Legal

Data Processing Agreement

Last updated: April 8, 2026 · Effective date: April 8, 2026

This Data Processing Agreement (“DPA”) is incorporated into and forms part of the Terms of Service between you (“Customer” or “Controller”) and Liya Engine, Inc. (“Processor”). It applies where Liya Engine processes personal data on your behalf in connection with the Service.

1. Scope and Relationship

For the purposes of applicable data protection laws (including GDPR, UK GDPR, and CCPA), the Customer acts as the Controller and Liya Engine acts as the Processor with respect to personal data that the Customer submits to the Service. Liya Engine processes personal data only to provide the Service and does not independently determine the purposes or means of processing such data.

2. Subject Matter and Purpose of Processing

Liya Engine processes personal data submitted by the Customer through the API and platform in order to:

Execute AI inference requests, retrieval, and orchestration workflows as instructed by the Customer.
Maintain audit logs, error logs, and usage metadata required to operate and support the Service.
Apply safety guardrails and compliance filters as configured by the Customer.

3. Nature and Duration of Processing

Processing occurs on an ongoing basis for the duration of the Customer’s subscription and for 90 days following termination (to allow data export and deletion). Processing activities include storage, retrieval, transformation, and transmission of data as required to deliver the Service.

4. Types of Personal Data and Categories of Data Subjects

The types of personal data processed depend on what the Customer submits to the API. Typical categories include:

End-user identifiers: User IDs, session tokens, anonymized or pseudonymized identifiers.
Contact information: Names, email addresses (for Customer account management).
Query content: Text or structured data submitted in API requests, which may contain personal data depending on the Customer’s use case.
Healthcare domain: Where the Customer has obtained a BAA, the API may process Protected Health Information (PHI). See Section 13 (HIPAA).

Categories of data subjects may include the Customer’s end users, employees, contractors, or third-party individuals whose data the Customer submits through the API.

5. Processor Obligations

5.1 Processing on Instructions

Liya Engine will process personal data only on documented instructions from the Customer (including as set forth in the Terms of Service and this DPA) unless required to do otherwise by applicable law, in which case Liya Engine will notify the Customer to the extent permitted.

5.2 Confidentiality

Liya Engine will ensure that personnel authorized to process personal data are subject to appropriate confidentiality obligations.

5.3 Security Measures

Liya Engine implements technical and organizational security measures appropriate to the risk, including:

Encryption of data at rest using AES-256.
Encryption of data in transit using TLS 1.2 or higher.
Access controls based on least privilege, with MFA required for internal administrative access.
Audit logging of access to personal data.
Regular security assessments and vulnerability scanning.

For a full description of our security posture, see our Security page.

5.4 No Training on Customer Data

Liya Engine does not use Customer data submitted through the API to train, fine-tune, or improve our models or any third-party models.

6. Sub-Processors

Liya Engine uses the following categories of sub-processors to provide the Service. We will notify Customers of material additions or changes to this list with at least 14 days’ notice. Customers may object to new sub-processors in writing within that period.

Category	Purpose	Location
Cloud infrastructure provider	Compute, storage, and network infrastructure for running the platform	United States (primary); EU available on request
Web hosting	Hosting of the marketing website and web dashboard	United States / Global CDN
Error and performance monitoring	Application error tracking and performance diagnostics	United States
Payment processor	Billing and subscription management	United States

Specific sub-processor names are available on request by contacting [email protected].

7. Data Subject Rights Assistance

Taking into account the nature of the processing, Liya Engine will assist the Customer by appropriate technical and organizational measures, insofar as possible, in responding to data subject rights requests (access, rectification, erasure, portability, objection). Customers should direct end users’ rights requests to Liya Engine at [email protected].

8. Security Incident Notification

Liya Engine will notify the Customer without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach affecting Customer data. Notification will be provided to the email address associated with your account and will include:

A description of the nature of the breach, including categories and approximate number of data subjects and records affected.
The name and contact details of the data protection point of contact.
A description of the likely consequences.
The measures taken or proposed to address the breach.

9. Deletion and Return of Data

Upon termination of the Service, at the Customer’s request, Liya Engine will provide an export of Customer data in a standard format within 30 days. Following confirmation of a successful export (or expiry of the 90-day retention window), Liya Engine will securely delete Customer personal data from its systems, except where retention is required by applicable law.

10. Audit Rights

Liya Engine will make available to the Customer all information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor appointed by the Customer, subject to reasonable advance notice (at least 30 days) and confidentiality obligations. Audit costs are borne by the Customer. Liya Engine may satisfy audit obligations through provision of third-party audit reports (e.g., SOC 2 Type II, when available).

11. International Data Transfers

Where Liya Engine transfers personal data from the EEA, UK, or Switzerland to countries that have not received an adequacy decision, such transfers are covered by the EU Standard Contractual Clauses (SCCs) as adopted by the European Commission. A copy of the applicable SCCs is available upon request to [email protected].

12. Compliance Assistance

Liya Engine will provide reasonable assistance to the Customer in ensuring compliance with applicable data protection obligations, including with respect to data protection impact assessments, prior consultation with supervisory authorities, and security measures.

HIPAA Notice: A Business Associate Agreement (BAA) is available for customers who need to process Protected Health Information (PHI) through the Liya Engine platform. The BAA must be fully executed before any PHI is submitted to the Service. To request a BAA, contact [email protected].

13. HIPAA

For Customers subject to the Health Insurance Portability and Accountability Act (HIPAA) who process Protected Health Information (PHI) through the Service, Liya Engine is prepared to serve as a Business Associate as defined under 45 C.F.R. § 160.103. A signed BAA is required prior to processing any PHI. The BAA sets out additional obligations and restrictions applicable to the handling of PHI.

To obtain a BAA, contact [email protected].

14. Contact

For questions about this DPA or to exercise rights thereunder, contact:

Liya Engine, Inc.
Email: [email protected]