecting Customer Personal Data without undue delay after becoming aware of it, and in any event within 72 hours. The notification will include, to the extent then known:

The nature of the breach, including categories and approximate number of data subjects and records concerned.
The likely consequences.
Measures taken or proposed to address the breach and mitigate adverse effects.
Contact details of the InputGate data protection point of contact.

InputGate shall reasonably cooperate with the Customer's investigation and any notifications the Customer must make to supervisory authorities or affected data subjects.

9. DPIA & consultation assistance

Taking into account the nature of processing and the information available, InputGate shall provide reasonable assistance to the Customer with data-protection impact assessments and prior consultations with supervisory authorities under GDPR Articles 35–36, where required.

10. Deletion or return on termination

On termination of the Agreement, and at the Customer's choice, InputGate shall delete or return all Customer Personal Data, including all copies thereof, within 30 days, unless storage is required by applicable law. Encrypted backups will be overwritten in the normal rotation (≤ 30 days).

11. Audit rights

InputGate shall make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations under this DPA. This typically takes the form of:

A current copy of this DPA, with Annexes.
Independent third-party audit summaries or certifications (e.g. SOC 2 reports of Cloudflare as Sub-processor), where available.
Written responses to reasonable customer questionnaires within 30 days.

On-site audits may be conducted by the Customer (or a mutually agreed third-party auditor) no more than once per year, on at least 30 days' written notice, at the Customer's expense, during business hours, and subject to reasonable confidentiality obligations. Where supervisory-authority requirements impose more frequent audits, those will be honoured.

12. International transfers

Where Customer Personal Data is transferred outside the EEA, UK, or Switzerland, the parties agree to rely on the EU SCCs (Module 2, controller-to-processor), the UK International Data Transfer Addendum, and the Swiss-equivalent FDPIC mechanism, as applicable. Both parties shall implement supplementary measures where necessary following Schrems II guidance.

By entering into this DPA, the parties are deemed to have signed the SCCs and agreed that Annex I (II / III) of this DPA also serves as the Annex of the SCCs, mutatis mutandis.

13. Liability

Each party's liability under or in connection with this DPA shall be subject to and form part of the aggregate liability limits set out in the Terms of Service, except where mandatory law requires otherwise.

14. Term and order of precedence

This DPA takes effect on the Effective Date and remains in force for the duration of the Agreement. Provisions which by their nature should survive termination shall survive.

In case of conflict between this DPA and the Terms of Service, this DPA prevails as to the subject matter of personal-data processing. The SCCs prevail over both for matters within their scope.

annex i

Processing details

Subject matter. Provision of spam-filtering, risk-scoring, and content-classification services to the Customer.

Duration. Term of the Agreement plus the retention windows set out in Privacy Policy §4.

Nature and purpose. Scoring inbound textual data submitted by Customer end-users for spam, abuse, prompt-injection, and quality signals; returning a structured result to the Customer.

Categories of data subjects. The Customer's end-users (e.g. visitors completing a contact form on the Customer's website).

Categories of personal data.

Category	Mandatory?
Text content submitted via `fields`	Yes
IP address (`client_ip`)	Yes (for accurate scoring)
Email address (when included in `fields.email`)	Optional
Country (derived from `client_ip`)	Derived

Special categories of data. The Customer instructs InputGate not to submit special-category data (Art. 9 GDPR) unless the Customer has set retention: "none" and a lawful basis exists.

Frequency of processing. Continuous, on receipt of API calls.

annex ii

Technical and organisational security measures

InputGate maintains the following measures (which may be updated, provided the overall level of protection is not reduced):

Encryption in transit. TLS 1.2+ on all customer-facing endpoints.
Encryption at rest. Customer Personal Data is stored on Cloudflare D1 / R2 with platform-level encryption at rest.
Authentication. Bearer tokens stored as SHA-256 hashes; never raw. Rate limiting and quota enforcement on every request.
Access control. Principle of least privilege for internal personnel; access reviewed quarterly.
Network security. Edge-deployed Workers with no exposed origin servers; service-to-service calls via Cloudflare service bindings (SSRF-safe).
Logging & monitoring. Per-request structured logs; security-relevant events (auth failure, erasure) audit-logged separately.
Privacy-by-default. Default retention value is flagged_only; none available per request.
Storage limitation. Daily scheduled deletion of expired log rows per per-user retention setting.
Resilience. Cloudflare's globally-distributed infrastructure; in-process circuit breaker on the upstream classifier to fail open under load.
Incident response. Documented procedure with 72-hour authority notification target.
Personnel. Background checks for personnel with production access; mandatory data-protection training; binding confidentiality obligations.
Sub-processor management. Sub-processors reviewed before onboarding and re-assessed annually.
No model training. Customer Personal Data is not used to train, fine-tune, or evaluate machine-learning models.

annex iii

Authorised Sub-processors

Sub-processor	Role	Location	Transfer mechanism
Cloudflare, Inc.	Edge compute (Workers), database (D1), object storage (R2), DNS, hosting	Global edge; primary D1 region configurable	EU SCCs + Cloudflare DPA
Clerk	Customer authentication for the dashboard	USA	EU SCCs
Stripe	Payment processing	USA / EU	EU SCCs (Stripe is also an independent controller for fraud-prevention purposes)

To subscribe to change notifications, email privacy@inputgate.cloud from your account email.

Need a signed paper copy or a custom DPA on your template? Available on the Scale plan and above — contact privacy@inputgate.cloud.