Effective Date: January 1, 2026
This Data Processing Addendum ("DPA") supplements and forms part of the Terms of Service, Enterprise Agreement, or other written agreement (the "Agreement") between Cobble Network, Inc., doing business as Cobble ("Cobble," "Processor," "we," "our," or "us") and the customer identified in the applicable Order Form or Service Agreement ("Customer," "Controller," or "you").
This DPA applies whenever Cobble Processes Personal Data on behalf of Customer while providing the Services.
Capitalized terms not otherwise defined in this DPA have the meanings assigned to them in the Agreement. Cobble and Customer are each referred to individually as a "Party" and collectively as the "Parties."
By accepting the Agreement, creating an enterprise account, executing an Order Form, or using the Services, Customer agrees to this Data Processing Addendum.
1. Definitions
For purposes of this DPA:
- "Customer Data" means all data, including Personal Data, submitted to the Services by or on behalf of Customer, including Inputs and Outputs as defined in the Agreement.
- "Data Protection Laws" means all applicable U.S. federal and state privacy and data protection laws governing the Processing of Personal Data under this DPA, including, as applicable, the California Consumer Privacy Act as amended ("CCPA"), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, and the Texas Data Privacy and Security Act.
- "Data Subject" means an identified or identifiable natural person to whom Personal Data relates, including a "consumer" as defined under applicable Data Protection Laws.
- "Personal Data" means information within Customer Data that identifies, relates to, describes, or is reasonably capable of being associated with an identified or identifiable natural person, as defined under applicable Data Protection Laws.
- "Personal Data Breach" means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed by Cobble on behalf of Customer.
- "Process" / "Processing" means any operation performed on Personal Data, whether or not by automated means, including collection, use, storage, disclosure, transmission, and deletion.
- "Subprocessor" means a third party engaged by Cobble to Process Personal Data on behalf of Customer in connection with the Services.
2. Scope & Roles of the Parties
2.1 Roles
When providing the Services, Cobble acts as a Data Processor, Service Provider, contractor, or equivalent role under applicable Data Protection Laws, Processing Customer Data solely on Customer's documented instructions.
Customer is the Data Controller, Business, or equivalent legal role under applicable Data Protection Laws and determines:
- what Personal Data is submitted;
- why it is processed;
- how it is collected;
- who may access it; and
- how long it should be retained.
Nothing in this DPA transfers ownership or control of Customer Data to Cobble.
2.2 Customer Responsibilities
Customer represents and warrants that it has, and will maintain, all rights, consents, notices, and lawful bases required under applicable Data Protection Laws to submit Personal Data to the Services and to instruct Cobble to Process it as described in this DPA. Customer shall not submit categories of data prohibited or restricted by the Agreement (including biometric data, consumer health data, and protected health information) except as expressly permitted under a separately executed agreement.
3. Processing Instructions
3.1 Scope of Processing
Cobble will Process Customer Data only for the purposes of:
- providing the Services;
- authenticating users;
- routing inference requests;
- generating model outputs;
- maintaining platform security;
- preventing fraud and abuse;
- providing customer support;
- complying with applicable law; and
- any additional documented instructions provided by Customer through the Services.
Cobble will not Process Customer Data for unrelated purposes without Customer's authorization unless required by law.
3.2 Documented Instructions
The Agreement, this DPA, Customer account settings, API configuration, retention settings, and documented support requests collectively constitute Customer's processing instructions. Cobble will Process Customer Data only in accordance with those instructions unless legally required to do otherwise.
3.3 Unlawful Instructions
If Cobble believes an instruction violates applicable Data Protection Laws, Cobble will notify Customer and may suspend the relevant Processing until the instruction is modified or withdrawn.
4. Cobble's Privacy Commitments
Cobble is designed around a privacy-first architecture. Unless otherwise agreed in writing:
- Customer prompts remain Customer Data;
- AI outputs remain Customer Data;
- Cobble does not sell Customer Data or share it for cross-context behavioral advertising;
- Cobble does not use Customer Data to train or fine-tune foundation models;
- Cobble does not profile Customer Data for advertising purposes; and
- Cobble does not claim ownership of Customer Data.
Where temporary retention is necessary for debugging, abuse detection, billing verification, or security investigations, Customer Data will be retained only for the minimum period reasonably necessary to perform those functions.
5. Inference Data Handling
Unless Customer explicitly enables logging or retention features, inference requests are processed in memory and are not retained after completion, except for transient processing required to deliver the response and the limited operational retention described in the Agreement (queued and batch workloads, security logging, and abuse detection).
Cobble does not use Customer prompts, completions, embeddings, uploaded documents, or other Customer Data to train or fine-tune foundation models, and Customer Data remains isolated from all generalized model training pipelines unless Customer expressly opts in pursuant to the Agreement.
Customer maintains ownership and control of its Inputs and Outputs, subject only to applicable third-party model licenses.
Where Customer enables optional persistence features — such as conversation history, saved generations, datasets, fine-tuning uploads, or observability tools — retention of the associated Customer Data occurs at Customer's direction and remains subject to Customer's account settings and configuration.
6. Confidentiality
Cobble ensures that personnel with access to Customer Data are:
- bound by written confidentiality obligations;
- trained regarding security and privacy;
- granted access only on a least-privilege, need-to-know basis; and
- subject to appropriate internal security controls.
7. Security Measures
Cobble maintains reasonable administrative, technical, and physical safeguards designed to protect Customer Data against:
- unauthorized access;
- accidental disclosure;
- alteration;
- destruction;
- misuse; and
- unlawful processing.
Security measures may include:
- encryption of data in transit;
- encryption of data at rest where applicable;
- access logging;
- authentication and access controls;
- infrastructure monitoring;
- intrusion detection;
- vulnerability management;
- disaster recovery procedures; and
- regular security reviews.
Because security practices evolve continuously, Cobble may update these safeguards from time to time, provided that the overall level of protection is not materially reduced during the term of the Agreement.
8. Data Subject Requests
Taking into account the nature of the Processing, Cobble will provide reasonable assistance, including appropriate technical and organizational measures where feasible, to enable Customer to respond to Data Subject requests involving:
- access;
- correction;
- deletion;
- portability;
- restriction of processing;
- opt-out rights; or
- other rights granted under applicable Data Protection Laws.
If Cobble receives a request directly from a Data Subject relating to Customer Data, Cobble will, to the extent legally permitted, promptly forward the request to Customer and will not respond directly without Customer's authorization unless legally required to do so.
9. Security Incidents
If Cobble becomes aware of a Personal Data Breach affecting Customer Data, Cobble will notify Customer without undue delay after confirming the incident, and in any event within the time period required by applicable Data Protection Laws.
Such notice will include reasonably available information concerning:
- the nature of the incident;
- the categories of affected data;
- the known or suspected impact;
- mitigation measures already taken; and
- recommended actions where appropriate.
Cobble will take reasonable steps to contain, investigate, and remediate the Personal Data Breach and will provide Customer with reasonable cooperation. Cobble's notification of, or response to, a Personal Data Breach is not an acknowledgment of fault or liability.
10. Subprocessors
10.1 Authorization
Customer provides general authorization for Cobble to engage carefully selected Subprocessors that are reasonably necessary to provide the Services, including providers of:
- cloud infrastructure;
- inference and model hosting;
- payment processing;
- authentication;
- monitoring;
- customer support;
- communications;
- security services; and
- content delivery.
10.2 Subprocessor Obligations
Cobble will enter into written agreements with each Subprocessor imposing data protection obligations substantially similar to those in this DPA, and remains responsible for the performance of its Subprocessors to the extent required by applicable law and its contractual obligations.
10.3 Subprocessor List & Changes
Customer may access an up-to-date list of Subprocessors through Cobble's Trust Center or documentation. <!-- TODO: insert Trust Center / subprocessor list URL -->
Cobble will provide Customer with a mechanism to receive notice of new Subprocessors before their engagement. Customer may object to a new Subprocessor on reasonable data-protection grounds by notifying Cobble in writing within fifteen (15) days of notice. The Parties will work together in good faith to resolve the objection; if no resolution is reasonably available, Customer may terminate the affected Services and receive a pro-rata refund of any prepaid, unused fees for those Services.
11. CCPA & State Privacy Law Service Provider Terms
To the extent the CCPA or similar Data Protection Laws apply to Personal Data Processed under this DPA, Cobble certifies that it will:
- not sell Personal Data or share Personal Data for cross-context behavioral advertising;
- not retain, use, or disclose Personal Data for any purpose other than the business purposes specified in this DPA and the Agreement, or as otherwise permitted by applicable law;
- not retain, use, or disclose Personal Data outside of the direct business relationship between the Parties;
- not combine Personal Data received from Customer with personal information received from other sources, except as permitted by applicable Data Protection Laws;
- comply with applicable obligations under the Data Protection Laws and provide the same level of privacy protection as required of Customer; and
- notify Customer if it determines that it can no longer meet its obligations under applicable Data Protection Laws.
Customer may take reasonable and appropriate steps permitted under applicable Data Protection Laws to ensure that Cobble uses Personal Data consistently with Customer's obligations, and to stop and remediate unauthorized use of Personal Data.
12. Deidentified & Aggregated Data
Cobble may create aggregated or deidentified data derived from the operation of the Services (such as usage statistics, token counts, and performance metrics) that does not identify Customer or any Data Subject. Where Cobble processes deidentified data, Cobble will maintain and use it only in deidentified form and will not attempt to reidentify it, except as permitted by applicable Data Protection Laws to test the effectiveness of deidentification.
13. Government & Law Enforcement Requests
If Cobble receives a subpoena, warrant, or other governmental or law enforcement request seeking Customer Data, Cobble will, unless legally prohibited:
- promptly notify Customer of the request;
- redirect the requesting party to Customer where reasonable; and
- disclose only the minimum Customer Data necessary to comply with the request.
14. Data Location
The Services are offered solely within the United States, and Cobble Processes Customer Data within the United States and authorized U.S. territories, consistent with the geographic restrictions in the Agreement. Customer shall not submit Personal Data relating to individuals located in jurisdictions restricted under the Agreement, and this DPA does not incorporate international transfer mechanisms (such as standard contractual clauses) applicable to such jurisdictions.
15. Audits & Compliance Information
Upon Customer's written request, no more than once per twelve (12) month period (except following a Personal Data Breach affecting Customer Data or where required by applicable Data Protection Laws), Cobble will make available information reasonably necessary to demonstrate compliance with this DPA, which may include:
- responses to written security questionnaires;
- summaries of third-party audit reports, assessments, or certifications, where available; and
- documentation of relevant security policies and practices.
Where such materials are insufficient to satisfy a requirement of applicable Data Protection Laws, the Parties will discuss in good faith a mutually agreeable audit approach, conducted at Customer's expense, upon reasonable advance notice, during normal business hours, without disrupting Cobble's operations, and subject to Cobble's confidentiality and security requirements. Audits shall not extend to other customers' data or to Subprocessor facilities not under Cobble's control.
16. Deletion & Return of Customer Data
Upon termination or expiration of the Agreement, or upon Customer's written request, Cobble will delete Customer Data in its possession, or return it to Customer in a commonly used format where technically feasible, except where:
- retention is required by applicable law;
- the data resides in routine backups, in which case it will be deleted in accordance with Cobble's backup lifecycle and remain protected under this DPA until deleted; or
- the data has been aggregated or deidentified in accordance with Section 12.
Given Cobble's default minimal-retention architecture, most Customer Data submitted for standard inference is not persistently stored and therefore requires no deletion action at termination.
17. Term, Precedence & General
17.1 Term
This DPA takes effect upon Customer's acceptance of the Agreement (or execution of this DPA, if separately executed) and remains in effect for as long as Cobble Processes Customer Data on behalf of Customer.
17.2 Order of Precedence
In the event of a conflict between this DPA and the Agreement with respect to the Processing of Personal Data, this DPA controls. In all other respects, the order of precedence stated in the Agreement applies.
17.3 Liability
Each Party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set forth in the Agreement, and any claims under this DPA are counted toward, and not in addition to, the aggregate liability cap in the Agreement.
17.4 Changes to This DPA
Cobble may update this DPA from time to time to reflect changes in applicable Data Protection Laws or the Services, provided that updates do not materially reduce the protections afforded to Customer Data. Material changes will be communicated in accordance with the notice provisions of the Agreement.
Annex A — Details of Processing
Subject matter of Processing. Provision of AI inference, routing, and related infrastructure services as described in the Agreement.
Duration of Processing. The term of the Agreement, plus any limited period required for deletion or legally required retention.
Nature and purpose of Processing. Receiving, transmitting, and transiently processing Customer Data to generate model outputs; authenticating users; routing requests; securing the platform; preventing fraud and abuse; providing support; and billing.
Categories of Personal Data. Determined and controlled by Customer. May include: account and contact information (names, email addresses); billing information; authentication data; usage metadata; and any Personal Data contained in Inputs submitted to the Services. Sensitive categories (including biometric data, consumer health data, and PHI) are prohibited except as expressly permitted under a separately executed agreement.
Categories of Data Subjects. Determined and controlled by Customer. May include: Customer's employees, contractors, and authorized users; Customer's own customers and end users; and other individuals whose Personal Data is contained in Inputs.
Retention. As described in Sections 4, 5, and 16 of this DPA and the data retention provisions of the Agreement: ephemeral by default for standard inference, with limited operational and security retention, and Customer-controlled retention for optional persistence features.
