Data Processing Addendum
Last updated June 2026
This Data Processing Addendum (“DPA”) is incorporated into and forms part of the agreement between the customer (“Customer”) and Recovea, Inc. (“Recovea”), whether the Terms of Service or a signed order form (the “Agreement”), and applies whenever Recovea processes personal data on Customer’s behalf. Where this DPA conflicts with the Agreement regarding the processing of personal data, this DPA controls. Because Recovea sits inline on production traffic, this DPA is core to the relationship, not an afterthought.
1. Roles & details of processing
Customer is the controller (or a processor acting for its own controllers); Recovea is a processor.
- Subject matter: operation of the Recovea gateway, savings ledger, dashboard, account, and billing functions.
- Duration: the term of the Agreement plus the deletion period below.
- Nature and purpose: signing Customer’s inference traffic to Customer’s own providers, applying cost-optimization levers, and recording content-free metering and savings entries per Customer’s configuration.
- Data subjects: Customer’s users, customers, and personnel, to the extent Customer’s traffic contains their data.
- Categories of data: whatever personal data Customer chooses to include in routed traffic, plus account and usage metadata.
Customer, not Recovea, determines what personal data its traffic contains.
2. Documented instructions
Recovea processes personal data only on Customer’s documented instructions and as required by law (in which case Recovea informs Customer unless legally prohibited). The Agreement, this DPA, and Customer’s configuration of the Service (routes enabled, levers on or off, logging mode including no-bodies-by-default and metadata-only, retention settings, and — once region pinning ships — region selection) constitute the complete documented instructions. Recovea will inform Customer if, in its opinion, an instruction infringes applicable data-protection law.
3. No training on customer data
Recovea does not train, and will not train, any model on Customer personal data or content. Prompts and completions are used only to serve Customer’s own traffic, compute Customer’s own ledger, and run Customer’s own quality gates. Statistics Recovea derives from operating the Service are content-free and aggregated as described in the Agreement and contain no personal data.
4. Customer responsibilities
- Customer warrants it has all rights, consents, and lawful bases required for the personal data it routes through the Service, and that its instructions are lawful.
- Customer will not route protected health information, cardholder data, or other specially regulated categories through the Service unless agreed with Recovea in writing.
- Customer is responsible for its configuration choices, including enabling body logging or including sensitive routes in eval mirroring.
5. Confidentiality & security
- All personnel with access are bound by confidentiality obligations.
- Encryption in transit; provider keys encrypted at rest (AES-256-GCM), rotatable and revocable by Customer at any time, with the plaintext key shown exactly once at mint. Planned: KMS envelope encryption with per-tenant encryption contexts.
- Tenant-scoped isolation on all data access. Planned (ships with the cache lever): salted per-tenant cache namespaces, so cross-tenant cache hits are structurally impossible.
- No prompt/completion bodies logged by default; metadata-only mode available; body logging only by explicit Customer opt-in.
- Scoped, least-privilege access; privileged key actions (mint, rotate, revoke) are audit-logged; ledger history is hash-chained with append-only enforcement. Planned: tenant-visible audit log views.
Current technical and organizational measures are described on the security & trust page. Recovea may update them over time provided the updates do not materially reduce the overall level of protection.
6. Subprocessors
Customer grants general written authorization for the subprocessors listed on the subprocessors page. Recovea will give at least 30 days’ notice before adding or replacing a subprocessor (via the page and email to subscribed customers). Customer may object on reasonable data-protection grounds within the notice period; the parties will work in good faith on a resolution (such as a configuration that avoids the new subprocessor), and if none is found Customer may terminate the affected portion of the Service and receive a pro-rata refund of prepaid fees for it. Recovea remains responsible for its subprocessors’ performance and imposes data-protection obligations on them no less protective than this DPA. Customer’s own LLM providers, engaged under Customer’s keys (BYOK), are Customer’s processors, not Recovea’s subprocessors.
7. Data-subject requests & assistance
If a data subject contacts Recovea directly about Customer’s data, Recovea will redirect them to Customer and not respond substantively except as legally required. Taking into account the nature of the processing (no-bodies-by-default makes most requests structurally small), Recovea will reasonably assist Customer with data-subject requests, data-protection impact assessments, and consultations with authorities. Recovea may charge reasonable fees for assistance that is manifestly excessive or repetitive.
8. Personal data breach
Recovea will notify Customer without undue delay after confirming a personal data breach affecting Customer’s data, with the information reasonably available at the time and supplemented as the investigation proceeds. Notification is not an acknowledgment of fault or liability.
9. Audits
Recovea will demonstrate compliance first through documentation: this DPA, the security pack, audit reports and certifications as they become available, and the per-tenant audit log. Where those are insufficient under applicable law, Customer may audit (directly or via an independent auditor under NDA, not a Recovea competitor) no more than once per 12 months, on at least 30 days’ written notice, during business hours, without access to other customers’ data or systems, and at Customer’s expense. Findings are confidential information.
10. Return & deletion
During the term, Customer can export its data at any time. On termination, Recovea makes data available for export for 30 days, then deletes the deletable categories within 90 days (backups purge on a rolling cycle not exceeding 90 days), and provides written confirmation on request, except where law requires retention. The deletable categories are account PII, opt-in request/completion bodies, the stored provider key, and most account usage metadata; at v1 this erasure is performed by early, partly manual operations rather than automated time-bound purge cycles. The content-free, hash-chained, append-only ledger and integrity chain are immutable by design and persist: they contain no prompt or completion content and no account PII in the chained rows; on deletion any customer identifier they reference is set to null (the rows remain in de-identified form). Recovea therefore does not promise blanket erasure of all data; it deletes the deletable categories and de-identifies the immutable ledger, which Recovea retains for integrity, financial-record, and legal-compliance purposes.
11. International transfers
Where Recovea processes personal data subject to GDPR or UK GDPR outside jurisdictions with adequacy, the EU Standard Contractual Clauses (Module 2, controller-to-processor) and the UK Addendum are incorporated by reference, with Customer as data exporter and Recovea as data importer. Today, storage and processing of customer personal data under the Service occur in the United States — specifically AWS us-east-1 (N. Virginia). Recovea, Inc. is a US (Delaware) corporation. For US customers, no cross-border transfer of personal data occurs; where a Customer is established in the EEA, UK, or Switzerland, the SCCs and UK Addendum above govern the transfer of that Customer’s personal data to the United States. Region pinning beyond the current single us-east-1 deployment and self-host/BYOC deployments that keep traffic and the ledger inside Customer’s own boundary are planned offerings.
12. Liability & term
Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the Agreement, which apply in aggregate across the Agreement and this DPA and not separately to each. This DPA lasts as long as Recovea processes personal data for Customer.
Contact
Security and privacy questions: security@recovea.ai. To execute a countersigned copy of this DPA (with the SCCs annexed) for your vendor file, email the same address.