Data Processing Addendum
Last updated: June 29, 2026
This is Tokmeter's standard DPA, available for review without execution. To countersign, download the PDF, sign, and email it to privacy@tokmeter.ai.
1. Roles and scope
Customer is the Controller and Tokmeter is the Processor of Personal Data processed to provide the Services described in the Order. For the limited purposes of CCPA/CPRA, Tokmeter acts as a Service Provider.
2. Subject matter, duration, nature and purpose
Subject matter: providing AI cost monitoring, budgeting, and gateway services. Duration: the term of the Order plus retention periods set out in the Privacy Policy. Nature: storage, processing, and transmission of Personal Data to provide the Services. Purpose: as instructed by Customer through use of the Services and the Documentation.
3. Categories of Data Subjects and Personal Data
Data Subjects: Customer's authorized users, billing contacts, and end users whose data Customer chooses to submit to the Services. Personal Data: account identifiers, work contact information, IP address (hashed), authentication metadata, and any content Customer submits.
4. Sub-processors
Tokmeter's current Sub-processors are listed at /legal/subprocessors. Customer authorizes Tokmeter to engage Sub-processors on the same data-protection terms. Tokmeter will provide 30 days' notice before engaging a new Sub-processor that materially changes data handling; Customer may object on reasonable data-protection grounds.
5. International transfers
Where applicable, transfers from the EEA, UK, or Switzerland are governed by the EU Standard Contractual Clauses (2021/914), Module 2 (Controller-to-Processor), and the UK International Data Transfer Addendum. The Annexes are deemed populated with the information set out in this DPA, the Order, and the Privacy Policy.
6. Security
Tokmeter implements the technical and organizational measures listed in Annex A: encryption in transit (TLS 1.2+) and at rest (AES-256 envelope), role-based access control, audit logging, least-privilege service credentials, dependency vulnerability scanning, and incident response procedures.
7. Personal Data Breach
Tokmeter will notify Customer without undue delay (and in any event within 72 hours of becoming aware) of a confirmed Personal Data Breach affecting Customer Data, with the information required under GDPR Article 33(3) to the extent then available.
8. Data Subject Requests
Tokmeter will (a) promptly forward Data Subject Requests received directly to Customer and (b) provide reasonable assistance for Customer to respond, including the self-service export tools at /privacy/requests.
9. Audits
Tokmeter will respond to reasonable, written security and compliance questionnaires no more than once per year (more frequently following a Personal Data Breach), and will make available current third-party audit reports under NDA when available.
10. Return and deletion
Within 30 days of termination Tokmeter will, at Customer's election, return or delete all Customer Personal Data, subject to applicable law and limited residual backups deleted on a rolling schedule not exceeding 90 days.
Annex A — Technical and organizational measures
- Network: TLS 1.2+, HSTS, strict CSP, edge DDoS protection.
- Application: parameterized queries, RLS on all tenant data, signed webhooks, secret rotation.
- Identity: SSO/SAML available on Enterprise; admin MFA; leaked-password check against HIBP (Have I Been Pwned).
- Operations: structured audit logs, alerting on auth/role changes, on-call rotation.
- Vendor management: written DPAs with every Sub-processor.
Need this as a signable PDF or want to negotiate specific terms? Email privacy@tokmeter.ai.