Data processing addendum
This Data Processing Addendum (“DPA”) supplements the wylon Terms of Service and describes the technical and organizational measures wylon applies when processing personal data on your behalf. It is designed to satisfy GDPR Art. 28, UK-GDPR, and China PIPL cross-border-transfer requirements.
Last updated: 2026-04-22.
1. Definitions
- Customer — the organization that has entered into the Terms with wylon (acting as data controller).
- wylon — the data processor acting on Customer’s documented instructions.
- Customer Data — inputs (prompts, files, embeddings) and outputs transmitted through the Service.
- Personal Data has the meaning given under applicable data-protection law.
- Sub-processor — a third party engaged by wylon to process Customer Data.
2. Scope & roles
Customer is the controller of Personal Data contained in Customer Data; wylon is the processor. Each party will comply with its respective obligations under applicable data-protection law. wylon processes Customer Data only to provide the Service and in accordance with Customer’s documented instructions (including these Terms and dashboard configuration).
3. Details of processing
| Item | Description |
|---|---|
| Subject matter | Provision of AI inference (real-time and batch) and related APIs. |
| Duration | Term of the Terms plus any retention period described in the Privacy Policy. |
| Nature & purpose | Processing Customer inputs to produce model outputs, billing, security, and support. |
| Data subjects | Customer end-users, employees, or any individuals referenced in inputs. |
| Categories | Determined by Customer. May include contact data, content submitted to the API, business communications. |
4. Customer Data
Customer retains all rights to Customer Data. wylon does not use Customer Data to train its foundation models. Customer is solely responsible for ensuring it has a lawful basis to submit Personal Data and for redacting sensitive categories that are not needed for the prompt.
5. Sub-processors
Customer authorizes wylon to engage sub-processors listed in the Privacy Policy. wylon imposes data-protection obligations on each sub-processor that are no less protective than this DPA and remains liable for their acts and omissions. wylon notifies Customer at least 30 days before adding or replacing a sub-processor; Customer may object for documented data-protection reasons.
6. Security measures
- Encryption: TLS 1.2+ in transit, AES-256 at rest.
- Access control: role-based, SSO + MFA, least-privilege, quarterly access reviews.
- Isolation: per-tenant logical isolation; batch jobs run on a separate execution queue.
- Logging: immutable audit logs of administrative actions, retained for 365 days.
- Operations: change management, secure SDLC, vulnerability scanning, annual pentests, bug bounty.
- Resilience: daily backups, documented disaster-recovery plan with RPO 24h / RTO 4h.
7. Data residency
Customer Data is processed and stored within mainland China availability zones by default and is not transferred abroad. Where a Customer has a cross-border transfer requirement, wylon will, in line with the PRC Personal Information Protection Law and applicable regulatory requirements, execute a separate standard contract or evaluate an alternative compliance mechanism with the Customer before any such transfer.
8. Personal-data breach
wylon notifies Customer without undue delay (and in any event within 72 hours of confirmation) of any personal-data breach affecting Customer Data, providing the nature of the breach, categories of data, approximate number of data subjects, likely consequences, and measures taken. Customer is responsible for notifying regulators and data subjects where legally required.
9. Assistance to Customer
wylon assists Customer, taking into account the nature of processing, with:
- Responding to data-subject rights requests (access, deletion, portability, objection).
- Conducting Data Protection Impact Assessments.
- Consultations with supervisory authorities, where reasonably required.
10. Audits
wylon makes available its latest SOC 2 Type II report, ISO 27001 certificate, and summary pentest results on request under NDA. Customer may request an on-site audit once per year at its own cost, with 30 days’ notice, limited to information necessary to demonstrate compliance.
11. Return & deletion
On termination of the Service, Customer may export its data from the dashboard for up to 30 days. After that period, wylon deletes or irreversibly anonymizes Customer Data within 90 days, except where retention is required by law (e.g., tax, billing records).
12. Liability
Each party’s liability under this DPA is subject to the limitations set out in the Terms. Nothing in this DPA limits rights or remedies that cannot be limited under applicable data-protection law.
13. Governing law & miscellaneous
This DPA is governed by the law that governs the Terms. If any provision conflicts with mandatory law in the data subject’s jurisdiction, that mandatory law prevails to the extent of the conflict. In the event of conflict between this DPA and the Terms, this DPA controls with respect to Personal Data processing.
14. Contact
To execute a countersigned copy of this DPA, request a sub-processor list, or report a data-protection concern, email dpo@wylon.cn.