Last updated: January 1, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between RouterShift ("Processor" or "we") and the customer ("Controller" or "you"). This DPA governs the processing of Personal Data that you provide to us through your use of the RouterShift API gateway and related services (the "Services"). This DPA applies where and to the extent that RouterShift processes Personal Data on your behalf as a Processor, and where the GDPR, UK GDPR, CCPA, or other applicable data protection laws apply.
"Personal Data" means any information relating to an identified or identifiable natural person processed by RouterShift on your behalf in connection with the Services. "Processing" means any operation performed on Personal Data, whether or not by automated means. "Sub-processor" means any third party engaged by RouterShift to process Personal Data on your behalf. "Data Protection Laws" means all applicable privacy and data protection laws, including the GDPR, UK GDPR, CCPA, and their implementing regulations. Capitalized terms not defined in this DPA have the meanings given in the Terms of Service.
RouterShift processes Personal Data solely for the purpose of providing, maintaining, and improving the API gateway services. Processing activities include: (a) routing API requests to third-party AI model providers as directed by you; (b) logging API requests for debugging, billing, and abuse prevention; (c) generating usage analytics and billing records; (d) authenticating API keys and managing user accounts. The categories of Personal Data processed depend on your use of the Services and may include: API request payloads (which may contain personal data embedded in prompts), API key identifiers, email addresses (for account management), IP addresses (for rate limiting and security), and payment information (processed by our payment processor, not stored by us).
As the Controller, you are responsible for: (a) determining the purposes and means of processing Personal Data through the Services; (b) ensuring you have a lawful basis for processing any Personal Data you submit to the Services, including obtaining necessary consents; (c) providing appropriate notice to data subjects about your use of RouterShift as a processor; (d) not submitting special categories of personal data (as defined in GDPR Article 9) or data relating to criminal convictions unless explicitly agreed in writing; (e) complying with your own obligations under applicable Data Protection Laws, including data subject rights requests.
RouterShift shall: (a) process Personal Data only on your documented instructions, including those in this DPA and the Terms of Service; (b) ensure that persons authorized to process Personal Data are bound by confidentiality obligations; (c) implement and maintain appropriate technical and organizational measures as described in Section 6 of our Privacy Policy (Security Measures); (d) assist you in responding to data subject rights requests where possible, and forward any such requests we receive directly to you promptly; (e) assist you in complying with your obligations regarding data breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and information available to us; (f) delete or return all Personal Data to you upon termination of the Services, except where retention is required by applicable law; (g) make available to you all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by you or an independent auditor mandated by you (subject to reasonable notice, scope limitations, and confidentiality).
You authorize RouterShift to engage the following categories of sub-processors: (a) cloud infrastructure providers (for hosting and compute); (b) third-party AI model providers (to whom API requests are routed as part of the Services); (c) payment processors (for billing and payments); (d) email service providers (for transactional emails); (e) monitoring and analytics providers. A current list of sub-processors is available at routershift.com/subprocessors. RouterShift will inform you of any intended changes to sub-processors by updating this list. You may object to a new sub-processor within 14 days of notification by terminating the Services. RouterShift enters into written agreements with all sub-processors containing data protection obligations no less protective than those in this DPA. RouterShift remains liable for the acts and omissions of its sub-processors.
Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA), the United Kingdom, or your country of residence. Where such transfers occur, they are governed by: (a) Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision 2021/914/EU for transfers to third countries); (b) the UK International Data Transfer Addendum to the EU SCCs, where UK GDPR applies; and/or (c) other valid transfer mechanisms recognized under applicable Data Protection Laws. The SCCs are incorporated by reference into this DPA. For the purposes of the SCCs: Module Two (Controller to Processor) applies; the optional docking clause is included; the governing law is the law of Ireland; and disputes shall be resolved by the courts of Ireland.
RouterShift retains Personal Data as follows: (a) API request logs (including prompts and responses) for 90 days, after which they are aggregated or deleted; (b) billing and payment records for the period required by applicable tax and accounting regulations (typically 7 years); (c) account information for the duration of your account plus 30 days after account deletion, after which it is anonymized or deleted. Upon termination, RouterShift will delete all Personal Data within 30 days, except where retention is required by law. You may request earlier deletion of specific Personal Data by contacting privacy@routershift.com. Deletion does not apply to data that has been aggregated, anonymized, or is necessary for the establishment, exercise, or defense of legal claims.
RouterShift maintains a security incident response plan. In the event of a Personal Data Breach, RouterShift shall: (a) notify you without undue delay, and in any event within 72 hours of becoming aware of the breach; (b) provide you with a description of the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach; (c) cooperate with you in investigating and mitigating the breach; (d) assist you in notifying supervisory authorities and data subjects where required. Notification will be sent to the email address associated with your account. You are responsible for keeping this contact information current.
This DPA enters into effect on the date you accept the Terms of Service and continues until termination of your account or termination of the DPA in accordance with its terms. Either party may terminate this DPA with immediate effect if the other party commits a material breach that is not remedied within 30 days of written notice. Upon termination, RouterShift shall, at your choice, delete or return all Personal Data to you, and delete all existing copies unless retention is required by applicable law. The obligations in this DPA that by their nature should survive termination shall survive, including confidentiality, data security, and limitation of liability provisions.