Last updated: April 2026
Parties
This Data Processing Agreement ("DPA") is entered into between:
- Controller ("Customer"): The entity that has agreed to the Seracade Terms of Service and directs the processing of Personal Data through the Service.
- Processor ("Seracade"): The operator of the Seracade service, acting on behalf of the Controller to process Personal Data as described in this DPA.
This DPA supplements and forms part of the Seracade Terms of Service.
Definitions
- Personal Data: Any information relating to an identified or identifiable natural person that is processed by Seracade on behalf of the Controller through the Service.
- Processing: Any operation performed on Personal Data, including collection, recording, storage, retrieval, use, transmission, and erasure.
- Sub-processor: A third party engaged by Seracade to process Personal Data on behalf of the Controller.
- Data Subject: An identified or identifiable natural person whose Personal Data is processed under this DPA.
- Service: The Seracade LLM cost optimization proxy, audit, and reporting functionality provided to the Controller.
Scope of Processing
Seracade processes the following categories of data on behalf of the Controller:
- API request and response bodies: Forwarded through the proxy and logged to Cloudflare KV for audit purposes. These may contain Personal Data depending on the Controller's use case.
- API key hashes: SHA-256 hashes of the Controller's API keys, used solely for customer identification and log grouping. Raw API keys are never persisted.
- Email addresses: Provided by the Controller for audit report delivery.
Processing is performed for the following purposes:
- LLM cost audit and spend analysis
- Model quality comparison via replay
- Routing optimization recommendations
Duration of processing: the active service period plus 90 days for log expiration.
Processor Obligations
Seracade shall:
- Process Personal Data only on documented instructions from the Controller, unless required by applicable law.
- Ensure that all personnel authorized to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures as described in the Security Overview.
- Not engage any Sub-processor without prior written consent of the Controller. Current Sub-processors are listed in Section 5.
- Assist the Controller in responding to Data Subject rights requests, including access, rectification, erasure, and portability.
- Assist the Controller in ensuring compliance with obligations related to security, breach notification, and data protection impact assessments.
- At the Controller's choice, delete or return all Personal Data upon termination of the Service, and delete existing copies unless storage is required by applicable law.
- Make available all information necessary to demonstrate compliance with this DPA and allow for audits by the Controller or an appointed auditor.
Sub-processors
The Controller authorizes the use of the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Infrastructure, Workers compute, KV storage | US / Global edge |
| Resend, Inc. | Transactional email delivery | US |
| OpenRouter | Model replay during audit (if applicable) | US |
Seracade will notify the Controller at least 30 days before adding or replacing a Sub-processor. The Controller may object to any new Sub-processor by providing written notice within that period.
Data Retention
- Request/response logs: 90 days. Logs auto-expire via Cloudflare KV TTL. No manual intervention required.
- Audit reports: 365 days from generation date.
- Account metadata (email, key hashes): Duration of active service.
All retention periods run automatically. The Controller may request early deletion at any time.
Data Subject Rights
The Controller is responsible for responding to Data Subject requests (access, rectification, erasure, restriction, portability, and objection).
Seracade will assist the Controller in fulfilling these requests. The Controller or any Data Subject may request deletion of Personal Data at any time by contacting support@seracade.com.
Seracade will respond to deletion requests within 5 business days.
Security Measures
Seracade implements the following technical and organizational measures to protect Personal Data:
- Encryption in transit: All data is transmitted over TLS 1.3 via Cloudflare's edge network.
- Encryption at rest: Cloudflare KV encrypts stored data at rest.
- No raw API key persistence: Only SHA-256 hashes are stored. Raw keys are forwarded over TLS and immediately discarded.
- Zero-install architecture: No code runs on the Controller's infrastructure. No supply chain attack surface.
- Edge compute isolation: Each request executes in an isolated Cloudflare Workers environment.
Full details are available at seracade.com/security.
Breach Notification
Seracade will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data breach.
Notification will include:
- The nature of the breach, including categories and approximate number of Data Subjects affected.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach and mitigate its effects.
- The contact point for further information.
International Transfers
Seracade processes data on Cloudflare's global edge network, which may result in Personal Data being processed outside the Controller's jurisdiction.
- Cloudflare maintains its own DPA and Standard Contractual Clauses (SCCs) for international transfers.
- Resend processes data in the United States.
- OpenRouter processes data in the United States.
Where transfers are made to countries without an adequacy decision, Seracade relies on the Sub-processors' own transfer mechanisms (SCCs, DPAs, or equivalent safeguards).
Governing Law
This DPA shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict of laws provisions.
Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of the State of Delaware.