Data Processing Agreement Overview
This overview explains how OneAI treats customer API data. A formal DPA can be attached to enterprise contracts.
Processor role
For customer API traffic, OneAI acts as infrastructure that routes, records, and governs requests according to customer configuration.
Customer data
Customer inputs, outputs, request metadata, usage, errors, API key ownership, and Agent OS execution records may be processed to deliver the service.
Provider routing
When customers select an upstream provider, that provider may process request data according to its own terms and data handling policies.
Security controls
Provider keys remain server-side, customer API keys are stored hashed, and production requests can be traced by requestId, API key, model, usage, and cost.
Subprocessors
Upstream model providers, database, hosting, payment, email/auth, and monitoring vendors may act as subprocessors depending on customer configuration and deployment.
International transfer
Customer data may be routed through infrastructure regions and upstream providers selected for the service. Enterprise contracts may define region and provider restrictions.
Deletion and export
Enterprise customers may request data export or deletion workflows. Self-serve controls can be expanded as part of enterprise onboarding.
What may be processed
User email, organization membership, role, login provider, and account state.
API key prefix/hash metadata, scopes, allowed IPs, budgets, status, and last-used timestamps.
Input/output payloads where logging is enabled, task type, model, provider, usage, latency, errors, and requestId.
Agent plans, handoff contracts, approvals, proof artifacts, execution result metadata, and proof review state.
Plan, status, billing identifiers, invoice/payment references, usage totals, and commercial policy overrides.