Data Processing Addendum
Last updated: 2026-05-23
This Data Processing Addendum (“DPA”) forms part of the agreement between ANUBRIS (Pvt) Ltd. (“Processor”, “we”), operator of AllRoutes.ai, and the customer entity identified on the applicable order form (“Controller”, “Customer”) for the provision of the AllRoutes.ai unified AI gateway (the “Service”). It reflects the parties’ agreement on the processing of Customer Personal Data in compliance with the EU General Data Protection Regulation 2016/679 (“GDPR”) and equivalent laws.
1. Definitions
Capitalised terms not defined here have the meaning given in the GDPR. “Customer Personal Data” means personal data that Processor processes on behalf of Controller through the Service. “Sub-processor” means any third party engaged by Processor to process Customer Personal Data.
2. Subject matter
The subject matter of the processing is the operation of the Service, including routing API requests to upstream AI providers, recording request metadata for billing and observability, and surfacing usage analytics to the Controller.
3. Duration
This DPA takes effect on the date the Controller accepts the order form and remains in force for as long as Processor processes Customer Personal Data under the agreement, plus any post-termination retention period required by law.
4. Nature and purpose
Processing is performed for the sole purpose of providing, securing, billing, and improving the Service in accordance with the Controller’s documented instructions, which include the agreement and the configuration the Controller sets in the dashboard.
5. Categories of data subjects and personal data
Data subjects: the Controller’s personnel, agents, and end users who interact with the Service. Categories of personal data: identification data (name, email, authentication identifiers), commercial data (workspace, role, billing identifiers), and technical metadata (timestamps, IP address, request token counts, latency, HTTP status). Processor does not store the bodies of AI prompts or responses transmitted through the gateway.
6. Sub-processors
The Controller authorises Processor to engage Sub-processors to provide the Service, including hosting, payment processing, transactional email, and customer support tooling. Processor maintains a current list of Sub-processors and will give the Controller at least 30 days’ prior notice of any new Sub-processor, during which the Controller may object on reasonable data-protection grounds.
7. Security measures
Processor implements appropriate technical and organisational measures to protect Customer Personal Data, including AES-256-GCM encryption at rest for sensitive credentials, TLS 1.2+ in transit, bcrypt (cost factor 12) password hashing, SHA-256 token hashing, HMAC-signed webhooks, role-based access controls, least-privilege employee access, mandatory MFA on production systems, and quarterly review of access and audit logs.
8. Data subject rights
Processor will, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures so the Controller can fulfil its obligation to respond to data subject requests under Articles 15–22 GDPR. Self-service export and deletion are available from the dashboard for most request types.
9. Notification of personal data breaches
Processor will notify the Controller without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting Customer Personal Data, providing sufficient information to enable the Controller to meet its own notification obligations.
10. Audit rights
Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA. The Controller may, on reasonable prior notice and no more than once per year (or more often where required by a supervisory authority or following a material incident), audit Processor’s relevant systems and procedures, at the Controller’s expense and subject to confidentiality.
11. International transfers
Where Customer Personal Data originating in the European Economic Area, the United Kingdom, or Switzerland is transferred to a country not subject to an adequacy decision, the parties incorporate by reference the EU Standard Contractual Clauses (Module 2: Controller-to-Processor) and the UK International Data Transfer Addendum as applicable. Processing primarily takes place in the European Union (Hetzner Cloud) and at Processor’s offices in Lahore, Pakistan.
12. Termination
On termination of the agreement, Processor will, at the Controller’s election, delete or return all Customer Personal Data within 30 days, except to the extent retention is required by applicable law (e.g. tax records). Aggregated and anonymised data that does not identify the Controller or any data subject may be retained.
By signing the order form, the Customer enters this DPA. Questions can be directed to [email protected]. See also the Privacy Policy.