Enterprise document

Data Processing Agreement Overview

This overview explains how OneAI treats customer API data. A formal DPA can be attached to enterprise contracts.

Processor role

For customer API traffic, OneAI acts as infrastructure that routes, records, and governs requests according to customer configuration.

Customer data

Customer inputs, outputs, request metadata, usage, errors, API key ownership, and Agent OS execution records may be processed to deliver the service.

Provider routing

When customers select an upstream provider, that provider may process request data according to its own terms and data handling policies.

Security controls

Provider keys remain server-side, customer API keys are stored hashed, and production requests can be traced by requestId, API key, model, usage, and cost.

Subprocessors

Upstream model providers, database, hosting, payment, email/auth, and monitoring vendors may act as subprocessors depending on customer configuration and deployment.

International transfer

Customer data may be routed through infrastructure regions and upstream providers selected for the service. Enterprise contracts may define region and provider restrictions.

Deletion and export

Enterprise customers may request data export or deletion workflows. Self-serve controls can be expanded as part of enterprise onboarding.

Data categories

What may be processed

Identity

User email, organization membership, role, login provider, and account state.

API metadata

API key prefix/hash metadata, scopes, allowed IPs, budgets, status, and last-used timestamps.

Request data

Input/output payloads where logging is enabled, task type, model, provider, usage, latency, errors, and requestId.

Agent OS records

Agent plans, handoff contracts, approvals, proof artifacts, execution result metadata, and proof review state.

Billing data

Plan, status, billing identifiers, invoice/payment references, usage totals, and commercial policy overrides.