Data Processing Addendum

Last updated: June 19, 2026

Draft — pending final legal review. This page is a summary template provided for evaluation by enterprise security and procurement teams. It is not a binding agreement until executed by both parties. To request an executable DPA (with EU Standard Contractual Clauses), contact [email protected].

This Data Processing Addendum ("DPA") supplements the Terms of Service between Bare Metal AI, Inc. ("Processor") and the customer ("Controller") and applies where Bare Metal AI processes personal data on the Controller's behalf in connection with the hosted services.

1. Roles & Scope

The Controller determines the purposes and means of processing; Bare Metal AI acts as Processor. This DPA applies only to the hosted services (accounts, web app, remote relay, billing). Inference content is processed locally on the Controller's own hardware and is not transmitted to or processed by Bare Metal AI; when the software runs offline or in air-gapped mode, no personal data is processed by Bare Metal AI at all.

2. Nature & Purpose of Processing

Bare Metal AI processes personal data solely to authenticate users and daemons, route inference requests to the Controller's GPUs, operate and monitor the service, and bill paid plans. The categories of data and data subjects, and the purposes of processing, are described in our Privacy Policy.

3. Controller & Processor Obligations

Bare Metal AI processes personal data only on documented instructions from the Controller, including as set out in the Terms and this DPA.
Personnel authorized to process personal data are bound by confidentiality.
The Controller is responsible for the lawfulness of the data it provides and instructions it gives.

4. Security

Bare Metal AI maintains appropriate technical and organizational measures, including TLS (HTTPS/WSS) in transit, AES-256-GCM encryption of chat history on the Controller's device, hashed credentials and API keys, and access controls. A summary is in our Privacy Policy.

5. Sub-processors

The Controller authorizes Bare Metal AI to engage the sub-processors listed at baremetalrt.ai/subprocessors. Bare Metal AI imposes data-protection obligations on each sub-processor and remains responsible for their performance, and will give notice before adding a new sub-processor.

6. International Transfers

Where personal data of EEA, UK, or Swiss data subjects is transferred, the parties will rely on the applicable EU Standard Contractual Clauses (and the UK Addendum), incorporated by reference into the executed DPA.

7. Data Subject Requests

Taking into account the nature of the processing, Bare Metal AI will assist the Controller, by appropriate measures, in responding to requests from data subjects to exercise their rights, and will promptly forward any such request it receives directly.

8. Deletion & Return

On termination, Bare Metal AI will delete or return personal data processed on the Controller's behalf, except as required to be retained by law. Account holders may delete their account and associated data at any time; usage metadata is retained for up to 90 days.

9. Audit & Breach Notification

Bare Metal AI will make available information reasonably necessary to demonstrate compliance with this DPA and will notify the Controller without undue delay after becoming aware of a personal-data breach affecting the Controller's data.

Contact

Bare Metal AI, Inc. · [email protected]