This Data Processing Agreement (the “DPA”) supplements the Terms of Service between YOUTH FIRST SHOW PTE LTD, a company registered at 112 Robinson Road, #03-01, Robinson 112, Singapore 068902 (the “Processor”), and the customer that has accepted the Terms of Service (the “Controller”). It applies whenever the Processor processes Personal Data on behalf of the Controller in the course of providing the inferoute AI gateway (the “Service”).
The DPA is intended to satisfy the requirements of Article 28 of the EU General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”) and the corresponding requirements of the United Kingdom Data Protection Act 2018, the Singapore Personal Data Protection Act 2012 (the “PDPA”), and other data protection laws that apply to the parties (collectively, “Data Protection Laws”).
Where the Terms of Service and this DPA conflict on a topic of data protection, this DPA prevails.
1. Definitions
Capitalised terms used but not defined here have the meaning given in the Terms of Service or in the applicable Data Protection Laws. In this DPA:
- “Personal Data” means any information relating to an identified or identifiable natural person that the Processor handles on behalf of the Controller through the Service.
- “Process”, “Processing”, and “Processed” have the meaning given in Article 4 of the GDPR.
- “Data Subject” means the natural person to whom Personal Data relates.
- “Sub-processor” means any third party engaged by the Processor to Process Personal Data on behalf of the Controller in connection with the Service.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.
- “Model Provider” means a third-party operator of an AI model that the Controller selects through the Service.
2. Roles of the Parties
The parties acknowledge that, in respect of the Personal Data Processed through the Service:
- the Controller acts as a controller (or, where the Controller is itself a processor for another controller, as a processor); and
- the Processor acts as a processor.
Where the Controller is itself a processor, the Controller warrants that it has authority from the relevant controller to engage the Processor as a sub-processor on the terms of this DPA.
3. Subject Matter and Duration
The subject matter of the Processing is the operation of the Service for the Controller. Processing continues for as long as the Controller uses the Service and for any retention period required by law. Annex A describes the nature and purpose of the Processing, the categories of Personal Data and Data Subjects, and the duration in more detail.
4. Controller's Instructions
The Processor will Process Personal Data only on documented instructions from the Controller. The Terms of Service, this DPA, the configuration the Controller selects in the dashboard, and the API requests the Controller submits each constitute documented instructions for the purposes of Article 28(3)(a) of the GDPR.
The Processor will inform the Controller without undue delay if, in its opinion, an instruction infringes a Data Protection Law, unless the Processor is prohibited from giving that notification by law.
5. Confidentiality
The Processor will ensure that personnel authorised to Process Personal Data are bound by an appropriate obligation of confidentiality (whether contractual or statutory) and have received suitable training on their data protection responsibilities.
6. Security of Processing
The Processor will implement and maintain appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, or damage. These measures take into account the state of the art, the cost of implementation, the nature, scope, context, and purposes of Processing, and the risk to Data Subjects. A summary of the measures is set out in Annex B.
The Processor reviews these measures periodically and may update them from time to time, provided the level of protection is not materially reduced.
7. Sub-processors
The Controller gives the Processor general authorisation to engage Sub-processors to Process Personal Data, subject to this section.
- Categories. The Processor may engage Sub-processors that provide cloud hosting, content delivery, error monitoring, transactional email, payment processing, customer support tooling, and similar functions necessary to operate the Service. Model Providers selected by the Controller are Sub-processors with respect to the prompts and outputs the Controller routes to them.
- List and updates. The Processor maintains a current list of its Sub-processors and will notify the Controller of any intended addition or replacement at least fourteen (14) days before the change takes effect, by email or by an in-product notice. The Controller may object to a change by writing to inferoute@glodrapay.com on reasonable data protection grounds before the change takes effect; if the parties cannot agree on a remedy, the Controller may terminate the affected portion of the Service.
- Flow-down. The Processor will impose data protection terms on each Sub-processor that are no less protective than those in this DPA, and remains responsible to the Controller for the performance of each Sub-processor's obligations.
8. International Data Transfers
Personal Data may be transferred to, stored in, or accessed from jurisdictions outside the country where the Controller is located, including Singapore, the European Economic Area, the United Kingdom, and the United States.
Where Personal Data subject to the GDPR or UK GDPR is transferred to a country that the European Commission or the UK government has not recognised as providing an adequate level of protection, the parties will rely on the European Commission's Standard Contractual Clauses (Module Two for controller-to-processor transfers and Module Three for processor-to-processor transfers, as applicable), or the UK International Data Transfer Addendum, which are incorporated into this DPA by reference.
Where Personal Data is governed by the PDPA, the Processor will take steps reasonably required by the PDPA to ensure that the recipient is bound by legally enforceable obligations to provide a comparable standard of protection.
9. Assistance to the Controller
9.1 Data Subject Requests
Taking into account the nature of the Processing, the Processor will provide reasonable assistance to the Controller, by appropriate technical and organisational measures, to enable the Controller to respond to requests from Data Subjects to exercise their rights under Data Protection Laws. If the Processor receives a request directly from a Data Subject, it will not respond to the substance of the request and will, unless prohibited by law, forward the request to the Controller without undue delay.
9.2 Data Protection Impact Assessments
The Processor will provide reasonable assistance to the Controller with any data protection impact assessment or prior consultation with a supervisory authority that the Controller is required to conduct under Articles 35 and 36 of the GDPR or equivalent provisions of other Data Protection Laws, in each case to the extent the assistance relates to the Service.
10. Personal Data Breach Notification
The Processor will notify the Controller without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting the Controller's Personal Data. The notification will, to the extent then known, describe:
- the nature of the breach and the categories of data affected;
- the likely consequences of the breach;
- the measures taken or proposed to be taken to address the breach; and
- a contact point at the Processor where further information can be obtained.
The Processor will cooperate with the Controller and provide such further information as the Controller reasonably requires to comply with its own breach notification obligations.
11. Audits and Inspections
The Processor will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. To minimise disruption, the parties agree that:
- the Controller may exercise audit rights once per twelve (12) month period, except where a competent supervisory authority requires otherwise or where the Controller has a reasonable, specific concern arising from a Personal Data Breach;
- the Controller will give the Processor at least thirty (30) days' prior written notice of any audit;
- the Controller, its auditor, and any persons given access to the Processor's systems or information must be bound by confidentiality obligations no less strict than those in the Terms of Service; and
- the Processor may meet audit requests by providing the Controller with copies of recent independent third-party assessments (such as ISO 27001 or SOC 2 reports) where these reasonably address the Controller's questions.
12. Return or Deletion of Personal Data
On termination of the Service, the Processor will, at the Controller's choice, return Personal Data to the Controller or delete it, except to the extent retention is required by law or by legitimate accounting or audit obligations. The Controller may, at any time during the term, export Personal Data through the Service or request deletion of stored prompts and completions in accordance with the configuration available on its account.
13. Liability
Each party's liability arising under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits a Data Subject's rights against either party under Article 82 of the GDPR or analogous provisions of other Data Protection Laws.
14. Term and Termination
This DPA takes effect on the date the Controller accepts the Terms of Service and continues for as long as the Processor Processes Personal Data on behalf of the Controller. Provisions that by their nature should survive termination, including those relating to security, confidentiality, audit, deletion, and liability, will continue to apply.
15. Governing Law
This DPA is governed by the laws of the Republic of Singapore, except to the extent that mandatory provisions of an applicable Data Protection Law require a different governing law. Disputes arising out of or in connection with this DPA are subject to the dispute resolution provisions in the Terms of Service.
16. Order of Precedence
If there is any conflict between this DPA, any Standard Contractual Clauses incorporated by reference, the Terms of Service, and any order form, the order of precedence is: (1) the Standard Contractual Clauses, (2) this DPA, (3) any order form, (4) the Terms of Service.
Annex A — Description of Processing
Subject matter and duration
The Processor processes Personal Data for the purpose of operating the Service for the Controller. Processing lasts for the term of the Terms of Service, plus any period required by law or for legitimate accounting or audit purposes.
Nature and purpose of Processing
Receipt of API requests, authentication and authorisation of users, forwarding of prompts to the Model Provider selected by the Controller, return of model output, logging of metadata for billing and abuse prevention, and (where the Controller has enabled it) storage of prompt and completion bodies for the period the Controller has configured.
Categories of Data Subjects
- users and administrators of the Controller's account;
- end users of any product or service the Controller builds on top of the Service; and
- any other natural person whose Personal Data the Controller chooses to include in a prompt.
Categories of Personal Data
- identifiers and account data (name, email address, organisation, authentication tokens);
- billing data (payment instrument metadata, billing address, tax identifiers);
- technical and usage data (IP address, user-agent, request and response metadata, model and provider used, token counts, latency, cost);
- content the Controller submits (prompt and completion bodies, and any Personal Data the Controller chooses to embed in them); and
- support data (records of correspondence with the Processor and information shared in support tickets).
Special categories of data
The Service is not designed to receive special categories of data within the meaning of Article 9 of the GDPR. The Controller should not submit such data unless it has implemented additional safeguards appropriate to the risk.
Annex B — Technical and Organisational Measures
The Processor implements measures including, but not limited to, the following:
- Encryption. TLS 1.2 or higher for data in transit; encryption at rest for production data stores using industry-standard algorithms.
- Access control. Role-based access to production systems, single sign-on with multi-factor authentication for staff, least-privilege principles, and periodic review of access rights.
- Network security. Segmented production networks, firewalls and security groups limiting ingress and egress, and isolation of customer data.
- Application security. Secure development lifecycle, peer code review, dependency scanning, and pre-release testing.
- Logging and monitoring. Centralised logging, monitoring of security events, alerting on anomalous behaviour, and retention of audit trails for a reasonable period.
- Backups and resilience. Periodic backups of essential systems, separation of backup storage, and a documented incident response plan.
- Personnel. Background checks where permitted by law, written confidentiality undertakings, and security awareness training.
- Vendor management. Due diligence on Sub-processors and contractual data protection commitments.
- Data subject rights. Tooling to support export and deletion of Personal Data on request.
Annex C — Sub-processors
A current list of Sub-processors used to provide the Service is available on request to inferoute@glodrapay.com. Each Model Provider selected by the Controller through the dashboard is also a Sub-processor with respect to the prompts and outputs routed to it.
Contact
Questions or notices under this DPA should be sent to:
YOUTH FIRST SHOW PTE LTD
112 Robinson Road, #03-01, Robinson 112
Singapore 068902
Email: inferoute@glodrapay.com