Data processing agreement

Last updated: March 13, 2026

Note: If these Terms, Policies, or Agreements are available in multiple languages, and any discrepancies exist between translations, the English version shall prevail.


This Data Processing Agreement ("DPA") forms part of the agreement between BabySea, Inc. ("BabySea", "Processor", "we", "us", or "our") and the customer entity that has accepted the Terms of use ("Customer" or "Controller"), and governs the processing of Personal Data by BabySea on behalf of the Customer in connection with the BabySea API and related services (the "Services").

This DPA is incorporated into and forms part of the Terms of use and the Service-level terms. In the event of a conflict between this DPA and any other agreement between the parties, this DPA shall take precedence with respect to the subject matter of data protection and processing.

1. Definitions

"Applicable Data Protection Law" means the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the California Consumer Privacy Act ("CCPA") and any applicable national or regional data protection laws, regulations, and regulatory guidance in force from time to time.

"Controller" means the Customer, as the entity that determines the purposes and means of the processing of Personal Data.

"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by BabySea under this DPA on behalf of the Customer.

"Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

"Processing" (and "Process", "Processed", "Processes") means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, restriction, erasure, or destruction.

"Processor" means BabySea, as the entity that processes Personal Data on behalf of the Controller.

"Subprocessor" means any third party engaged by BabySea to process Personal Data in connection with the Services. The current list of Subprocessors is published at List of subprocessors.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries as approved by the European Commission under Decision 2021/914/EU, or any successor instrument.

"Technical and Organizational Measures" or "TOMs" means the security and organizational measures described in Annex B of this DPA.

2. Scope and applicability

This DPA applies where and to the extent that BabySea processes Personal Data on behalf of the Customer in the course of providing the Services. It applies regardless of whether the Customer's account is on the US (North Virginia), EU (Frankfurt), or APAC (Tokyo) region.

This DPA does not apply to:

  • Personal Data for which BabySea acts as a Controller (e.g., account data processed for BabySea's own billing, legal, and service-improvement purposes), which is governed by the Privacy policy.
  • Information that does not constitute Personal Data under Applicable Data Protection Law.

3. BabySea's role as Processor

BabySea acts as a Processor with respect to Personal Data that the Customer submits to or generates through the Services. BabySea will:

  1. Process Personal Data only on documented instructions from the Customer, including those instructions given by the Customer's use of the Services in accordance with the Terms of use, or as required by Applicable Data Protection Law.
  2. Ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
  3. Implement and maintain the Technical and Organizational Measures set out in Annex B.
  4. Respect the conditions for engaging Subprocessors as set out in Section 6 of this DPA.
  5. Take reasonable steps to assist the Customer in responding to Data Subject rights requests as described in Section 8.
  6. Notify the Customer of any Personal Data Breach as described in Section 9.
  7. Provide reasonable assistance to the Customer in ensuring compliance with obligations related to security, breach notification, data protection impact assessments, and prior consultations with supervisory authorities.
  8. Delete or return Personal Data at the end of the service relationship as described in Section 10.

If BabySea becomes aware that a processing instruction infringes Applicable Data Protection Law, BabySea will inform the Customer promptly.

4. Customer's obligations as Controller

As Controller, the Customer is responsible for:

  1. Ensuring that there is a valid legal basis under Applicable Data Protection Law for the processing of Personal Data described in this DPA.
  2. Ensuring that all notices, disclosures, and consents required by Applicable Data Protection Law have been provided to Data Subjects.
  3. Ensuring that Personal Data submitted to the Services is accurate, relevant, and limited to what is necessary for the processing purposes.
  4. Complying with the Terms of use and any acceptable-use requirements with respect to the content of prompts and inputs submitted to the Services.
  5. Not submitting sensitive categories of Personal Data (as defined under GDPR Art 9) to the Services unless separately agreed in writing with BabySea.
  6. Maintaining its own records of processing activities as required by Applicable Data Protection Law.

5. Processing details

The following describes the subject matter and nature of the processing performed by BabySea under this DPA.

5.1 Subject matter

Processing of Personal Data arising from the Customer's use of the BabySea API and related dashboard, Playground, SDK, and webhook functionality.

5.2 Duration

Processing continues for the duration of the Customer's use of the Services and, thereafter, for the period required to complete data return or deletion in accordance with Section 10 and retention obligations described in Data lifecycle.

5.3 Nature and purpose of processing

BabySea processes Personal Data to:

  • Authenticate users and manage access to the Services.
  • Receive and route generation requests (image and video) to inference providers and return results.
  • Maintain API key credentials and usage logs for billing and security.
  • Deliver webhook events describing generation outcomes.
  • Process billing, subscriptions, and credit transactions.
  • Provide customer support and respond to communications.
  • Monitor service health, detect errors, and operate security controls.
  • Comply with legal and regulatory obligations.

5.4 Categories of Personal Data

The following categories of Personal Data may be processed:

Category | Description | Storage
Account data | Email address, display name, profile picture | Regional database
Generation data | Text prompts, provider parameters, output file URLs | Regional database and storage
API key data | bcrypt-hashed key values, key scopes, allowed IP ranges, usage log entries | Regional database
Webhook data | AES-256-GCM encrypted secrets, delivery log entries | Regional database
Billing data | Payment processor reference, subscription record, credit ledger entries | Regional database + Stripe
Consent records | Cookie consent state, GDPR consent choices | Regional database
Request metadata | SHA-256 hashed IP addresses, user-agent strings, endpoint, HTTP status code | Regional database
Account deletion audit log | SHA-256 hashed email, deletion timestamp | Regional database

Raw API key values and raw webhook secrets are never stored. API keys are hashed using bcrypt. Webhook secrets are encrypted using AES-256-GCM before storage. IP addresses in request logs are pseudonymized using SHA-256 hashing before storage.

5.5 Categories of Data Subjects

Data Subjects whose Personal Data may be processed include:

  • Individual users of the Customer's BabySea account.
  • Members of the Customer's team workspaces.
  • End users of the Customer's applications where prompts or inputs submitted via the API contain Personal Data.

The Customer is responsible for ensuring that any Personal Data relating to end users is processed in accordance with Applicable Data Protection Law.

6. Subprocessor management

6.1 Authorization to engage Subprocessors

The Customer provides general authorization for BabySea to engage Subprocessors as listed at List of subprocessors. BabySea will update that page when Subprocessors are added or replaced and will provide reasonable notice of material changes.

6.2 Objection right

The Customer may object to a new Subprocessor by notifying BabySea in writing within 14 days of notice of the change. If the parties cannot resolve the objection in good faith within a further 14 days, the Customer may terminate the affected Services on written notice and will receive a pro-rated refund of prepaid fees.

6.3 Subprocessor obligations

BabySea imposes data protection obligations on Subprocessors that are substantially equivalent to those in this DPA. BabySea remains liable to the Customer for the performance of Subprocessors to the extent required by Applicable Data Protection Law.

7. International data transfers

7.1 Regional data isolation

BabySea operates three isolated data regions: US (North Virginia), EU (Frankfurt), and APAC (Tokyo). Persistent data (databases and storage) is stored only in the selected region. There is no automatic cross-region replication of Customer data. Customers select their region at account creation and that selection determines where persistent data resides. This is described further in Data sovereignty.

7.2 Edge compute

Vercel edge compute functions are deployed globally and are stateless. They do not persist Personal Data outside the selected region. Cloudflare DNS, CDN, and WAF services are similarly global and stateless.

7.3 Inference provider transfers

Inference providers (BFL, Replicate, Fal, BytePlus, Cloudflare) may process generation requests in jurisdictions that differ from the Customer's selected region, including the United States and Germany. Prompts and generation parameters submitted by the Customer may transit these provider environments as part of the generation workflow.

Where Personal Data is transferred from the European Economic Area (EEA) or the United Kingdom to a country that has not received an adequacy decision, such transfers rely on Standard Contractual Clauses (SCCs) as approved under GDPR Art 46(2)(c) or, in the case of the UK, the International Data Transfer Agreement (IDTA) or addendum to the EU SCCs. BabySea uses DPAs or equivalent data transfer agreements with Subprocessors and is working to ensure that appropriate agreements are in place with all Subprocessors as required by Applicable Data Protection Law.

8. Data Subject rights assistance

BabySea will provide reasonable technical and organizational assistance to help the Customer fulfill its obligations to respond to Data Subject rights requests, including:

  • Right of access: The DSAR export functionality in the dashboard (My profile - Download my data) provides a machine-readable JSON export of all Personal Data attributable to the requesting user, including consent records, generation history, API key metadata, API logs, webhooks, webhook delivery logs, bug reports, and activity records.
  • Right to erasure: Account deletion (Settings - Danger Zone) triggers a cascade deletion of all associated Personal Data including generation records, API keys, webhooks, consent records, stored files, and activity logs, with PII scrubbing applied to audit records.
  • Right to rectification: Users may update account name, email, and profile information through the dashboard settings.
  • Right to data portability: The DSAR export provides data in JSON format.
  • Right to restriction: The Customer or affected Data Subject should contact BabySea through our Support page or at connect@babysea.ai to request restriction of processing where technically feasible.
  • Right to object: Data Subjects may revoke API keys, delete their accounts, or adjust cookie consent preferences at any time.

The Customer is responsible for receiving, verifying, and coordinating Data Subject rights requests. BabySea will provide the above assistance within a reasonable time after a request from the Customer.

9. Personal Data Breach notification

In the event that BabySea discovers or becomes aware of a Personal Data Breach, BabySea will:

  1. Notify the Customer without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
  2. Provide, to the extent then available, (a) a description of the nature of the breach including the categories and approximate number of Data Subjects and records affected; (b) the name and contact details of the data protection contact; (c) a description of the likely consequences; and (d) a description of measures taken or proposed to address the breach.
  3. Cooperate with the Customer and take reasonable steps to mitigate the effects of and remedy the breach.

Notification of a Personal Data Breach is not an acknowledgment of fault or liability. BabySea's 72-hour notification commitment is aligned with the requirement in GDPR Art 33. The Customer remains responsible for notifying its Data Subjects and supervisory authority as required by Applicable Data Protection Law.

10. Data return and deletion

10.1 Retention during the service relationship

Personal Data is retained in accordance with the plan-based retention windows described in Data lifecycle. The current retention windows are summarized in Annex A.

10.2 Account deletion and data return

Upon termination of the Customer's account:

  • All Personal Data held in the Customer's account will be deleted in accordance with the cascade deletion process described in Section 8.
  • The Customer may export a copy of their Personal Data through the DSAR export function before initiating account deletion.
  • BabySea will complete deletion within the operational cleanup schedule, typically within 30 days of account closure.

10.3 Post-termination retention

Certain records may be retained after account closure where BabySea is required to do so by Applicable Data Protection Law, legal proceedings, or for fraud prevention and financial record-keeping purposes. Such records are retained for the minimum period required by the applicable legal obligation and are processed only for those limited purposes.

10.4 Certificates of deletion

Customers who require written confirmation of data deletion upon account closure may request a certificate of deletion through our Support page or by emailing connect@babysea.ai.

11. Audit rights

11.1 Documentation and questionnaires

BabySea will make available to the Customer, upon written request, documentation reasonably necessary to demonstrate compliance with this DPA, including responses to information security questionnaires, SOC-2-equivalent documentation where available, and a copy of this DPA.

11.2 On-site audits

The Customer may audit BabySea's compliance with this DPA no more than once per calendar year, and only where the Customer has a reasonable, good-faith basis for concern that BabySea is not complying with this DPA. Audits must be conducted with at least 30 days' prior written notice, during normal business hours, in a manner that does not unreasonably disrupt BabySea's operations, and at the Customer's own expense. The parties will agree on the scope, timing, and duration of any audit before it commences.

11.3 Third-party audits

BabySea may satisfy the Customer's audit request by providing the results of a third-party security audit conducted within the prior 12 months, where that audit is substantially equivalent in scope to the Customer's requested audit.

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of use. To the extent required by Applicable Data Protection Law, each party is liable for damages arising from processing that does not comply with Applicable Data Protection Law.

13. Term and termination

This DPA is effective from the date the Customer first accepts the Terms of use and continues in force for as long as BabySea processes Personal Data on behalf of the Customer. Termination of the Terms of use automatically terminates this DPA, subject to the obligations that expressly survive termination, including the obligations in Section 10.3.

14. Contact

For data protection inquiries, to exercise rights under this DPA, or to submit a written objection under Section 6.2, please contact:

Randy Aries Saputra
Privacy Contact
BabySea, Inc.
1111B S Governors Ave STE 39336
Dover, Delaware 19904, USA
Email: connect@babysea.ai

For general inquiries, you may also contact us.


Annex A: Processing details

This Annex forms part of the DPA and summarizes the processing details referred to in Section 5.

Item | Detail
Subject matter | BabySea API and related dashboard, Playground, SDK, and webhook services
Duration | For the term of the Customer's use of the Services, plus any post-termination retention required by law
Nature of processing | Authentication, API routing, inference orchestration, billing, logging, monitoring, support
Purpose of processing | Delivery of the BabySea API service as described in the Terms of use
Data categories | Account data, generation data, API key data, webhook data, billing data, consent records, request metadata, deletion audit records
Data subjects | Customer users, team workspace members, and end users whose data is included in prompts or inputs

A.1 Retention windows

Category | Free | Starter | Pro | Scale | Enterprise
Output files | 1 hour | 12 hours | 1 day | 5 days | 7 days
Generation records | 1 day | 7 days | 30 days | 180 days | 365 days
API request logs | 1 day | 7 days | 30 days | 180 days | 365 days
Webhook delivery logs | 1 day | 7 days | 30 days | 180 days | 365 days
Activity records | 1 day | 7 days | 30 days | 180 days | 365 days
Credit ledger | 30 days | 90 days | 180 days | 365 days | 365 days

These windows reflect the current product behavior as described in Data lifecycle and may change over time.


Annex B: Technical and organizational measures

This Annex describes BabySea's current Technical and Organizational Measures (TOMs) as referenced in Section 3.3. All measures described below reflect the actual implementation in the BabySea product as of the last updated date of this DPA.

B.1 Access control

  • API keys: API key values are hashed using bcrypt before storage and are never stored in plain text. Keys are scoped based on assigned permissions and optionally restricted to specific IP allow-lists. Raw key values are shown to the user only once at creation time.
  • Webhook secrets: Webhook signing secrets are encrypted at rest using AES-256-GCM. Encrypted secrets are stored in access-controlled storage with strict isolation. Raw secrets are never logged or exposed after initial provisioning.
  • Row-Level Security (RLS): All customer-facing database tables are protected by Row-Level Security policies that enforce account-level isolation. Sensitive data is stored separately and is not accessible through public-facing APIs.
  • Dashboard authentication: Dashboard and Playground access requires authentication. Team workspace access is further controlled by role-based membership (Primary Owner, Owner, Member).
  • Infrastructure access: Production infrastructure is accessible only to authorized BabySea personnel.

B.2 Transport security

  • All communication between clients and BabySea is encrypted in transit using HTTPS with TLS. TLS is enforced end-to-end across all edge and application layers.
  • Webhook delivery uses HTTPS endpoints. Webhook payloads are signed using HMAC-SHA256 so that recipients can verify payload integrity.

B.3 Data pseudonymization

  • IP addresses recorded in API request logs, API key usage logs, and consent records are pseudonymized before storage using SHA-256 hashing. Raw IP addresses are not persisted.
  • Account deletion audit records store only a SHA-256 hash of the deleted email address, not the raw email.

B.4 Data minimization and retention

  • Retention windows are enforced per-plan and per-category as described in Data lifecycle and Annex A.
  • Automated retention enforcement processes periodically delete records and output files that have exceeded their retention window.
  • Output files are deleted when their retention window expires. Customers should download outputs they need before expiry.

B.5 Network and perimeter security

  • WAF and DDoS protection: Cloudflare WAF rules enforce edge-level controls including bot mitigation, injection protection, and abuse prevention.
  • Rate limiting: API requests are rate-limited at multiple layers including edge-level and application-level controls that enforce plan-tiered request limits.
  • Data isolation: Sensitive data (API key hashes, webhook encrypted secrets, credit ledger) is stored separately from public-facing data and is not accessible through public-facing APIs.

B.6 Availability and resilience

  • BabySea operates three isolated regional deployments (US, EU, APAC) with no automatic cross-region replication. Each region operates an isolated database deployment with no cross-region data synchronization.
  • Uptime, error, and performance monitoring is provided by the observability subprocessors listed at List of subprocessors.
  • The API supports automatic failover across multiple inference providers, including providers such as BFL, Replicate, Fal, BytePlus, and Cloudflare, to maintain service availability, as listed on the current List of subprocessors page.

B.7 Incident management

  • BabySea maintains a Personal Data Breach notification process aligned with Section 9 of this DPA and GDPR Art 33.
  • Incidents are detected through error monitoring, uptime monitoring, and operational alerting.
  • Incident response involves notifying the Customer within 72 hours of becoming aware of a Personal Data Breach and cooperating on remediation.

B.8 Organizational measures

  • Personnel with access to production systems are bound by confidentiality obligations.
  • Access to production infrastructure is managed on a least-privilege basis.
  • BabySea implements processes to establish and maintain data processing agreements with Subprocessors as required by Applicable Data Protection Law and is working to confirm such terms with all current Subprocessors.

Annex C: Subprocessor list

The current list of Subprocessors is maintained at List of subprocessors and is updated when Subprocessors are added or replaced. The Subprocessors listed there include providers for hosting, authentication, database, storage, inference, billing, observability, and communications.

BabySea requires that each Subprocessor that processes Personal Data on BabySea's behalf enter into data processing agreements or equivalent contractual data protection terms, as required by GDPR Art 28(2) and equivalent Applicable Data Protection Law provisions, and is in the process of confirming or updating such terms with certain Subprocessors.