Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Controller") and GauriLabs FZ-LLC (the "Processor") when you process personal data of your users through GLAB AI. It supplements, and does not replace, the Terms of Service.

"Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Supervisory Authority" have the meanings set out in the EU General Data Protection Regulation (GDPR) 2016/679.

GauriLabs FZ-LLC commits to:

• Process personal data only on documented instructions from the Controller
• Ensure persons authorized to process the data are bound by confidentiality
• Implement appropriate technical and organizational security measures (Art. 32 GDPR)
• Not engage another processor without prior authorization from the Controller
• Assist the Controller in responding to data subject requests
• Notify the Controller of any personal data breach without undue delay (within 72 hours)
• Return or delete personal data upon termination of services

The Controller authorizes the following sub-processors. We will notify Controllers in writing of any intended changes 30 days in advance, giving the Controller the opportunity to object.

• MongoDB Atlas (AWS Mumbai, ap-south-1) — primary data storage
• Vercel (US/global edge) — application hosting
• Resend — transactional email
• Google Cloud / Vertex AI — when Gemini models are selected
• Groq — when Llama models are selected
• OpenAI, Anthropic, Mistral, xAI — when their models are selected
• NowPayments — cryptocurrency payment processing

Where personal data is transferred outside the EEA / UK / India, such transfers are made under appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission, or to jurisdictions with adequacy decisions.

The Controller has the right to audit the Processor's compliance with this DPA once per calendar year, with 30 days' written notice. Audits will be conducted in a manner that does not unreasonably disrupt the Processor's operations.

Each party's liability under this DPA is subject to the limitations in the Terms of Service. Notwithstanding, neither party limits liability for breaches of GDPR that result in fines or claims by data subjects to the extent caused by that party's own non-compliance.

This DPA remains in effect for the duration of the Terms of Service and for as long as the Processor processes personal data on behalf of the Controller. Upon termination, the Processor will, at the Controller's choice, return or delete all personal data within 30 days.

Enterprise customers requiring a signed DPA can request one by emailing ceo@gaurilabs.com with their entity legal name and registered address. We will return a counter-signed copy within 5 business days.