Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller") and Tokenistt Labs, Inc. ("Processor") and applies when Tokenistt processes personal data on your behalf under applicable data protection law (GDPR, CCPA, UK GDPR).
The scope of this DPA is deliberately narrow: Tokenistt acts as a data processor only for the performance metadata described below. It never acts as a processor for your prompt content, source code, or LLM outputs — that data never reaches Tokenistt's servers and is therefore outside the scope of this agreement.
1. Roles
2. Subject matter and purpose of processing
Tokenistt processes performance metadata (token counts, request latency, cost estimates, workspace labels, model identifiers) for the sole purpose of providing the Tokenistt analytics dashboard and optimization service described in the Terms of Service. No other processing is permitted without your explicit written instruction.
3. Categories of data subjects
- Your engineering team members who use LLM tools connected to the Tokenistt MCP server
- Identified only by workspace label (a non-PII string you configure)
- No direct identification of individual engineers in metadata unless you configure workspace labels containing names
4. Security measures
Tokenistt implements the technical and organizational measures described in our SOC 2 Type II report, including: TLS 1.3 in transit, AES-256 at rest, access controls, audit logging, vulnerability management, and incident response. Full details available upon request.
5. Sub-processing
You grant general authorization for Tokenistt to engage subprocessors listed at tokenistt.com/legal (Subprocessors tab). Tokenistt will provide 30 days' notice of any new subprocessor. You may object in writing; if we cannot accommodate the objection, you may terminate without penalty.
6. Data subject rights
Tokenistt will assist you in responding to data subject requests (access, deletion, correction, portability) within the metadata we hold. Submit requests to legal@tokenistt.com. We will respond within 72 hours and fulfill within the legally required timeframe.
7. International transfers
Performance metadata is processed and stored in AWS us-east-1 (United States). For customers in the EU/EEA, we rely on Standard Contractual Clauses (SCCs, EU 2021/914) as the transfer mechanism. Enterprise customers may request EU-only data residency.
8. Breach notification
In the event of a personal data breach affecting metadata we process on your behalf, Tokenistt will notify you without undue delay and no later than 48 hours after becoming aware of the breach. Notification will include the nature of the breach, categories of data affected, estimated number of data subjects, and remediation steps.
9. Deletion on termination
Upon termination of the main agreement, Tokenistt will delete all performance metadata within 30 days, unless retention is required by law. Confirmation of deletion will be provided in writing upon request.