Data Processing Addendum
(EU/EEA & UK)
This Data Processing Addendum (“DPA”) forms part of the agreement between A2 Labs Inc. (d/b/a Makora Inc.) (“Processor,” “we,” “us”) and the customer identified in the underlying order or terms of service (“Customer,” “Controller,” “you”) (together, the “Addendum”) under which we provide an inference platform hosting and serving open-source models (the “Service”).
This DPA reflects the parties’ agreement on the processing of Personal Data in accordance with Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, the Swiss FADP, and other applicable Data Protection Laws.
Effective date: June 11, 2026
This DPA is incorporated into and forms part of the Terms of Service; acceptance of the Terms of Service constitutes acceptance of this DPA, and no separate signature is required.
1. Definitions
Capitalized terms not defined here have the meaning given in the GDPR or the Agreement.
“Data Protection Laws” means all laws applicable to the processing of Personal Data under the Agreement, including the GDPR, the UK GDPR, and the Swiss FADP.
“Controller,” “Processor,” “Data Subject,” “Personal Data,” “Processing,” “Personal Data Breach,” and “Special Categories of Personal Data” have the meanings given in the GDPR.
“Customer Personal Data” means Personal Data contained in the Inputs and Outputs and any other Personal Data we process on Customer’s behalf under the Agreement.
“SCCs” means the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914.
“UK Addendum” means the International Data Transfer Addendum issued by the UK ICO under s.119A Data Protection Act 2018.
“Sub-processor” means any third party engaged by us to process Customer Personal Data.
2. Roles and Scope
2.1 With respect to Customer Personal Data, the parties agree that Customer is the Controller (or a Processor acting on behalf of a third-party controller) and we are the Processor (or Sub-processor).
2.2 We will process Customer Personal Data only as a Processor, in accordance with Customer’s documented instructions, including as set out in this DPA and the Agreement, and as necessary to provide the Service.
2.3 This DPA applies only to the extent we process Customer Personal Data subject to Data Protection Laws. Details of the processing are set out in Annex I.
Where Customer is itself a processor for an upstream controller, Customer warrants that it has authority to engage us as a sub-processor and to issue the instructions in this DPA.
3. Customer Instructions
3.1 We will process Customer Personal Data only on documented instructions from Customer, including with regard to international transfers, unless required to do otherwise by EU/Member-State law to which we are subject; in such a case, we will inform Customer of that legal requirement before processing, unless prohibited by law.
3.2 The Agreement, this DPA, Customer’s configuration of the Service (including tier selection), and Customer’s use of the Service constitute Customer’s complete and final documented instructions.
3.3 We will inform Customer if, in our opinion, an instruction infringes Data Protection Laws. For clarity, this obligation does not require us to provide legal advice and is limited to notifying Customer where an instruction is manifestly unlawful.
4. Data Retention, Deletion, and Zero Data Retention (ZDR)
4.1 Tier-based processing. The retention applied to Customer Personal Data contained in Inputs and Outputs depends on Customer’s subscription tier:
| Tier | Input/Output Retention | Used for Model Training | Default Retention Window |
|---|---|---|---|
| Starter | Retained | No | 30 days |
| Developer | Retained | No | 30 days |
| Developer Pro | Zero Data Retention | No | Not durably retained (transient processing; on-host cache evicted on a rolling, space-available basis — see §4.2) |
| Pay-as-you-go | Zero Data Retention | No | Not durably retained (transient processing; on-host cache evicted on a rolling, space-available basis — see §4.2) |
4.2 ZDR commitment. For Developer Pro and Pay-as-you-go, we process Inputs and Outputs transiently — solely to generate and return a response — and do not write them to our durable application storage (such as databases, long-term object storage, or backups). To improve performance, an inference cache (for example, a prefix/context cache) may hold such content, or values derived from it, in volatile memory or, in some configurations, on local solid-state (SSD) storage attached to the inference host; any such on-disk cache content is encrypted at rest through full-disk encryption and is not part of our durable retained-content stores or backups. Cached content is evicted on a rolling, space-available basis; we do not currently commit to deletion within a fixed time window, and cached content may remain on the inference host until evicted to make room for new data. ZDR content is never used to train, fine-tune, or improve any model.
4.3 No training on any tier. We do not use Customer Personal Data from any tier to train, fine-tune, or improve models.
4.4 Operational metadata. For all tiers, including ZDR tiers, we retain limited operational metadata (timestamps, token counts, model/endpoint, latency, status, request and account identifiers) that does not include the substance of Inputs/Outputs, for billing, security, and legal-compliance purposes for 12 months.
4.5 Deletion on termination. Upon termination or expiry of the Agreement, we will delete or return all Customer Personal Data (other than ZDR content, which is not stored) within 30 days, and delete existing copies unless EU/Member-State law requires storage. Backup copies are deleted on our rolling backup cycle of no more than 30 days.
5. Confidentiality
We ensure that persons authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and are trained on their data-protection responsibilities, and that access is limited to personnel who need it to provide the Service.
6. Security Measures
6.1 We implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as further described in Annex II, including encryption in transit and at rest, access controls, network security, logging and monitoring, and regular testing of measures.
6.2 We will not materially decrease the overall security of the Service during the term of the Agreement.
Makora maintains a SOC 2 Type II report. The measures in Annex II have been verified by the Company’s security team as reflecting its actual controls.
7. Sub-processing
7.1 Customer provides general authorization for us to engage Sub-processors to process Customer Personal Data, subject to this Section. A current list is available at https://makora.com/subprocessors and in Annex III.
7.2 We will impose on each Sub-processor data-protection obligations no less protective than those in this DPA, by way of a written contract, and remain liable for each Sub-processor’s performance.
7.3 We will give Customer at least 30 days’ prior notice of any intended addition or replacement of a Sub-processor (via email subscription or the subprocessor page). Customer may object on reasonable, documented data-protection grounds within that period. If the parties cannot resolve the objection, Customer may, as its sole remedy, terminate the affected portion of the Service.
8. Data Subject Rights
8.1 Taking into account the nature of the processing, we will assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights under Data Protection Laws.
8.2 If we receive a request from a Data Subject relating to Customer Personal Data, we will, where legally permitted, promptly forward it to Customer and will not respond directly except on Customer’s instruction. Customer, as Controller, is responsible for substantively responding to Data Subject requests concerning Inputs/Outputs.
9. Personal Data Breach
9.1 We will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.
9.2 The notification will describe, to the extent known, the nature of the breach, the categories and approximate number of Data Subjects and records concerned, likely consequences, and measures taken or proposed. We will provide reasonable assistance to Customer in meeting its breach-notification obligations to supervisory authorities and Data Subjects.
10. Data Protection Impact Assessments and Prior Consultation
We will provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with supervisory authorities that Customer reasonably considers required under Articles 35–36 GDPR, taking into account the nature of processing and information available to us.
11. International Transfers
11.1 Customer authorizes us to transfer Customer Personal Data outside the EEA, UK, and Switzerland as necessary to provide the Service, subject to appropriate safeguards.
11.2 SCCs. Where we process Customer Personal Data originating in the EEA in a country without an adequacy decision, the SCCs are incorporated by reference and apply as follows:
- Module Two (Controller-to-Processor) applies where Customer is a Controller;
- Module Three (Processor-to-Processor) applies where Customer is itself a Processor;
- Clause 7 (docking) applies;
- Clause 9: Option 2 (general written authorization), with the notice period in Section 7.3;
- Clause 11 optional redress: does not apply;
- Clause 17 governing law: the law of Ireland;
- Clause 18 forum: the courts of Ireland;
- Annexes I–III to the SCCs are populated by Annexes I–III of this DPA.
11.3 UK transfers. The UK Addendum is incorporated and applies to transfers subject to the UK GDPR, with the SCCs as the “Approved EU SCCs”; the information in Tables 1–3 is drawn from the Annexes, and Table 4 “ending this Addendum” is selected as “neither party.”
11.4 Swiss transfers. For transfers subject to the Swiss FADP, the SCCs apply with references to the GDPR interpreted as the FADP, the competent authority is the FDPIC, and references to EU Member-State courts include Switzerland.
The SCC governing law and forum are Ireland, and the module selections above apply, as confirmed by the parties.
12. Audits and Compliance
12.1 We will make available to Customer information reasonably necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by Customer or an auditor it mandates.
12.2 To minimize disruption, Customer agrees that this obligation is satisfied in the first instance by our provision of relevant third-party audit reports and certifications (e.g., SOC 2 Type II). On-site audits are limited to once per 12 months, require 30 days’ notice, occur during business hours, are subject to confidentiality, and exclude access to other customers’ data.
13. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits liability that cannot be limited under Data Protection Laws.
14. Term and Termination
This DPA takes effect on the Effective date and continues until we have ceased all processing of Customer Personal Data. Termination of the Agreement automatically terminates this DPA, subject to surviving obligations (including deletion under Section 4.5).
15. Order of Precedence
In case of conflict, the following order applies: (1) the SCCs/UK Addendum; (2) this DPA; (3) the Privacy Policy; (4) the remainder of the Agreement.
16. Governing Law
This DPA is governed by the law specified in the Agreement, except where Data Protection Laws or the SCCs require otherwise (see Section 11). Transfer mechanisms are governed by Irish law as stated in Section 11. The Agreement’s general governing law is the State of Delaware, USA.
Annex I — Description of Processing
A. List of Parties
Data Exporter (Controller): Customer, as identified in the Agreement. Contact: [Customer admin contact — completed by Customer at signing].
Data Importer (Processor): A2 Labs Inc. (d/b/a Makora Inc.), 11 E Loop Rd, Suite #381, New York, NY 10044. Contact: privacy@makora.com. Activities: providing a hosted open-source model inference platform.
B. Description of Transfer
Categories of Data Subjects: Customer’s end users, employees, and any individuals whose personal data Customer includes in Inputs.
Categories of Personal Data: Identifiers and any personal data Customer chooses to include in Inputs/Outputs; account and usage metadata. Customer controls and is responsible for minimizing what personal data is placed into Inputs.
Special Categories: None intended. Customer should not submit special-category data without appropriate safeguards; if it does, such data is processed only transiently and per the applicable tier, and the safeguards in Annex II apply.
Frequency: Continuous, for the duration of the Agreement.
Nature and Purpose: Hosting and serving model inference requests; account management; billing; security.
Retention: Per Section 4 (ZDR tiers: not stored; non-ZDR tiers: 30 days; metadata: 12 months).
Sub-processor processing: See Annex III; for ZDR tiers, only transient processing, no persistent storage.
C. Competent Supervisory Authority
The Irish Data Protection Commission (DPC), as lead authority, on the assumption Ireland is the SCC forum.
Annex II — Technical and Organizational Measures
These measures have been verified by the Company’s security team as reflecting its actual controls as of the Effective date.
Encryption: In transit, TLS 1.3 for external connections to public servers and WireGuard (via Tailscale) for internal traffic, supplemented within a single data centre by cloud-provider network isolation (e.g., virtual private cloud). At rest, AES-256 for any persisted data, including the automatic encryption provided by Azure Database for PostgreSQL flexible server. ZDR-tier content is not written to durable storage; transiently held on-host inference-cache content (including any spill to local SSD, which is encrypted at rest through full-disk encryption) is evicted on a rolling, space-available basis (see Section 4.2).
Access control: Role-based access, least privilege, SSO + MFA for internal systems, periodic access reviews. Direct access to production hardware and raw traffic (by developers who deploy and maintain inference software) is strictly PKI-based and restricted through a global ACL in the VPN provider (Tailscale) combined with OS-level controls limiting access to predefined users.
Network security: Firewalls/WAF, network segmentation, DDoS protection, secrets management.
Logging & monitoring: Centralized logging of access and admin actions; alerting on anomalies; metadata-only telemetry.
Tenant isolation: Logical separation of customer data and request routing.
Resilience: Backups (max 30-day rolling cycle), documented disaster-recovery, defined RPO/RTO.
Secure development: Code review, dependency scanning, vulnerability management, penetration testing annually.
Personnel: Confidentiality agreements, security training, background checks where permitted.
Incident response: Documented IR plan with controller-notification without undue delay after becoming aware of a Personal Data Breach.
Sub-processor management: Due diligence and contractual data-protection flow-down.
Deletion: Defined deletion workflows per Section 4.
Annex III — Authorized Sub-processors
All sub-processor rows reflect the infrastructure team’s confirmed answers (AWS and TensorWave for inference compute; Stripe for payments; Microsoft Azure for storage, CDN/WAF, logging, and transactional email; PostHog for analytics).
| Sub-processor | Purpose | Location | Notes |
|---|---|---|---|
| Amazon Web Services, Inc. (AWS) | Compute & inference infrastructure | United States | Transient processing for ZDR tiers; no durable storage of ZDR content |
| TensorWave, Inc. | GPU compute & inference infrastructure | United States | Transient processing for ZDR tiers; no durable storage of ZDR content |
| Stripe, Inc. | Payment processing | US / EU | Billing data only |
| Microsoft Azure (Azure Database for PostgreSQL — flexible server) | Storage of account & non-ZDR retained content | United States (East 2) | No ZDR content stored |
| Microsoft Azure (CDN / WAF / DDoS protection) | Edge delivery, WAF, DDoS protection | United States (East 2) | Transient only |
| Microsoft Azure (logging / metrics) | Logging & metrics (metadata only) | United States (East 2) | No Input/Output content |
| Microsoft Azure (transactional email) | Account & security notifications | United States | Account data only |
| PostHog, Inc. | Dashboard / website analytics | United States | No Input/Output content |


