Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the customer ("Controller") and Nextgen Computing GmbH ("Processor"). By using the AI Router Switzerland API, the Controller agrees to this DPA.
This DPA is intended to satisfy the requirements of Article 28 of the General Data Protection Regulation (GDPR), where applicable.
1. Parties
Processor:
Nextgen Computing GmbH
Schönaustrasse 61, 5430 Wettingen, Switzerland
Controller:
The customer using the API under the Terms of Service.
2. Subject Matter
Provision of AI API services for natural language processing and inference. Input data (e.g., prompts) submitted by the Controller may contain personal data.
3. Nature and Purpose of Processing
The Processor performs the following processing activities:
- Transient processing of input data for AI inference
- Generation of outputs and return to the Controller
The Processor:
- does not store input data or outputs beyond the duration of each request
- does not use data for training
- does not enrich, analyze, or profile data
The Processor does not determine the purposes or means of processing and acts solely on behalf of the Controller.
4. Duration
Processing occurs only for the duration of each API request. No personal data is retained after completion of the request.
This DPA remains in effect for the duration of the service relationship.
5. Categories of Data and Data Subjects
The Processor processes data submitted by the Controller, which may include personal data relating to:
- end-users
- customers
- other individuals, depending on the Controller's use case
The Controller is responsible for determining whether submitted data contains personal data.
6. Instructions and Obligations of the Processor
The Processor shall:
- process personal data only on documented instructions (i.e., API requests)
- ensure confidentiality of personnel with access to data
- implement appropriate technical and organizational measures (TOMs)
- not retain personal data beyond the request lifecycle
- not use data for any purpose other than providing the service
- notify the Controller without undue delay upon becoming aware of a personal data breach
- assist the Controller in fulfilling data subject rights, where reasonably possible given the transient nature of processing
7. Obligations of the Controller
The Controller is responsible for:
- ensuring lawful collection and processing of personal data
- providing required notices to data subjects
- responding to data subject rights requests
8. Sub-processors
The Controller provides general authorization for the Processor to engage sub-processors.
The Processor may use third-party infrastructure providers (e.g., hosting and compute providers) to operate the service.
- A current list of sub-processors is available upon request
- The Processor will inform the Controller of any intended changes (addition or replacement)
- The Controller may object to such changes on reasonable data protection grounds
The Processor ensures that sub-processors are bound by data protection obligations equivalent to this DPA.
9. Technical and Organizational Measures (TOMs)
The Processor implements appropriate security measures, including:
- encryption in transit (TLS)
- access controls and authentication
- network isolation (containerized workloads)
- no persistent storage of API input data
10. International Data Transfers
Where personal data is processed outside Switzerland or the European Economic Area, the Processor ensures appropriate safeguards, such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- safeguards recognized under Swiss data protection law
11. Data Subject Rights
Due to the transient nature of processing, the Processor does not retain personal data and cannot independently fulfill access, correction, or deletion requests.
The Controller remains responsible for handling such requests.
The Processor will provide reasonable assistance where possible.
12. Compliance and Audit
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA.
This obligation may be satisfied through documentation and written responses.
On-site audits are excluded unless required by applicable law.
13. Liability
Liability is governed by the Terms of Service.
14. Governing Law
This DPA is governed by Swiss law. Jurisdiction lies with the courts at the Processor's registered office in Switzerland.
Last updated: April 28, 2026