PARSERELAY ← parserelay.app

ParseRelay — Data Processing Addendum

Operator / Processor: ParseRelay (parserelay.app) (“ParseRelay,” “we,” “us”). Contact: legal@parserelay.app Effective date: June 15, 2026 Last updated: June 15, 2026

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between ParseRelay and the customer that accepts it (“Customer,” “you”). It applies where ParseRelay processes personal data on the Customer’s behalf in providing the Service, and it gives effect to Article 28 of the EU/UK General Data Protection Regulation (“GDPR”) and equivalent requirements. It should be read together with the Privacy Policy. Where this DPA conflicts with the Terms of Service on the processing of personal data, this DPA governs.

1. Definitions

1.1. Terms such as controller, processor, personal data, processing, data subject, sub-processor, personal data breach, and supervisory authority have the meanings given in the GDPR. Applicable Data Protection Law means the GDPR, the UK GDPR, the Swiss FADP, Canada’s PIPEDA, and any other data-protection law applicable to the processing.

1.2. Customer Personal Data means personal data contained in the documents and related Submitted Content that the Customer submits to the Service, and which ParseRelay processes on the Customer’s behalf.

2. Roles and scope

2.1. For Customer Personal Data, the Customer is the controller (or itself a processor acting for a third-party controller) and ParseRelay is the processor. ParseRelay processes Customer Personal Data only to provide the Service and only on the Customer’s documented instructions, including as set out in Annex A.

2.2. For account data and operational metadata that ParseRelay determines the purposes and means of (billing, metering, abuse prevention, security, and legal compliance), ParseRelay acts as an independent controller, as described in the Privacy Policy. That processing is outside the scope of this DPA’s processor obligations.

2.3. The Customer is responsible for the lawfulness of the Customer Personal Data it submits and of the instructions it gives, including having a lawful basis and providing any required notices to and consents from data subjects.

3. Processing instructions

3.1. ParseRelay will process Customer Personal Data only on the Customer’s documented instructions, including with regard to international transfers, unless required to do otherwise by law — in which case ParseRelay will, where legally permitted, inform the Customer first.

3.2. The Customer’s instructions are this DPA, the Terms of Service, the Privacy Policy, and the Customer’s use of the Service’s features and configuration (including engine, model selection, schema, and bring-your-own-key choices). ParseRelay will inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.

4. Confidentiality

4.1. ParseRelay will ensure that persons authorized to process Customer Personal Data are bound by an appropriate duty of confidentiality and process the data only as instructed.

5. Security

5.1. ParseRelay will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as required by GDPR Article 32. The current measures are summarized in Annex C.

6. Sub-processors

6.1. The Customer provides a general authorization for ParseRelay to engage sub-processors to provide the Service. The current sub-processors are listed in Annex B (and in Section 5 of the Privacy Policy).

6.2. ParseRelay will impose on each sub-processor data-protection obligations substantially equivalent to those in this DPA, to the extent applicable to the services the sub-processor provides, and remains responsible to the Customer for its sub-processors’ performance of those obligations.

6.3. ParseRelay will give the Customer reasonable prior notice of the addition or replacement of a sub-processor (for example, by updating the list and, where the Customer has subscribed to notifications, by email). The Customer may object on reasonable data-protection grounds within 30 days; the parties will work in good faith to resolve the objection, and if they cannot, the Customer may terminate the affected part of the Service.

6.4. Where the Customer supplies its own model key (bring-your-own-key), the chosen model provider acts under the Customer’s own account and terms; that provider is the Customer’s sub-processor or independent controller, not ParseRelay’s, as described in the Privacy Policy.

7. Assistance with data-subject rights

7.1. Taking into account the nature of the processing, ParseRelay will assist the Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects exercising their rights. Because ParseRelay deletes scan content within a short period (see the Privacy Policy) and holds it only transiently, ParseRelay will refer to the Customer any request it receives directly that relates to Customer Personal Data.

8. Assistance with security, breach, and impact assessments

8.1. Taking into account the nature of processing and the information available to it, ParseRelay will assist the Customer in ensuring compliance with its obligations under GDPR Articles 32 to 36, including security, breach notification, data protection impact assessments, and prior consultation with a supervisory authority.

9. Personal data breach

9.1. ParseRelay will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably available to it to help the Customer meet its own notification obligations (which under the GDPR may include notifying the supervisory authority within 72 hours and, where required, the affected data subjects).

10. International transfers

10.1. The Customer authorizes ParseRelay and its sub-processors to transfer Customer Personal Data internationally as needed to provide the Service. Where such transfers are subject to Applicable Data Protection Law, they are made under a valid transfer mechanism — for example, the EU Standard Contractual Clauses (and the UK Addendum / Swiss adaptations as applicable) incorporated into the relevant sub-processor’s terms, or an adequacy decision or framework where available. Section 8 of the Privacy Policy describes where the model sub-processors are located, including providers outside the EEA and the United States.

11. Deletion or return

11.1. On termination of the Service, or earlier on the Customer’s request, ParseRelay will delete Customer Personal Data in its systems in the ordinary course and within the retention periods described in the Privacy Policy, except to the extent retention is required by law. Given the short retention of scan content, the Service does not maintain a long-term store of Customer Personal Data to return.

12. Audits and information

12.1. ParseRelay will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates. To limit operational disruption and protect the confidentiality and security of other customers, audits will be conducted on reasonable prior notice, no more than once per year (absent a specific regulatory requirement or a known incident), during business hours, subject to confidentiality, and may be satisfied first by ParseRelay providing relevant documentation or third-party reports where available.

13. General

13.1. This DPA is effective for as long as ParseRelay processes Customer Personal Data on the Customer’s behalf. If any provision is found invalid, the remainder stays in effect. The Terms of Service govern liability, and nothing in this DPA expands the aggregate liability caps set out there, except as required by Applicable Data Protection Law.

13.2. A Customer that requires a counter-signed copy of this DPA, or modifications to meet a specific regulatory requirement, may contact legal@parserelay.app.

Annex A — Details of the processing

Annex B — Sub-processors

The current sub-processors are those listed in Section 5 of the Privacy Policy: Mistral AI, z.ai (Zhipu AI), OpenAI, and Anthropic (model extraction); Cloudflare (runtime / hosting and routing); Supabase (authentication and account/metadata storage); and Polar (merchant of record / payments). Each provider’s terms are linked there.

Annex C — Technical and organizational measures

Current measures include, as described in the Privacy Policy:

Measures evolve as the Service matures; ParseRelay may update them provided the level of protection is not materially reduced.