Data Processing Agreement

Between you (the Controller) and InterIP Networks BV (“Tokonomix”, the Processor). Effective 2026-06-01. Supersedes any prior DPA for the Tokonomix API service.

1. Definitions

Controller
— the entity that has agreed to the Tokonomix Terms of Service and is using the Tokonomix API.
Processor
InterIP Networks BV, a Dutch private limited company operating the Tokonomix API service.
Personal Data
— any information relating to an identified or identifiable natural person within the meaning of GDPR Art. 4(1).
Processing
— any operation performed on Personal Data, as defined in GDPR Art. 4(2).
GDPR
— Regulation (EU) 2016/679 of the European Parliament and of the Council.
Sub-processor
— any third party engaged by the Processor to carry out processing activities on behalf of the Controller.
Supervisory Authority
— the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

2. Subject-matter and Duration

This DPA governs the processing of Personal Data by the Processor on behalf of the Controller in connection with the Controller’s use of the Tokonomix API (“Service”). This DPA comes into force on acceptance of the Terms of Service and remains in force for the duration of the service agreement. Upon termination, clauses relating to deletion (Section 11) and audit (Section 12) survive for the statutory retention period.

3. Nature and Purpose of Processing

The Processor processes Personal Data on behalf of the Controller for the following purposes:

  • Routing API requests containing end-user prompts to AI model providers (Anthropic, OpenAI, Google)
  • Aggregating and returning model responses to the Controller
  • Generating usage records and invoices for the Controller
  • Operating rate-limiting, abuse-prevention, and security measures
  • Retaining verbose request logs (7-day hot retention, GDPR Art. 5(1)(e))

The Processor does not use end-user prompts for training its own models or for any purpose beyond fulfilling the Controller’s API request.

4. Categories of Data

The Controller may submit Personal Data in the following categories through the API:

  • Account data: email address, display name, account tier (Controller’s own data)
  • End-user prompts: free-text content which may include names, contact details, health information, or other personal data if submitted by the Controller’s end users — the Controller bears responsibility for minimising PII in prompts
  • Usage metadata: API key prefix, timestamps, token counts, model selection, latency — no personal identifiers beyond account ID
  • Payment data: processed directly by Mollie B.V. under their own DPA; Tokonomix does not see raw card numbers

Special categories of data (GDPR Art. 9) should not be submitted via the API. The Controller acknowledges this obligation and must implement technical measures to prevent inadvertent submission.

5. Obligations of the Processor

The Processor undertakes to:

  1. Process Personal Data only on documented instructions from the Controller (i.e. the API request itself), unless required by Union or Member State law.
  2. Ensure that persons authorised to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. Implement the technical and organisational measures set out in Section 8 of this DPA.
  4. Not engage sub-processors without prior specific or general written authorisation of the Controller, subject to Section 6.
  5. Take all measures required pursuant to GDPR Art. 32 (security of processing).
  6. Assist the Controller in ensuring compliance with Articles 32–36 GDPR.
  7. At the choice of the Controller, delete or return all Personal Data after the end of service provision, and delete existing copies unless Union or Member State law requires storage.
  8. Make available all information necessary to demonstrate compliance with GDPR Art. 28 and allow for audits.
  9. Inform the Controller immediately if an instruction would infringe GDPR.

6. Sub-processors

The Controller hereby grants general authorisation to engage sub-processors as listed on the Tokonomix Sub-processor List. The Processor will give the Controller at least 30 days’ prior written notice of any intended changes to the sub-processor list (additions or replacements). The Controller may object within 30 days; failure to object constitutes acceptance.

The Processor imposes the same data protection obligations on sub-processors as those in this DPA by way of a written contract (GDPR Art. 28(4)).

7. Cross-border Transfers

When the Processor routes prompts to AI model providers (Anthropic Inc., OpenAI OpCo LLC, Google LLC) located in the United States, such transfers are subject to:

  • Module 2 (Controller → Processor) of the EU Standard Contractual Clauses (European Commission Decision 2021/914) governs the relationship between Controller and Tokonomix where the Controller is established in the EU/EEA and Tokonomix routes to US-based processors.
  • Module 3 (Processor → Sub-processor) SCCs govern Tokonomix’s onward transfer to US-based AI providers.
  • In both cases, supplementary measures include: Vault transit encryption in-flight, TLS 1.3 transport, and the right to retrieve and delete prompt content.

Controllers who require Zero Data Retention (ZDR) agreements with AI providers directly should contact us at mailbot@zelixai.ai. ZDR-mode is on the roadmap (Tokonomix API roadmap item T-ZDR).

8. Security Measures (Annex II)

The Processor maintains the following technical and organisational measures (GDPR Art. 32):

Encryption at rest
PostgreSQL 16 with OS-level AES-256 encryption. BYOK (Bring Your Own Key) provider keys encrypted via HashiCorp Vault transit encryption engine (cipher: AES-256-GCM).
Encryption in transit
All external API calls over TLS 1.2+ (enforced 1.3 for AI provider endpoints). Apache reverse proxy with HSTS and OCSP stapling.
Access control
Role-based access control (RBAC). Admin authentication requires TOTP 2FA. API keys use SHA-256 hashing with timing-safe comparison. Separate DB users with minimal grants per service layer.
Audit logging
Immutable audit log in api_audit_log table. All key-lifecycle and account-lifecycle events recorded with actor, action, timestamp, and metadata.
Data minimisation
Verbose request logs auto-purged after 7 days. Usage metadata (anonymised token counts) retained for 7 years for accounting obligations.
Incident management
Security incidents are assessed within 72 hours of discovery. Breach notification procedure detailed in Section 9.

9. Breach Notification

In the event of a personal data breach (GDPR Art. 4(12)), the Processor will:

  1. Notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach, to the email address on file for the Controller’s account.
  2. Provide, at minimum: nature of the breach, categories and approximate number of data subjects concerned, categories and approximate number of records concerned, likely consequences, and measures taken or proposed.
  3. Assist the Controller with their obligation to notify the supervisory authority (Autoriteit Persoonsgegevens) and affected data subjects.

Breach notifications go to: mailbot@zelixai.ai.

10. Data Subject Rights

The Processor will assist the Controller in fulfilling data subject requests (GDPR Arts. 15–22) insofar as the data is held by the Processor:

  • Right of access (Art. 15) / Data portability (Art. 20): Controllers can use POST /api/account/export to retrieve a JSON dump of all account data immediately.
  • Right to erasure (Art. 17): Controllers can use POST /api/account/delete to pseudonymise and delete PII. Accounting records (credit ledger) are retained for 7 years per Dutch accounting law (Boekhoudwet art. 52); the account identifier is anonymised.
  • Right to rectification (Art. 16): Contact mailbot@zelixai.ai — display name and email can be corrected via the dashboard.
  • Right to restriction (Art. 18): Contact mailbot@zelixai.ai — Processor will suspend processing within 48 hours.

11. Deletion and Return

Upon termination of the service agreement or at the Controller’s request, the Processor will pseudonymise the account record and delete PII (verbose logs, BYOK ciphertexts, API keys) within 30 days. Usage metadata and credit ledger entries are retained for 7 years per Dutch accounting law, with the account identifier anonymised (replaced with a non-reversible hash). The Controller may request a data export prior to deletion via POST /api/account/export.

12. Audit Rights

The Controller (or their designated auditor) has the right to carry out audits and inspections of the Processor’s processing activities, subject to reasonable advance notice (10 business days) and confidentiality obligations. The Processor will provide all information reasonably necessary to demonstrate compliance with GDPR Art. 28. Costs of audits beyond a standard annual review are borne by the Controller.

13. Liability

Liability under this DPA is subject to the liability limitations in the Tokonomix Terms of Service. Each party shall be liable for damage caused by processing that infringes the GDPR, in accordance with GDPR Art. 82. A party is exonerated if it proves it bears no responsibility for the event giving rise to the damage.

14. Governing Law and Jurisdiction

This DPA is governed by the laws of the Netherlands. The courts of Rotterdam (Rechtbank Rotterdam) shall have exclusive jurisdiction over disputes arising from this DPA, except where mandatory consumer protection law of the Controller’s jurisdiction applies.

15. Acceptance

By using the Tokonomix API, the Controller agrees to this DPA on behalf of themselves and, to the extent permitted by law, on behalf of their users. This DPA forms part of the Tokonomix Terms of Service.

Effective 2026-06-01. Questions: mailbot@zelixai.ai

EU Representative: gdpr-rep.eu (external DPaaS service — pending activation; required if InterIP Networks BV exceeds 30 EU staff or targets EU consumers at scale).