Data Processing Addendum
Last updated · 24 June 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between BMETAL, Inc. (“Processor”) and the customer (“Controller”) for the provision of the Services (the “Agreement”). It applies where BMETAL processes personal data on the Controller’s behalf and reflects the requirements of applicable data-protection laws, including the EU and UK GDPR and the CCPA/CPRA.
1. Definitions
Capitalized terms not defined here have the meaning given in the Agreement or in applicable data-protection law. “Data Protection Laws” means all laws applicable to the processing of personal data under the Agreement. “Controller,” “Processor,” “Data Subject,” “Personal Data,” “Processing,” and “Sub-processor” have the meanings given in the GDPR. “CCPA” means the California Consumer Privacy Act as amended by the CPRA. “Customer Personal Data” means personal data contained within Customer Content that BMETAL processes on the Controller’s behalf.
2. Roles and scope
The Controller is the controller (or business) and BMETAL is the processor (or service provider) with respect to Customer Personal Data. Each party will comply with its obligations under Data Protection Laws. The Controller is responsible for the lawfulness of the Customer Personal Data and of the instructions it gives. With respect to the CCPA, BMETAL is a “service provider,” and will not sell or share Customer Personal Data, retain, use, or disclose it for any purpose other than performing the Services, or combine it with personal information from other sources except as permitted by the CCPA.
3. Processing instructions
BMETAL will process Customer Personal Data only on documented instructions from the Controller, including as set out in the Agreement and this DPA, and as necessary to provide and secure the Services, unless required to act otherwise by applicable law (in which case BMETAL will inform the Controller unless legally prohibited). BMETAL will inform the Controller if, in its opinion, an instruction infringes Data Protection Laws.
4. Details of processing
| Item | Description |
|---|---|
| Subject matter | Provision of compute, inference, networking, and related Services. |
| Duration | For the term of the Agreement, plus any post-termination export period. |
| Nature and purpose | Hosting, storage, transmission, and processing of Customer Content to deliver the Services. |
| Types of personal data | Determined by the Controller; may include identifiers, content data, and usage data submitted to the Services. |
| Categories of data subjects | Determined by the Controller; may include the Controller’s personnel, customers, and end users. |
The Controller is responsible for ensuring the categories above are accurate for its use and for not submitting categories of data the Services are not designed to handle without appropriate configuration.
5. Confidentiality of personnel
BMETAL will ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and are trained on their data-protection responsibilities, and will limit access to those who need it to provide the Services.
6. Security measures
BMETAL will implement and maintain appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, taking into account the state of the art and the nature of the processing. These measures include, as appropriate: access controls and least-privilege administration; encryption of data in transit; network segmentation; logging and monitoring; resilience and backup practices; vulnerability management; and incident response procedures. BMETAL may update its measures provided the overall level of protection is not materially reduced.
7. Sub-processors
The Controller authorizes BMETAL to engage Sub-processors to support the provision of the Services. BMETAL will impose data-protection obligations on each Sub-processor that are substantially equivalent to those in this DPA and remains responsible for its Sub-processors’ performance. BMETAL will maintain a list of Sub-processors and will provide a mechanism to notify the Controller of intended changes, giving the Controller the opportunity to object on reasonable data-protection grounds.
8. Data-subject requests
Taking into account the nature of the processing, BMETAL will assist the Controller by appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects to exercise their rights. If BMETAL receives a request directly from a data subject, it will, where permitted, direct the data subject to the Controller and will not respond except on the Controller’s instructions or as required by law.
9. Personal data breach notification
BMETAL will notify the Controller without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably available to it to assist the Controller in meeting its own notification obligations. Notification will not be construed as an acknowledgement of fault or liability.
10. Assistance with DPIAs
BMETAL will provide reasonable assistance to the Controller with data-protection impact assessments and prior consultations with supervisory authorities, in each case to the extent required by Data Protection Laws and relating to BMETAL’s processing of Customer Personal Data.
11. International transfers
Where the provision of the Services involves the transfer of Customer Personal Data from the EEA, the UK, or Switzerland to a country without an adequacy decision, the parties agree that such transfers are subject to appropriate safeguards. The European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum, as applicable) are incorporated into this DPA by reference and completed with the details set out in the Agreement and this DPA, with BMETAL acting as “data importer.”
12. Return and deletion
Upon termination or expiry of the Agreement, BMETAL will, at the Controller’s choice, delete or return Customer Personal Data and delete existing copies, unless retention is required by law. BMETAL makes Customer Content available for export for a defined period following termination as set out in the Agreement.
13. Audits and information
BMETAL will make available to the Controller information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates. To minimize disruption, BMETAL may satisfy audit obligations by providing relevant third-party certifications or reports where available, with on-site audits limited to reasonable scope, frequency, and prior notice, and subject to confidentiality.
14. General
In the event of a conflict between this DPA and the Agreement regarding the processing of personal data, this DPA controls. Except as modified here, the Agreement remains in full force and effect. This DPA is governed by the law and jurisdiction specified in the Agreement, unless Data Protection Laws require otherwise.
15. Contact
Data-protection enquiries relating to this DPA can be directed to privacy@bmetal.ai.
Questions about this document? Contact legal@bmetal.ai.
BMETAL, Inc. · A Delaware corporation · San Francisco, California, USA.