Data processing agreement

Last updated: May 8, 2026

Note: If these Terms, Policies, or Agreements are available in multiple languages, and any discrepancies exist between translations, the English version shall prevail.


This Data Processing Agreement ("DPA") forms part of the agreement between BabySea, Inc. ("BabySea", "Processor", "we", "us", or "our") and the customer entity that has accepted the Terms of use or otherwise uses the BabySea services ("Customer", "Controller", or "you").

This DPA is incorporated into and forms part of the Terms of use and the Service-level terms. In the event of a conflict between this DPA and any other agreement between the parties regarding the processing of Personal Data, this DPA will control to the extent of the conflict.

1. Definitions

"Applicable Data Protection Law" means the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and any other applicable privacy or data protection laws that apply to the processing of Personal Data under this DPA.

"Controller" means the Customer, as the entity that determines the purposes and means of the processing of Personal Data.

"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by BabySea under this DPA on behalf of the Customer.

"Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

"Processing" and related terms such as "Process", "Processed", and "Processes" mean any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, restriction, erasure, or destruction.

"Processor" means BabySea, as the entity that processes Personal Data on behalf of the Controller.

"Services" means the BabySea API, dashboard, Playground, SDK, webhooks, billing, support, documentation, and related execution-control-plane services for generative media workloads.

"Subprocessor" means any third party engaged by BabySea to process Personal Data in connection with the Services. The current list of Subprocessors is published at List of subprocessors.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries as approved by the European Commission under Decision 2021/914, as applicable.

"Technical and Organizational Measures" or "TOMs" means the security and organizational measures described in Annex B of this DPA.

2. Scope and applicability

This DPA applies where and to the extent that BabySea processes Personal Data on behalf of the Customer in the course of providing the Services.

This DPA does not apply to:

  • Personal Data for which BabySea acts as a Controller, such as account data processed for BabySea's own billing, legal, compliance, security, fraud-prevention, and service-improvement purposes. Such processing is governed by the Privacy policy.
  • Information that does not constitute Personal Data under Applicable Data Protection Law.
  • Provider-side processing performed independently by inference providers according to their own terms, except where such provider acts as BabySea's Subprocessor in connection with providing the Services.

3. BabySea's role as Processor

BabySea acts as a Processor with respect to Personal Data that the Customer submits to or generates through the Services where Customer determines the purposes and means of processing.

BabySea will:

  1. Process Personal Data only on documented instructions from the Customer, including instructions given through the Customer's use of the Services in accordance with the Terms of use, this DPA, and applicable order or account settings.
  2. Ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
  3. Implement and maintain the Technical and Organizational Measures set out in Annex B.
  4. Respect the conditions for engaging Subprocessors as set out in Section 6.
  5. Take reasonable steps to assist the Customer in responding to Data Subject rights requests as described in Section 8.
  6. Notify the Customer of any Personal Data Breach as described in Section 9.
  7. Provide reasonable assistance to the Customer in ensuring compliance with obligations related to security, breach notification, data protection impact assessments, and prior consultations with supervisory authorities.
  8. Delete or return Personal Data at the end of the service relationship as described in Section 10.

If BabySea becomes aware that a processing instruction infringes Applicable Data Protection Law, BabySea will inform the Customer promptly.

4. Customer's obligations as Controller

As Controller, the Customer is responsible for:

  1. Ensuring that there is a valid legal basis under Applicable Data Protection Law for the processing of Personal Data described in this DPA.
  2. Ensuring that all notices, disclosures, and consents required by Applicable Data Protection Law have been provided to Data Subjects.
  3. Ensuring that Personal Data submitted to the Services is accurate, relevant, and limited to what is necessary for the Customer's processing purposes.
  4. Complying with the Terms of use and acceptable-use requirements with respect to prompts, inputs, files, URLs, outputs, and generated content submitted to or obtained from the Services.
  5. Not submitting sensitive categories of Personal Data as defined under GDPR Article 9, or equivalent sensitive data under other laws, unless separately agreed in writing with BabySea.
  6. Maintaining its own records of processing activities as required by Applicable Data Protection Law.
  7. Evaluating whether inference provider processing locations and provider terms satisfy the Customer's legal, contractual, or regulatory requirements.

5. Processing details

The following describes the subject matter and nature of the processing performed by BabySea under this DPA.

5.1 Subject matter

Processing of Personal Data arising from the Customer's use of the BabySea API and related dashboard, Playground, SDK, webhook, billing, support, documentation, and operational functionality.

5.2 Duration

Processing continues for the duration of the Customer's use of the Services and, thereafter, for the period required to complete data return or deletion in accordance with Section 10 and applicable retention obligations.

5.3 Nature and purpose of processing

BabySea processes Personal Data to:

  • Authenticate users and manage access to the Services.
  • Provide account, team, dashboard, and Playground functionality.
  • Receive, validate, route, and execute image and video generation requests.
  • Route generation requests to inference providers and return or store results.
  • Maintain API key credentials, scopes, access restrictions, and usage logs.
  • Enforce rate limits, concurrency limits, idempotency controls, and plan limits.
  • Reserve, charge, refund, and add dollar-denominated credits.
  • Maintain billing, subscription, checkout, invoice, refund, and credit-pack records.
  • Deliver webhook events describing generation outcomes and service events.
  • Monitor service health, detect errors, investigate incidents, and operate security controls.
  • Provide customer support and respond to communications.
  • Stream operational execution events for observability, analytics, replay of derived systems, and system optimization.
  • Compute regional provider rankings, realtime provider-health signals, and routing hints used by the "fastest" provider-order sentinel.
  • Comply with legal, tax, accounting, security, fraud-prevention, and regulatory obligations.

5.4 Categories of Personal Data

The following categories of Personal Data may be processed:

| Category | Description | Storage or Processing Location |
|---|---|---|
| Account data | Email address, display name, profile picture, account membership metadata | Regional database |
| Team data | Team membership, roles, invitations, and access-control metadata | Regional database |
| Generation data | Prompts, model parameters, generation state, provider metadata, output references | Regional database and storage |
| API key data | bcrypt-hashed key values, key prefixes, scopes, allowed IP ranges, usage logs | Regional database |
| Webhook data | AES-256-GCM encrypted secrets, webhook configuration, delivery logs, DLQ records | Regional database |
| Billing data | Payment processor references, subscriptions, invoices, credit ledger entries, credit-pack purchases | Regional database + Stripe |
| Consent records | Cookie consent state and privacy choices | Regional database |
| Request metadata | SHA-256 hashed IP addresses, user-agent strings, endpoints, HTTP status codes, request timing | Regional database |
| Account deletion audit log | SHA-256 hashed email, deletion timestamp, deletion metadata | Regional database |
| Execution metadata | Generation lifecycle events, provider routing decisions, attempt telemetry, performance metrics | Regional database and derived systems |
| Event streaming metadata | Operational event identifiers, status transitions, timing data, provider telemetry, credit events, webhook delivery outcomes | Regional event streaming and analytics systems |

Raw API key values and raw webhook secrets are never stored. API keys are hashed using bcrypt. Webhook secrets are encrypted using AES-256-GCM before storage. IP addresses in request logs are pseudonymized using SHA-256 hashing where implemented.

BabySea does not intentionally stream raw prompts, decrypted webhook secrets, raw API keys, customer emails, raw uploaded file URLs, webhook endpoint URLs, or unnecessary personal data through the realtime event backbone.

5.5 Categories of Data Subjects

Data Subjects whose Personal Data may be processed include:

  • Individual users of the Customer's BabySea account.
  • Members of the Customer's team workspaces.
  • End users of the Customer's applications where prompts, inputs, metadata, or files submitted via the API contain Personal Data.
  • Individuals who contact BabySea for support or service communications.

The Customer is responsible for ensuring that any Personal Data relating to end users is processed in accordance with Applicable Data Protection Law.

6. Subprocessor management

6.1 Authorization to engage Subprocessors

The Customer provides general authorization for BabySea to engage Subprocessors as listed at List of subprocessors. BabySea will update that page when Subprocessors are added or replaced.

6.2 Objection right

The Customer may object to a new Subprocessor by notifying BabySea in writing within 14 days of notice of the change. If the parties cannot resolve the objection in good faith within a further 14 days, the Customer may terminate the affected Services to the extent the use of the new Subprocessor materially prevents the Customer from complying with Applicable Data Protection Law.

6.3 Subprocessor obligations

BabySea imposes data protection obligations on Subprocessors that are substantially equivalent to those in this DPA where required by Applicable Data Protection Law. BabySea remains liable to the Customer for the performance of Subprocessors to the extent required by Applicable Data Protection Law.

7. International data transfers

7.1 Regional data isolation

BabySea operates three isolated data regions: US (North Virginia), EU (Frankfurt), and APAC (Tokyo). Persistent account, generation, billing, webhook, and operational data is stored in the selected region. There is no automatic cross-region synchronization of source-of-truth customer data.

7.2 Edge compute and network infrastructure

Vercel edge compute functions are deployed globally and are stateless. They do not persist Personal Data outside the selected region. Cloudflare DNS, CDN, WAF, and network services are global and stateless for BabySea source-of-truth data.

7.3 Event streaming, analytics, and routing intelligence

BabySea may process derived operational data through regional event streaming, analytics, cache, and routing-intelligence systems. These systems may include Confluent, Databricks, Upstash, and related infrastructure listed in the List of subprocessors.

These systems are used to improve provider routing, observability, replay of derived systems, realtime provider-health computation, incident response, and service reliability. They do not replace the regional source-of-truth database.

7.4 Inference provider transfers

Inference providers such as Alibaba Cloud, Black Forest Labs, BytePlus, Cloudflare, Fal, OpenAI, Replicate, Runway, or others may process generation requests in jurisdictions that differ from the Customer's selected BabySea region. Inference routing depends on the model, media type, provider availability, and route configuration.

Where a provider offers regional endpoints, BabySea may route requests to the endpoint that best aligns with the Customer's selected region. Not all providers or models support strict regional processing.

Where Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, such transfers rely on Standard Contractual Clauses or another transfer mechanism permitted by Applicable Data Protection Law.

8. Data Subject rights assistance

BabySea will provide reasonable technical and organizational assistance to help the Customer fulfill its obligations to respond to Data Subject rights requests, including:

  • Right of access: The DSAR export functionality in the dashboard (My profile - Download my data) provides a machine-readable JSON export of Personal Data attributable to the user where available.
  • Right to erasure: Account deletion (Settings - Danger Zone) triggers deletion workflows for associated Personal Data, subject to legal, billing, security, fraud-prevention, and audit retention requirements.
  • Right to rectification: Users may update account name, email, and profile information through dashboard settings where available.
  • Right to data portability: DSAR export provides data in JSON format where available.
  • Right to restriction: The Customer or affected Data Subject may contact BabySea through Support or privacy@babysea.ai to request restriction of processing.
  • Right to object: Data Subjects may revoke API keys, delete accounts, adjust cookie consent preferences, or contact BabySea regarding processing objections.

The Customer is responsible for receiving, verifying, and coordinating Data Subject rights requests. BabySea will provide assistance within a reasonable time after a verified request from the Customer.

9. Personal Data Breach notification

In the event that BabySea discovers or becomes aware of a Personal Data Breach, BabySea will:

  1. Notify the Customer without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
  2. Provide, to the extent then available, a description of the nature of the breach, including categories and approximate number of Data Subjects and records affected; the likely consequences of the breach; and measures taken or proposed to address the breach.
  3. Cooperate with the Customer and take reasonable steps to mitigate the effects of and remedy the breach.

Notification of a Personal Data Breach is not an acknowledgment of fault or liability. The Customer remains responsible for determining whether notification to supervisory authorities or Data Subjects is required.

10. Data return and deletion

10.1 Retention during the service relationship

Personal Data is retained in accordance with plan-based retention windows described in Data lifecycle. The current retention windows are summarized in Annex A.

10.2 Account deletion and data return

Upon termination or deletion of the Customer's account:

  • The Customer may export a copy of available Personal Data through the DSAR export function before initiating account deletion.
  • BabySea will delete Personal Data associated with the account in accordance with its operational cleanup processes.
  • Deletion typically completes within the operational cleanup schedule, generally within 30 days of account closure, subject to backups, logs, legal holds, billing records, security records, fraud-prevention records, and other permitted retention.

10.3 Derived event and analytics data

Derived event, analytics, cache, and routing-intelligence data may persist for the applicable retention period or until overwritten, compacted, expired, or deleted according to operational retention controls. Such derived data is used for observability, reliability, routing intelligence, billing support, security, and incident response.

BabySea designs event streams and derived systems to avoid unnecessary Personal Data and to carry only operational metadata wherever that is sufficient for the purpose.

10.4 Post-termination retention

Certain records may be retained after account closure where BabySea is required or permitted to do so by Applicable Data Protection Law, legal proceedings, tax or accounting obligations, billing dispute resolution, fraud prevention, security monitoring, or audit requirements.

10.5 Certificates of deletion

Customers who require written confirmation of data deletion upon account closure may request a certificate of deletion through Support or privacy@babysea.ai.

11. Audit rights

11.1 Documentation and questionnaires

BabySea will make available to the Customer, upon written request, documentation reasonably necessary to demonstrate compliance with this DPA, including responses to information security questionnaires, trust center materials, security summaries, or other documentation as appropriate.

11.2 On-site audits

The Customer may audit BabySea's compliance with this DPA no more than once per calendar year, and only where the Customer has a reasonable, good-faith basis for concern that BabySea is not complying with this DPA. Any audit must be conducted during normal business hours, with reasonable advance notice, and in a manner that does not disrupt BabySea's operations or compromise the security or confidentiality of other customers.

11.3 Third-party audits

BabySea may satisfy the Customer's audit request by providing the results of a third-party security audit, certification, report, or substantially equivalent documentation conducted within the prior 12 months, where available.

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of use. To the extent required by Applicable Data Protection Law, nothing in this DPA limits either party's liability for violations that cannot legally be limited.

13. Term and termination

This DPA is effective from the date the Customer first accepts the Terms of use or uses the Services and continues in force for as long as BabySea processes Personal Data on behalf of the Customer.

Termination of the Services does not relieve either party of obligations that by their nature should survive termination, including confidentiality, security, deletion, audit, and liability obligations.

14. Contact

For data protection inquiries, to exercise rights under this DPA, or to submit a written objection under Section 6.2, please contact:

Randy Aries Saputra
Privacy Contact
BabySea, Inc.
Mailing Address: 244 Fifth Avenue, Suite #1882
New York, NY 10001, USA
Email: privacy@babysea.ai

For general inquiries, you may also contact us.


Annex A: Processing details

This Annex forms part of the DPA and summarizes the processing details referred to in Section 5.

| Item | Detail |
|---|---|
| Subject matter | BabySea API and related dashboard, Playground, SDK, webhook, billing, support, and execution-control-plane services |
| Duration | For the term of the Customer's use of the Services, plus any post-termination retention required or permitted by law |
| Nature of processing | Authentication, API routing, inference orchestration, execution event streaming, billing, logging, monitoring, support, and transactional email delivery |
| Purpose of processing | Delivery, security, reliability, billing, observability, and improvement of the BabySea API service as described in the Terms of use |
| Data categories | Account data, team data, generation data, API key data, webhook data, billing data, consent records, request metadata, deletion audit records, execution metadata, and event streaming metadata |
| Data subjects | Customer users, team workspace members, support contacts, and end users whose data is included in prompts, inputs, files, or metadata |

A.1 Retention windows

| Category | Free | Starter | Pro | Scale | Enterprise |
|---|---|---|---|---|---|
| Output files | 1 hour | 12 hours | 1 day | 5 days | 7 days |
| Generation records | 1 day | 7 days | 30 days | 180 days | 365 days |
| API request logs | 1 day | 7 days | 30 days | 180 days | 365 days |
| Webhook delivery logs | 1 day | 7 days | 30 days | 180 days | 365 days |
| Activity records | 1 day | 7 days | 30 days | 180 days | 365 days |
| Credit ledger | 30 days | 90 days | 180 days | 365 days | 365 days |

These windows reflect the current product behavior as described in Data lifecycle and may change over time.


Annex B: Technical and organizational measures

This Annex describes BabySea's current Technical and Organizational Measures as referenced in Section 3.

B.1 Access control

  • API keys: API key values are hashed using bcrypt before storage and are never stored in plain text. Keys are scoped based on assigned permissions and may be restricted to specific IP allowlists.
  • Webhook secrets: Webhook signing secrets are encrypted at rest using AES-256-GCM. Raw webhook secrets are never logged or intentionally exposed after creation.
  • Row-Level Security (RLS): Customer-facing database tables are protected by Row-Level Security policies that enforce account-level isolation.
  • Dashboard authentication: Dashboard and Playground access requires authentication. Team workspace access is controlled by role-based membership such as Primary Owner, Owner, and Member.
  • Infrastructure access: Production infrastructure is accessible only to authorized BabySea personnel on a least-privilege basis.

B.2 Transport security

  • All communication between clients and BabySea is encrypted in transit using HTTPS with TLS.
  • Webhook delivery uses HTTPS endpoints.
  • Webhook payloads are signed using HMAC-SHA256 so recipients can verify payload integrity and prevent replay.
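An added illustration of the receiver-side check this measure enables (example code, not BabySea's SDK and not its documented signature format): it assumes a hypothetical `X-Webhook-Timestamp` header and an `X-Webhook-Signature` header holding hex HMAC-SHA256 over `"<timestamp>.<raw body>"`, and an `id` field in the JSON body; the receiver recomputes the MAC in constant time, rejects deliveries whose timestamp falls outside a tolerance window, and rejects an event id it has already accepted.

```python
import hashlib
import hmac
import json

# Constructed sample secret; a real receiver loads its own secret from a secret store.
WEBHOOK_SECRET = b"constructed-example-secret"
TOLERANCE_SECONDS = 300  # assumed acceptance window for the signed timestamp


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Hex HMAC-SHA256 over "<timestamp>.<raw body>" (assumed signing format)."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


class WebhookReceiver:
    """Receiver-side verification: integrity, freshness, and duplicate rejection."""

    def __init__(self, secret: bytes, tolerance: int = TOLERANCE_SECONDS):
        self.secret = secret
        self.tolerance = tolerance
        # In-memory dedupe for the example; a real receiver persists accepted ids.
        self.seen_event_ids: set[str] = set()

    def verify(self, headers: dict, body: bytes, now: float) -> tuple[bool, str]:
        ts_header = headers.get("X-Webhook-Timestamp")  # assumed header name
        signature = headers.get("X-Webhook-Signature", "")  # assumed header name
        if ts_header is None or not signature:
            return False, "missing signature headers"
        try:
            timestamp = int(ts_header)
        except ValueError:
            return False, "malformed timestamp"
        # Freshness check: a valid signature on a stale timestamp is a replay.
        if abs(now - timestamp) > self.tolerance:
            return False, "timestamp outside tolerance"
        # Recompute over the raw bytes; constant-time compare avoids timing leaks.
        expected = sign_payload(self.secret, timestamp, body)
        if not hmac.compare_digest(expected, signature):
            return False, "signature mismatch"
        # Duplicate check inside the window: the same signed event delivered twice.
        try:
            event_id = json.loads(body)["id"]  # assumed event id field
        except (ValueError, KeyError, TypeError):
            return False, "body lacks event id"
        if event_id in self.seen_event_ids:
            return False, "duplicate event"
        self.seen_event_ids.add(event_id)
        return True, "ok"


def demo() -> list[str]:
    """Run the verifier over constructed deliveries; returns the reason codes."""
    receiver = WebhookReceiver(WEBHOOK_SECRET)
    now = 1_700_000_000
    body = json.dumps({"id": "evt_example_1", "type": "generation.completed"}).encode()
    good_sig = sign_payload(WEBHOOK_SECRET, now, body)
    good = {"X-Webhook-Timestamp": str(now), "X-Webhook-Signature": good_sig}
    stale_ts = now - 3600
    stale = {"X-Webhook-Timestamp": str(stale_ts),
             "X-Webhook-Signature": sign_payload(WEBHOOK_SECRET, stale_ts, body)}
    return [
        receiver.verify(good, body, now)[1],         # ok
        receiver.verify(good, body, now)[1],         # duplicate event
        receiver.verify(good, body + b" ", now)[1],  # signature mismatch (body altered)
        receiver.verify(stale, body, now)[1],        # timestamp outside tolerance
    ]
```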

B.3 Data pseudonymization

  • IP addresses recorded in API request logs, API key usage logs, and consent records are pseudonymized before storage using SHA-256 hashing where implemented.
  • Account deletion audit records store a SHA-256 hash of the deleted email address rather than the raw email.

B.4 Data minimization and retention

  • Retention windows are enforced per plan and per category as described in Data lifecycle.
  • Automated retention enforcement processes periodically delete records and output files that have exceeded their retention window.
  • Output files are temporary and are deleted when their retention window expires.
  • Event streaming payloads are designed to contain operational metadata and avoid unnecessary Personal Data.

B.5 Network and perimeter security

  • WAF and DDoS protection: Cloudflare WAF and edge controls provide bot mitigation, injection protection, DDoS protection, and abuse prevention.
  • Rate limiting: API requests are rate-limited at multiple layers, including edge-level and application-level controls that enforce plan-tiered limits.
  • Data isolation: Sensitive data such as API key hashes, encrypted webhook secrets, and credit ledger records is access-controlled and not exposed through public APIs.

B.6 Availability and resilience

  • BabySea operates isolated regional deployments for US, EU, and APAC with no automatic cross-region replication of source-of-truth customer data.
  • The API supports failover across multiple inference providers to reduce the impact of provider degradation or outage.
  • Supabase remains the source of truth for generation state, credits, billing, webhooks, and audit records.
  • Databricks, Confluent, Upstash, analytics systems, and event streaming systems are designed as fail-open enhancement layers where applicable.
  • If event streaming, analytics, or routing-intelligence systems are unavailable, BabySea is designed to continue serving requests using source-of-truth data, cached rankings, static provider order, circuit breaker state, and provider failover logic.

B.7 Event streaming controls

  • BabySea uses a transactional outbox pattern for publishing operational events from the regional database to event streaming systems.
  • API request handlers do not directly publish to Kafka or event streaming infrastructure.
  • Event publishing is asynchronous and does not block source-of-truth generation, billing, credit, or webhook transactions.
  • Event streams may be replayed to rebuild derived systems such as analytics, dashboards, provider-health aggregates, and routing hints.
  • Event replays must not double-charge, double-refund, or mutate source-of-truth financial or generation state.
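An added sketch of the outbox and replay-safety properties listed above (example code, not BabySea's implementation; the table names, columns and event shape are assumptions, and a Python list stands in for the event broker): the request path debits the credit ledger and writes the outbox row in one transaction, a separate relay drains the outbox, and the derived-spend consumer upserts by event id so that replaying the stream rebuilds the derived table without ever touching the ledger.

```python
import json
import sqlite3
import uuid

# Constructed in-memory schema standing in for the regional source-of-truth database.
SCHEMA = """
CREATE TABLE credit_ledger (id INTEGER PRIMARY KEY, account TEXT, delta_cents INTEGER, reason TEXT);
CREATE TABLE outbox (event_id TEXT PRIMARY KEY, topic TEXT, payload TEXT, published INTEGER DEFAULT 0);
CREATE TABLE derived_spend (event_id TEXT PRIMARY KEY, account TEXT, spent_cents INTEGER);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def reserve_credits(conn, account: str, cents: int, generation_id: str) -> str:
    """Debit the ledger and enqueue the event in ONE transaction (outbox pattern).
    The request handler never talks to the broker; it only writes the outbox row."""
    event_id = str(uuid.uuid4())
    payload = json.dumps({"id": event_id, "account": account,
                          "cents": cents, "generation": generation_id})
    with conn:  # commits both rows or neither
        conn.execute("INSERT INTO credit_ledger(account, delta_cents, reason) VALUES (?,?,?)",
                     (account, -cents, f"reserve:{generation_id}"))
        conn.execute("INSERT INTO outbox(event_id, topic, payload) VALUES (?,?,?)",
                     (event_id, "credit.reserved", payload))
    return event_id


def relay_outbox(conn, broker: list) -> int:
    """Asynchronous relay: move unpublished rows to the broker; returns rows relayed."""
    rows = conn.execute("SELECT event_id, topic, payload FROM outbox WHERE published = 0").fetchall()
    for event_id, topic, payload in rows:
        broker.append((topic, payload))
        conn.execute("UPDATE outbox SET published = 1 WHERE event_id = ?", (event_id,))
    conn.commit()
    return len(rows)


def rebuild_derived(conn, broker: list) -> None:
    """Consumer for the derived spend table. Keyed on event id, so replaying the
    stream is idempotent: it upserts derived rows and never writes the ledger."""
    for topic, payload in broker:
        if topic != "credit.reserved":
            continue
        ev = json.loads(payload)
        conn.execute("INSERT OR REPLACE INTO derived_spend(event_id, account, spent_cents) VALUES (?,?,?)",
                     (ev["id"], ev["account"], ev["cents"]))
    conn.commit()


def ledger_balance(conn, account: str) -> int:
    return conn.execute("SELECT COALESCE(SUM(delta_cents), 0) FROM credit_ledger WHERE account = ?",
                        (account,)).fetchone()[0]


def derived_spend(conn, account: str) -> int:
    return conn.execute("SELECT COALESCE(SUM(spent_cents), 0) FROM derived_spend WHERE account = ?",
                        (account,)).fetchone()[0]


def demo() -> dict:
    """Two reservations, one relay, then two full replays of the stream."""
    conn = open_db()
    broker: list = []
    reserve_credits(conn, "acct_demo", 40, "gen_1")
    reserve_credits(conn, "acct_demo", 25, "gen_2")
    relayed = relay_outbox(conn, broker)
    rebuild_derived(conn, broker)
    first = (ledger_balance(conn, "acct_demo"), derived_spend(conn, "acct_demo"))
    rebuild_derived(conn, broker)  # replay: derived table rebuilt, ledger untouched
    rebuild_derived(conn, broker)
    second = (ledger_balance(conn, "acct_demo"), derived_spend(conn, "acct_demo"))
    return {"after_first_build": first, "after_replay": second,
            "relayed": relayed, "relayed_again": relay_outbox(conn, broker)}
```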

B.8 Incident management

  • BabySea maintains a Personal Data Breach notification process aligned with Section 9 of this DPA and GDPR Article 33.
  • Incidents are detected through error monitoring, uptime monitoring, operational alerting, logs, and derived observability signals.
  • Incident response includes investigation, containment, remediation, customer notification where required, and post-incident review.

B.9 Organizational measures

  • Personnel with access to production systems are bound by confidentiality obligations.
  • Access to production infrastructure is managed on a least-privilege basis.
  • BabySea implements processes to establish and maintain data processing agreements or equivalent contractual data protection terms with Subprocessors where required by Applicable Data Protection Law.
  • BabySea maintains a public List of subprocessors and updates it as infrastructure, vendor, or provider relationships evolve.

Annex C: Subprocessor list

The current list of Subprocessors is maintained at List of subprocessors and is updated when Subprocessors are added or replaced.

BabySea requires that each Subprocessor that processes Personal Data on BabySea's behalf enter into data processing agreements or equivalent contractual data protection terms as required by Applicable Data Protection Law.