
Data Processing Addendum

This DPA governs Outlay's processing of personal data on your behalf.

Template / draft. This is a starting point published for your review — it is not legal advice and is not yet a counsel-reviewed, executable contract. For a signed DPA (or to redline this one), email [email protected].

1. Roles & definitions

"Customer" is the controller of the personal data; "Outlay" (the provider of the Outlay service, the "Service") acts as processor on Customer's documented instructions. "Personal data," "processing," "controller," "processor," and "data subject" have the meanings given under applicable data-protection law (incl. the GDPR/UK GDPR and CCPA where relevant). This DPA forms part of the agreement between the parties for use of the Service.

2. Scope & nature of processing

The Service routes Claude API requests to cost-efficient models. In the default self-hosted / thin-client deployment, prompt content, model outputs, and Customer's API keys are not transmitted to or processed by Outlay — they pass from Customer's infrastructure directly to Anthropic using Customer's key, and any task classification runs locally on Customer's own infrastructure (no Outlay system inspects prompt content). (In the optional hosted-gateway deployment, Customer's request content and API key are processed in memory solely to route the request — read by Outlay's classifier to select a model — and are not persisted; Outlay acts as processor for that processing and does not store prompt content or model outputs.) In both deployments, Outlay additionally processes only:

Duration of processing is the term of the agreement; the subject matter is provision of the Service; categories of data subjects are Customer's authorized users.

3. Customer instructions

Outlay processes personal data only on Customer's documented instructions (including via the Service's configuration), unless required by law, in which case Outlay will inform Customer where legally permitted.

4. Confidentiality

Outlay ensures persons authorized to process the personal data are bound by appropriate confidentiality obligations.

5. Security

Outlay implements appropriate technical and organizational measures, including TLS in transit, encryption at rest, hashed credentials, scoped/revocable API keys, least-privilege access, and (in the default self-hosted deployment) an architecture in which prompt content never reaches Outlay. Current measures are described at /security.

6. Subprocessors

Customer authorizes Outlay to engage the subprocessors listed at /legal/subprocessors. Outlay imposes data-protection obligations on subprocessors no less protective than this DPA, remains responsible for their performance, and will give Customer notice of intended changes with a reasonable opportunity to object.

7. Data subject rights

Taking into account the nature of the processing, Outlay assists Customer with appropriate technical and organizational measures, insofar as possible, to respond to data-subject requests (access, rectification, erasure, portability, objection).

8. Personal data breach

Outlay notifies Customer without undue delay after becoming aware of a personal data breach affecting Customer's personal data, with information reasonably available to assist Customer's own obligations.

9. Deletion & return

On termination, and at Customer's choice, Outlay deletes or returns the personal data it processes on Customer's behalf, except where retention is required by law. Customer may also export data and request deletion during the term.

10. International transfers

Where processing involves transfers of personal data subject to GDPR/UK GDPR to a country without an adequacy decision, the parties agree the applicable Standard Contractual Clauses (and UK Addendum, where relevant) are incorporated by reference and completed with the details in this DPA and the subprocessors page.

11. Audit & information

Outlay makes available information reasonably necessary to demonstrate compliance with this DPA and, on reasonable request and subject to confidentiality, supports audits consistent with applicable law.

12. General

If there is a conflict between this DPA and the agreement on data-protection matters, this DPA prevails. Liability is subject to the limitations in the agreement.

To execute or redline this DPA, contact [email protected].