Skip to main content
TartarusAI
← back to home

// dpa

Data Processing
Addendum.

last updated · 2026-05-03

This addendum applies when you're a customer subject to GDPR, UK GDPR, or CCPA. It engages automatically with the Terms of Service; no separate signature required for Lite, Pro, or Pro+. Enterprise-tier customers get a counter-signed copy on request.

01 · Roles

You are the controller of personal data you submit to the service. TartarusAI is the processor. We process the categories of data described below for the sole purpose of delivering the service.

02 · Categories of data we process

  • Prompt content — what you type into the agent.
  • Response content — what the agent returns.
  • Account metadata — email, billing tier, sign-in IP.
  • Operational telemetry — error rate, latency, capacity (no prompt content).

We do not solicit special-category data. If you put protected health information, biometric identifiers, or similar sensitive data into a prompt, you're treating the agent the way you'd treat your IDE — at your discretion. Same as your terminal: don't paste anything you wouldn't paste into a competent contractor's session.

03 · Sub-processors

  • CryptoPay (self-hosted) — crypto invoice generation and confirmation. Receives invoice reference and email only.
  • Statuspage.io (Atlassian) — public uptime info only, no prompt or response content.

We give 30 days' notice via the dashboard before adding or replacing any sub-processor that handles prompt or response content. Enterprise customers can configure their account to refuse the new sub-processor; we'll work with you to find an alternative or refund the remaining term.

04 · Security measures

  • TLS 1.3 in transit for all data leaving your browser
  • Encryption at rest for any cached session data on our infra
  • Role-based access control with least-privilege on all internal tooling
  • NDA on file for every employee and contractor with infra access
  • Quarterly internal access review
  • SOC 2 Type 2 audit in progress; report available on request to Enterprise-tier customers when issued

05 · Breach notification

If we discover a confirmed breach affecting your data, we'll notify you within 72 hours via the email on file and on status.tartarusai.dev, with the categories affected, the timeline, and the remediation status.

06 · Data location and transfers

Inference is performed on infrastructure outside the major US hyperscaler stack. The specific region is documented in your dashboard and is fixed for the duration of your subscription unless we give you 30 days' notice.

For transfers from the EEA / UK / Switzerland, we rely on the European Commission's Standard Contractual Clauses (Module 2: controller-to-processor, 2021 version) and the UK Addendum, executed on request.

07 · Audit rights

Enterprise-tier customers can request the SOC 2 Type 2 report once issued. Other audits subject to reasonable notice, confidentiality, and a mutually agreed scope. We do not allow unsupervised on-site inspections of production infrastructure.

08 · Deletion

We delete your account data within 30 days of account closure (90 days max for billing reconciliation, then purged). Session content deletes per the policy in the privacy policy — 24h auto-purge of inactive sessions.

09 · Order of precedence

If anything in this DPA conflicts with the Terms of Service, this DPA controls for the categories of personal data covered here.

Contact

DPA / security questionnaires: [email protected]