NEWAnnouncing our $4M seedRead
Wafer logo

Data Processing Addendum

Last updated: May 12, 2026

Template for marketplace and aggregation partners that route end-user inference traffic to Wafer-designated API endpoints under a separate provider or partnership agreement (“Provider Agreement”). This addendum is incorporated into and governed by that Provider Agreement once executed or referenced there.

This Data Processing Addendum (“DPA”) is between Wafer, Inc. (“Wafer,” “Processor”) and the counterparty identified in the Provider Agreement (“Customer,” “Controller”). Capitalized terms not defined here have the meanings in the Provider Agreement. Wafer's general privacy practices for wafer.ai visitors and direct subscribers are described in our Privacy Policy; this DPA applies only to processing performed by Wafer as a processor on behalf of Customer under the Provider Agreement.

1. Definitions

  • “Covered Processing” means processing of Customer Personal Data described in Section 3 when Customer routes traffic to Wafer API endpoints expressly designated in the Provider Agreement or an order form as subject to this DPA (“Covered Endpoints”).
  • “Customer Personal Data” means personal data that Customer (or its end users) transmits to Wafer in connection with Covered Processing, including prompt and completion content and associated request metadata (such as timestamps, model identifiers, token counts, latency, HTTP status, and technical identifiers needed to operate and secure the service).
  • “Applicable Data Protection Law” means privacy and data protection laws that apply to Customer as controller of Customer Personal Data and that mandate processor obligations, including, where applicable, the GDPR and similar laws.

2. Roles

As between the parties, Customer is the controller of Customer Personal Data and Wafer is the processor. Wafer will process Customer Personal Data only on documented instructions from Customer (including as set forth in this DPA and the Provider Agreement) unless Applicable Data Protection Law requires otherwise, in which case Wafer will inform Customer of that requirement unless notice is prohibited by law.

3. Details of processing

  • Subject matter: Provision of hosted inference for large language and related models via Covered Endpoints.
  • Duration: For the term of the Provider Agreement and as described in Section 12.
  • Nature and purpose: Transmitting, executing, and returning inference requests and responses; metering usage; operating, securing, monitoring, and supporting the service; complying with law.
  • Categories of data: Prompt and completion content submitted by Customer or its end users; technical and operational metadata listed in Section 1.
  • Categories of data subjects: Individuals whose personal data appears in prompts or completions or in metadata (for example account or technical identifiers Customer chooses to send).

4. Processing obligations

Wafer will:

  • Ensure persons authorized to process Customer Personal Data are bound by confidentiality obligations.
  • Not sell Customer Personal Data or use it for targeted advertising.
  • Not train, fine-tune, or improve machine learning models using prompts or completions from Covered Processing, including internal draft models used for speculative decoding. This matches Wafer's Zero Data Retention posture for Wafer Pass Privacy and grandfathered ZDR accounts described in Section 6 of our Privacy Policy.
  • Upon Customer's reasonable written request, provide information reasonably necessary to demonstrate compliance with this DPA.

5. Zero data retention for Covered Processing

For Covered Processing, Wafer applies Zero Data Retention (“ZDR”) to prompt and completion content: such content is not written to durable storage after request processing completes. Wafer may retain operational metadata needed to operate, secure, meter, and bill the service and to detect abuse (for example token counts, timestamps, correlation or request identifiers, model name, latency, error codes, and similar non-content fields), consistent with Section 6 of the Privacy Policy.

6. Security measures

Wafer implements administrative, technical, and organizational measures appropriate to the risk, including those summarized in Annex B (Technical and Organizational Measures). Customer acknowledges that no method of transmission or storage is perfectly secure.

7. Location of processing

Covered Processing takes place only in the United States, including compute and storage used to execute inference for Covered Endpoints (even where a sub-processor listed in Annex A operates globally, Wafer configures Covered Processing to use U.S. regions only under this DPA). Customer instructs Wafer to process Customer Personal Data there. If Applicable Data Protection Law requires safeguards for transfers from other jurisdictions, the parties will execute appropriate standard contractual clauses or another lawful mechanism as specified in the Provider Agreement or a separate exhibit.

8. Sub-processors

Customer authorizes Wafer to engage sub-processors listed in Annex A. Wafer remains responsible for its sub-processors' performance of obligations comparable to Wafer's under this DPA. Wafer will inform Customer of intended additions or replacements at least 30 days before they take effect by updating Annex A on wafer.ai/dpa (or by written notice if the Provider Agreement says otherwise). Customer may object on reasonable data-protection grounds; if the parties do not agree on a workaround within 30 days, Customer may terminate only the portions of the Provider Agreement relating to the affected Covered Endpoints as its sole remedy.

9. Data subject requests

Because prompt and completion content from Covered Processing is not retained on durable media under Section 5, many access or erasure requests relating solely to that content may not be actionable after processing completes. Wafer will assist Customer, taking into account the nature of processing and Wafer's role, with reasonable requests where assistance is technically feasible and required by Applicable Data Protection Law.

10. Personal data breach

Wafer will notify Customer without undue delay, and in any event within 72 hours after Wafer becomes aware of a breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of Customer Personal Data in Wafer's custody (to the extent Wafer is legally permitted to notify). Wafer will provide information reasonably available to help Customer meet its obligations.

11. Audit and assurance

Wafer maintains internal security practices and may engage third-party assessments over time. Upon Customer's reasonable written request and subject to confidentiality and reasonable scheduling, Wafer may make available a summary of controls or completed questionnaires relevant to Covered Processing. Where a recognized third-party audit report (for example SOC 2) becomes available to Wafer for sharing under confidentiality terms, Wafer may provide it under the same conditions.

12. Return and deletion

Upon termination or expiry of the Provider Agreement (or earlier on Customer's written request), Wafer will delete or return Customer Personal Data in Wafer's possession as described in the Provider Agreement, except where retention is required by law or for legitimate operational metadata retained under Section 5.

13. Liability and precedence

Liability caps and exclusions are governed by the Provider Agreement. If there is a conflict between this DPA and the Provider Agreement concerning processing of Customer Personal Data under Covered Processing, this DPA controls. If there is a conflict between this DPA and Wafer's Terms of Service as they apply to Customer, this DPA controls for processor matters.

Annex A — Sub-processors (infrastructure)

Wafer uses the following categories of infrastructure providers in connection with Wafer inference services. For Covered Processing, Wafer uses these providers only in U.S. regions. Providers host or supply compute and networking under written agreements requiring confidentiality and appropriate security; bare-metal arrangements are structured so the hardware vendor does not access customer workload content as part of standard service.

  • TensorWave, Inc.
  • Vultr Holdings, LLC
  • Amazon Web Services, Inc. (and affiliates)
  • DigitalOcean, LLC
  • Nebius B.V. (and affiliates)

Customer acknowledges that Wafer may use additional ordinary business sub-processors that do not access Customer Personal Data from Covered Processing in a material way (for example corporate productivity or billing tools); Wafer will provide notice or updates as required by the Provider Agreement for those categories where relevant.

Annex B — Technical and organizational measures (summary)

  • Encryption of data in transit (TLS) between Customer and Wafer service endpoints.
  • Access controls limiting production access to authorized personnel on a need-to-know basis.
  • Logging and monitoring appropriate to detect security issues and abuse; for Covered Processing, prompt and completion bodies are not retained at rest under Section 5.
  • Vendor diligence and contractual security requirements for infrastructure sub-processors in Annex A.
  • Incident response procedures, including breach notification under Section 10.

Questions about this DPA: emilio@wafer.ai.