Data Processing Agreement

Pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR")

1. Scope and Purpose

This Data Processing Agreement ("DPA") forms part of and is supplementary to the service agreement between the data controller ("Controller") and TastyAPI ("Processor") for the provision of the TastyAPI food image analysis and nutritional data service (the "Services").

This DPA sets out the terms and conditions under which the Processor shall process Personal Data on behalf of the Controller in accordance with Article 28 GDPR.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
  • "Processing" means any operation performed on Personal Data, as defined in Article 4(2) GDPR.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
  • "Subprocessor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

3. Subject Matter and Details of Processing

Subject matter: The Processor provides an API service that analyzes food images and returns structured nutritional data.

Duration: Processing shall continue for the duration of the main service agreement, plus a maximum of 30 days for data deletion following termination.

Nature and purpose: The Processor receives image data via API requests, transmits it to an AI inference provider for analysis, and returns structured nutritional information. Processing is ephemeral — image data is held in memory only for the duration of the API request and is not persisted to any storage.

Types of Personal Data Processed

  • Food images submitted via the API (which may incidentally contain personal data such as faces, hands, or background elements)
  • API authentication tokens
  • Customer account identifiers
  • API usage metadata (request counts, timestamps)

Categories of Data Subjects

  • End users of the Controller's application who submit food images for analysis

4. Obligations of the Controller

The Controller shall:

  1. Ensure it has a lawful basis for processing Personal Data and for instructing the Processor to process Personal Data on its behalf;
  2. Provide documented instructions to the Processor regarding the processing of Personal Data;
  3. Inform the Processor without undue delay if it becomes aware of any errors or irregularities in the processing;
  4. Ensure that end users are informed, through a privacy notice or equivalent disclosure, that food images may be transmitted to third-party processors for analysis;
  5. Be solely responsible for assessing whether the Services are appropriate for the types of Personal Data it intends to process.

5. Obligations of the Processor

The Processor shall:

  1. Process Personal Data only on documented instructions from the Controller, unless required by EU or Member State law;
  2. Ensure that persons authorized to process Personal Data have committed themselves to confidentiality;
  3. Implement appropriate technical and organizational measures as required by Article 32 GDPR;
  4. Respect the conditions for engaging Subprocessors as set out in Section 7;
  5. Assist the Controller in fulfilling Data Subject rights requests under Chapter III GDPR;
  6. Assist the Controller in ensuring compliance with Articles 32 to 36 GDPR;
  7. At the choice of the Controller, delete or return all Personal Data after the end of the provision of Services;
  8. Make available all information necessary to demonstrate compliance with Article 28 GDPR and allow for audits.

6. Data Retention and Deletion

Image data: Food images submitted via the API are processed entirely in memory. Images are streamed to the inference provider, a response is generated, and the image data is immediately discarded. No image data is written to persistent storage at any point.

Inference provider retention: Our inference subprocessor (Cerebras) does not retain API inputs or outputs. Data is processed for immediate response generation and then discarded. Cerebras does not use any submitted data for model training.

Account metadata: Customer identifiers, API tokens, and usage counters are stored in Cloudflare KV for the duration of the service agreement.

Post-termination deletion: Upon termination of the service agreement, the Processor shall delete all account metadata within 30 days, unless longer retention is required by applicable law.

Erasure requests: The Processor shall fulfil Data Subject erasure requests under Article 17 GDPR within 30 days of receiving notice from the Controller.

No model training: The Processor does not use Personal Data from paying clients for training, fine-tuning, or improving any machine learning models, whether internally or through subprocessors.

7. Subprocessors

The Controller provides general written authorization for the Processor to engage the following Subprocessors:

Subprocessor | Role | Location | Data Processed
Cloudflare, Inc. | Edge compute, KV token storage, DDoS protection | Global (incl. EU nodes) | API tokens, customer IDs, usage counters
Cerebras Systems, Inc. | AI inference (image and text analysis) | United States | Food images (ephemeral, not retained)
Stripe, Inc. | Payment processing | United States | Payment and billing data

The Processor shall inform the Controller in writing of any intended addition or replacement of Subprocessors at least 30 days before the change, giving the Controller the opportunity to object per Article 28(2) GDPR.

If the Controller objects to a new Subprocessor on reasonable data protection grounds, the Parties shall negotiate in good faith. If no resolution is reached within 30 days, the Controller may terminate the affected Services without penalty.

8. Technical and Organizational Measures

Encryption

  • All data in transit is encrypted using TLS 1.2 or higher
  • API authentication tokens are stored securely in Cloudflare KV

Ephemeral Processing

  • Image data exists only in memory for the duration of the API request
  • No image data is written to disk, database, or any persistent storage
  • No server-side logging of image content or API response payloads

Access Control

  • API access requires authenticated tokens with enforced usage limits and expiration
  • Internal access to infrastructure is restricted by role-based access controls

Infrastructure Security

  • The service runs on Cloudflare Workers with DDoS protection, network isolation, and edge-level security
  • Subprocessor infrastructure (Cerebras) is SOC 2 audited

Availability and Resilience

  • Cloudflare Workers provides automatic failover and global redundancy
  • API tokens and account data are stored in globally replicated KV storage

9. Data Subject Rights

The Processor shall assist the Controller in fulfilling Data Subject rights requests under Articles 15-22 GDPR, including rights of access, rectification, erasure, restriction, portability, and objection.

If the Processor receives a request from a Data Subject directly, it shall promptly redirect the Data Subject to the Controller and notify the Controller without undue delay.

Given the ephemeral nature of image processing (no retention), Data Subject rights relating to image data are satisfied by design — there is no stored data to access, rectify, port, or erase.

10. Personal Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach. Such notification shall include:

  1. A description of the nature of the breach, including categories and approximate number of Data Subjects concerned;
  2. The name and contact details of the Processor's contact point;
  3. A description of the likely consequences of the breach;
  4. A description of the measures taken or proposed to address the breach.

11. International Data Transfers

The Processor processes data using subprocessors located in the United States. The Processor ensures appropriate safeguards for any transfer of Personal Data outside the EEA:

  • Standard Contractual Clauses (SCCs): The EU Commission's Standard Contractual Clauses (2021/914), Module Two (Controller to Processor), are incorporated by reference and apply to all transfers.
  • Supplementary technical measures: Fully ephemeral processing with no data stored at rest at any subprocessor; TLS 1.2+ encryption in transit; no logging of image content or response payloads.
  • Transfer Impact Assessment: The ephemeral, stateless nature of processing — where no user content survives the API request lifecycle — materially limits the risk of government access, as there is no data at rest for any authority to compel disclosure of.

12. Audit Rights

The Controller or its appointed auditor may conduct audits of the Processor's processing activities, subject to:

  1. Reasonable advance written notice of at least 30 days;
  2. The audit being conducted during normal business hours;
  3. The auditor being bound by appropriate confidentiality obligations;
  4. The audit not unreasonably disrupting the Processor's operations.

Where subprocessors hold relevant certifications (e.g., SOC 2, ISO 27001), the Processor may provide these reports to satisfy audit requests.

13. Liability

Each Party's liability under this DPA shall be subject to the limitations set out in the main service agreement, except where prohibited by applicable data protection law.

The Processor shall be liable for damage caused by processing only where it has not complied with GDPR obligations specifically directed to processors, or where it has acted outside of or contrary to lawful instructions of the Controller (Article 82 GDPR).

14. Term and Termination

This DPA shall remain in force for the duration of the main service agreement. Upon termination:

  1. The Processor shall cease all processing of Personal Data on behalf of the Controller;
  2. The Processor shall, at the Controller's choice, delete or return all Personal Data within 30 days;
  3. The Processor shall provide written confirmation of deletion upon request.

15. Governing Law

This DPA shall be governed by and construed in accordance with the laws applicable to the main service agreement. Any disputes shall be submitted to the competent courts as agreed in the main service agreement.

16. Contact

For questions regarding this DPA or to exercise any rights described herein, please contact us at support@tastyapi.com.