LLM ControlsLLM Controls
PricingFAQ
Log in

Legal

Data Processing Addendum

Updated: May 2026

Master Data Processing Addendum (MDPA)

This Data Processing Addendum ("DPA"), also referred to as the Master Data Processing Addendum ("MDPA") where referenced in an order form, forms part of the LLM Controls Customer Terms of Service.

This DPA applies when LLM Controls processes Personal Data on behalf of Customer in connection with the Services.

1. Scope

This DPA applies to the processing of Personal Data by LLM Controls in providing:

  • the LLM Controls platform;
  • AI applications;
  • AI workflows and agents;
  • integrations;
  • monitoring and governance services;
  • implementation and professional services.

This DPA does not apply to data for which LLM Controls acts as an independent controller or where Personal Data is processed outside the scope of the Services.

2. Roles of the Parties

For Personal Data processed under this DPA:

Customer acts as the:

  • controller;
  • business;
  • data owner;
  • or equivalent responsible party under applicable privacy law.

LLM Controls acts as the:

  • processor;
  • service provider;
  • data recipient;
  • or equivalent processing party.

Each party will comply with its respective obligations under applicable privacy and data protection laws.

3. Processing Instructions

LLM Controls will process Personal Data only:

(a) according to Customer's documented instructions;

(b) as necessary to provide, secure, maintain, support, and improve operation of the Services;

(c) as described in the Agreement, order form, or statement of work;

(d) as required by applicable law.

Customer's instructions include:

  • configuration of AI workflows;
  • integrations authorized by Customer;
  • user permissions;
  • system connections;
  • operational settings.

If LLM Controls believes an instruction violates applicable law, LLM Controls may suspend the relevant processing and notify Customer where legally permitted.

4. Customer Responsibilities

Customer is responsible for:

(a) ensuring it has a lawful basis to provide Personal Data to LLM Controls;

(b) providing required notices and obtaining required consents;

(c) determining whether the Services are appropriate for the categories of Personal Data processed;

(d) configuring access, permissions, retention, and workflow controls;

(e) ensuring Customer users comply with privacy obligations.

Customer will not provide regulated or sensitive categories of Personal Data unless expressly authorized under the Agreement or an applicable order form.

5. Confidentiality and Personnel

LLM Controls will ensure personnel authorized to process Personal Data:

  • have a legitimate need for access;
  • are subject to confidentiality obligations;
  • receive appropriate security and privacy guidance.

Access to Personal Data is restricted based on role and business need.

6. Security Measures

LLM Controls will implement and maintain appropriate technical and organizational measures designed to protect Personal Data.

Security measures are described in the Security Addendum and may include:

  • access controls;
  • encryption;
  • monitoring;
  • logging;
  • vulnerability management;
  • operational safeguards;
  • incident response procedures.

Security measures are designed considering:

  • processing risks;
  • nature of the Services;
  • sensitivity of Personal Data;
  • available technology.

7. AI Systems and Personal Data

Customer acknowledges that the Services may process Personal Data through AI-enabled systems, workflows, agents, and integrations.

LLM Controls will not use Customer Personal Data to train, fine-tune, or improve:

  • public foundation models;
  • shared AI models;
  • third-party AI models;

unless Customer provides prior written authorization.

AI processing may include:

  • generating Outputs;
  • retrieving relevant information;
  • transforming data;
  • classifying information;
  • summarizing content;
  • automating workflows;
  • monitoring application performance.

Customer remains responsible for determining whether AI processing is appropriate for Customer's use case and regulatory obligations.

8. Subprocessing

Customer authorizes LLM Controls to engage subprocessors necessary to provide the Services.

Subprocessors may include providers of:

  • cloud infrastructure;
  • AI models;
  • databases;
  • hosting;
  • monitoring;
  • security;
  • support;
  • operational services.

LLM Controls will impose written obligations on subprocessors requiring protections substantially consistent with this DPA.

Where required by applicable law or contract, LLM Controls will:

  • provide notice of material subprocessor changes;
  • provide a mechanism for reasonable objection.

LLM Controls remains responsible for its obligations under this DPA, subject to the Agreement's limitations.

9. International Data Transfers

To the extent Personal Data is transferred internationally, the parties will use lawful transfer mechanisms where required.

Such mechanisms may include:

  • Standard Contractual Clauses (SCCs);
  • UK International Data Transfer Addendum;
  • adequacy decisions;
  • other legally recognized transfer mechanisms.

Additional transfer safeguards may apply where required by law.

10. Data Subject Requests

Taking into account the nature of the processing, LLM Controls will reasonably assist Customer in responding to requests relating to:

  • access;
  • deletion;
  • correction;
  • portability;
  • restriction;
  • objection;
  • other applicable privacy rights.

Customer is responsible for managing requests from individuals unless applicable law requires otherwise.

11. Privacy Impact and Compliance Assistance

LLM Controls will reasonably assist Customer with:

  • privacy impact assessments;
  • regulatory inquiries;
  • security assessments;
  • documentation requests;

where required by applicable law and commercially reasonable.

Assistance may be subject to:

  • confidentiality requirements;
  • technical feasibility;
  • reasonable limitations.

12. Personal Data Breach Notification

LLM Controls will notify Customer without undue delay after becoming aware of a confirmed Personal Data breach affecting Customer Personal Data.

Notification will include information reasonably available, which may include:

  • nature of the incident;
  • categories of affected data;
  • remediation actions;
  • mitigation steps.

Notification does not constitute an admission of fault or liability.

13. Return and Deletion

Upon termination of the Services, Customer may request return or deletion of Personal Data.

LLM Controls will delete or return Personal Data within a commercially reasonable period, subject to:

  • legal retention requirements;
  • backup retention cycles;
  • security obligations;
  • dispute-resolution needs.

Data stored in backups may be deleted according to normal backup lifecycle processes.

14. Sensitive and Regulated Data

Customer must not provide sensitive or regulated Personal Data unless expressly permitted in writing and supported by appropriate contractual and technical controls.

Such data may include:

  • protected health information (PHI);
  • payment card information;
  • government identification data;
  • children's data;
  • biometric information;
  • export-controlled data;
  • other regulated categories.

Additional agreements may be required, including:

  • Business Associate Agreements (BAAs);
  • enhanced security requirements;
  • compliance-specific terms.

15. CCPA / CPRA and Similar Privacy Laws

To the extent applicable, LLM Controls acts as a service provider, processor, or equivalent restricted recipient.

LLM Controls will not:

(a) sell Personal Data;

(b) share Personal Data for cross-context behavioral advertising;

(c) retain, use, or disclose Personal Data outside the business purposes described in the Agreement;

(d) combine Personal Data except as permitted by applicable law;

(e) process Personal Data outside Customer's documented instructions.

16. Audit Rights

Upon reasonable written request, LLM Controls will make available information reasonably necessary to demonstrate compliance with this DPA.

Information may include:

  • security documentation;
  • compliance summaries;
  • audit materials;
  • assessment results.

Customer audits must:

  • be reasonable in scope;
  • protect confidentiality;
  • avoid disruption to the Services;
  • avoid compromising other customers' information.

17. De-Identified and Aggregated Data

LLM Controls may create and use aggregated or de-identified information derived from operation of the Services for:

  • security;
  • analytics;
  • reliability improvement;
  • operational insights;
  • product improvement.

Such data will not identify Customer, Customer users, or individuals.

LLM Controls will not attempt to re-identify de-identified data except as permitted by law.

18. Order of Precedence

If there is a conflict among:

  • 1. Order form or statement of work;
  • 2. This DPA;
  • 3. Security Addendum;
  • 4. Main Agreement;

the documents will govern in that order for privacy and Personal Data matters, unless expressly agreed otherwise in writing.

19. Survival

Obligations relating to:

  • confidentiality;
  • security;
  • Personal Data protection;
  • deletion;
  • legal compliance;

continue after termination for as long as required by applicable law or while LLM Controls retains Personal Data.

Contact Us

If you have questions about this Data Processing Addendum, please contact us at:

LLM Controls
Email: contact@llmcontrols.ai