DATA PROCESSING ADDENDUM

Last updated April 09, 2026

This Data Processing Addendum ("DPA") supplements the APIANT Terms of Service (the "Agreement") between Apiant, Inc. ("APIANT," "we," "us," or "our") and the customer ("Customer," "you," or "your") and governs the processing of personal data by APIANT on behalf of Customer in connection with the Services, including data processed through Customer's MCP (Model Context Protocol) server infrastructure.

This DPA applies to the extent that APIANT processes personal data on behalf of Customer as a data processor (or service provider, as applicable under US state privacy laws). In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of personal data.


1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by APIANT on behalf of Customer through the Services.

"Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.

"Sub-processor" means any third party engaged by APIANT to process Personal Data on behalf of Customer.

"Data Protection Laws" means all applicable laws and regulations relating to data privacy and data protection, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), and any other applicable US state privacy laws.

"MCP Server Infrastructure" means the MCP-compatible server(s) that Customer deploys on Customer's dedicated APIANT infrastructure (including Customer's own domain name(s)), through which Customer's end users may interact with the Platform via third-party AI platforms.


2. Scope and Roles

2.1 With respect to Personal Data processed through the Services, Customer is the data controller (or business, as applicable) and APIANT is the data processor (or service provider, as applicable).

2.2 APIANT processes Personal Data solely on behalf of and in accordance with Customer's documented instructions. Customer's use of the Services, including configuration of automations and data processed through Customer's MCP Server Infrastructure, constitutes documented instructions for the purposes of this DPA.

2.3 APIANT shall not process Personal Data for any purpose other than providing the Services, unless required to do so by applicable law. In such case, APIANT shall inform Customer of that legal requirement before processing, unless the law prohibits such notification.


3. Categories of Data Processed

3.1 Platform Services

When Customer uses the Platform directly, APIANT may process the following categories of Personal Data as determined by Customer's configuration:

  • Contact information (names, email addresses, phone numbers)
  • Account credentials and authentication tokens
  • Business data transmitted between Third Party Applications
  • Any other data Customer chooses to process through the Platform

3.2 MCP Server Infrastructure

When data is processed through Customer's MCP Server Infrastructure, APIANT (as the underlying platform provider) may process:

  • Authentication credentials (such as OAuth 2.0 tokens) used to verify identity and authorize access to Customer's MCP server
  • Tool call parameters: the structured inputs transmitted by an AI Platform to Customer's MCP server to execute requested actions
  • Tool call responses: the results returned by Customer's MCP server to the AI Platform

APIANT does not receive or process the full text of end user conversations with AI platforms. Only the structured tool call data necessary to execute the requested action is processed on Customer's APIANT-powered server.


4. Data Retention and Deletion

4.1 APIANT retains Personal Data processed through the Services for the duration of the Agreement, unless Customer requests earlier deletion.

4.2 For data processed through MCP Server Infrastructure specifically:

  • Authentication tokens are held in memory for the duration of the session and are not persisted after disconnection.
  • Tool call logs (parameters and responses) may be retained for up to ninety (90) days for debugging and operational purposes, after which they are automatically purged.
  • No user profiles are built from MCP interaction data.

4.3 Within thirty (30) days following the expiration or termination of the Agreement, APIANT shall delete or return all Personal Data in its possession or control, except to the extent that retention is required by applicable law.

4.4 Customer may request deletion of Personal Data at any time by contacting privacy@apiant.com. APIANT shall comply with such requests within thirty (30) days, subject to any legal retention obligations.


5. No Training on Customer Data

APIANT does not use Personal Data, User Data, tool call parameters, tool call responses, or any other Customer data to train artificial intelligence models, machine learning models, or any form of automated decision-making system. This applies to all data processed through the Platform, MCP Server Infrastructure, and any other component of the Services.


6. Sub-processors

6.1 Customer authorizes APIANT to engage the following Sub-processors to assist in providing the Services:

Sub-processor | Purpose | Location
Amazon Web Services (AWS) | Cloud infrastructure and hosting | United States
Recurly | Billing and payment processing | United States
Google (Google Analytics) | Website analytics | United States
HubSpot | Customer relationship management and communications | United States
Smartlook | Session recording and UX analytics (website only, not Platform data) | EU (Czech Republic)
Splunk | Platform performance monitoring and logging | United States

6.2 APIANT shall notify Customer of any intended changes to Sub-processors by updating this DPA. Customer may object to a new Sub-processor by contacting legal@apiant.com within thirty (30) days of notification.

6.3 APIANT shall enter into written agreements with each Sub-processor imposing data protection obligations no less protective than those set forth in this DPA.


7. Security Measures

APIANT implements and maintains appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption in transit: All data transmitted to and from APIANT's servers, including MCP server communications, is encrypted using HTTPS/TLS.
  • Encryption at rest: Personal Data stored on APIANT's infrastructure is encrypted at rest using industry-standard encryption.
  • Access controls: Access to Personal Data is restricted to authorized personnel on a need-to-know basis.
  • Authentication: The Platform requires authenticated access. MCP Server Infrastructure requires OAuth 2.0 or equivalent authentication.
  • Monitoring: APIANT monitors its systems for security incidents and unauthorized access.
  • Incident response: APIANT maintains an incident response process and shall notify Customer without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach.
  • Infrastructure: The Platform is hosted on Amazon Web Services (AWS) infrastructure, which maintains SOC 2, ISO 27001, and other industry certifications.

8. Data Subject Rights

8.1 APIANT shall assist Customer in fulfilling data subject requests under applicable Data Protection Laws, including requests for access, rectification, erasure, restriction, portability, and objection to processing.

8.2 If APIANT receives a request directly from a data subject regarding Personal Data processed on behalf of Customer, APIANT shall promptly redirect the data subject to Customer and notify Customer of the request, unless prohibited by law.

8.3 APIANT shall provide reasonable cooperation and assistance to Customer in responding to data subject requests, taking into account the nature of the Processing.


9. International Data Transfers

9.1 APIANT's primary infrastructure is located in the United States. By using the Services, Customer authorizes the transfer of Personal Data to the United States.

9.2 To the extent that any transfer of Personal Data from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States constitutes a restricted transfer under applicable Data Protection Laws, such transfer shall be subject to the Standard Contractual Clauses (SCCs) adopted by the European Commission (Module Two: Controller to Processor), which are hereby incorporated by reference.

9.3 Customer may request a copy of the applicable transfer mechanism by contacting legal@apiant.com.


10. CCPA and US State Privacy Law Compliance

10.1 To the extent APIANT processes Personal Data subject to the CCPA or other US state privacy laws, APIANT acts as a "service provider" (as defined under the CCPA) or equivalent role under applicable state law.

10.2 APIANT shall not sell or share (as defined under the CCPA) Personal Data received from Customer.

10.3 APIANT shall not retain, use, or disclose Personal Data for any purpose other than providing the Services, including any commercial purpose other than providing the Services.

10.4 APIANT shall not combine Personal Data received from Customer with personal information received from other sources, except as permitted by applicable law to provide the Services.

10.5 APIANT certifies that it understands and will comply with the restrictions set forth in this Section 10.


11. Audits

11.1 APIANT shall make available to Customer, upon reasonable request and no more than once per twelve (12) month period, information necessary to demonstrate compliance with this DPA.

11.2 Customer may conduct an audit of APIANT's data processing activities, or appoint a qualified third-party auditor to do so, upon thirty (30) days' written notice. Such audits shall be conducted during normal business hours and shall not unreasonably disrupt APIANT's operations. Customer shall bear the costs of any such audit.


12. Term and Termination

This DPA shall remain in effect for the duration of the Agreement. The obligations of APIANT under this DPA with respect to Personal Data in its possession or control shall survive termination of the Agreement until all Personal Data has been deleted or returned in accordance with Section 4.


13. Contact

For questions or requests related to this DPA, please contact:

Apiant, Inc.
196 W Ashland St, Doylestown
Doylestown, PA 18901
United States

Email: privacy@apiant.com
Legal: legal@apiant.com

© 2026, Apiant, Inc.
All Rights Reserved.