Last Updated: June 26, 2026
This Data Processing Agreement (the "DPA") forms part of the agreement between Spherium.ai LLC ("Spherium.ai," "Spherium," "Processor," "we," "our," or "us") and the customer entity using the Spherium.ai services ("Customer," "Controller," "you," or "your") where Spherium.ai processes Personal Data on behalf of Customer.
This DPA is intended to address privacy and data processing requirements applicable to Spherium.ai's provision of its Enterprise AI Gateway and Collaboration Platform. If Customer has entered into a separate written data processing agreement with Spherium.ai, that written agreement will control to the extent of any conflict.
1. Definitions
"Agreement" means the Terms of Service, Order Form, written agreement, or other agreement governing Customer's use of the Services.
"Applicable Data Protection Laws" means privacy, data protection, and data security laws applicable to the processing of Personal Data under this DPA.
"Customer Data" means prompts, files, workspace content, knowledge resources, workflows, outputs, and other content submitted to, uploaded to, processed through, or generated through the Services by or on behalf of Customer or its Users.
"Data Subject" means an identified or identifiable individual to whom Personal Data relates.
"Personal Data" means information processed by Spherium.ai on behalf of Customer that identifies or relates to an identified or identifiable individual and is subject to Applicable Data Protection Laws.
"Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, restriction, erasure, or destruction.
"Security Incident" means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by Spherium.ai on behalf of Customer.
"Services" means Spherium.ai's Enterprise AI Gateway and Collaboration Platform, websites, applications, APIs, support services, and related services.
"Subprocessor" means a third-party processor engaged by Spherium.ai to process Personal Data on behalf of Customer.
Terms such as "controller," "processor," "business," "service provider," and similar terms have the meanings given under Applicable Data Protection Laws.
2. Roles of the Parties
For Personal Data processed by Spherium.ai on behalf of Customer through the Services, Customer is the controller or business, and Spherium.ai is the processor or service provider.
Customer determines the purposes and means of processing Customer Data and Personal Data through the Services. Spherium.ai processes Personal Data only as described in this DPA, the Agreement, Customer's documented instructions, or as required by law.
For Operational Metadata processed by Spherium.ai to operate, secure, support, troubleshoot, bill, and administer the Services, Spherium.ai may act as an independent controller where permitted by law.
3. Scope and Instructions
Customer instructs Spherium.ai to process Personal Data as necessary to:
- Provide the Services;
- Support AI interactions;
- Support workspaces and collaboration;
- Apply routing, rules, reporting, and audit functionality;
- Provide customer support;
- Maintain security and platform integrity;
- Troubleshoot and improve service functionality;
- Process billing and subscription administration;
- Comply with applicable law;
- Perform other activities described in the Agreement or requested through Customer's use of the Services.
Spherium.ai will process Personal Data in accordance with Customer's documented instructions unless required by law to do otherwise.
Customer is responsible for ensuring that its instructions comply with Applicable Data Protection Laws and that it has all required rights, permissions, notices, consents, and legal bases to provide Personal Data to Spherium.ai.
4. Nature and Purpose of Processing
Spherium.ai processes Personal Data to provide an Enterprise AI Gateway and Collaboration Platform.
Processing may include:
- Receiving Customer Data from Users or Customer systems;
- Routing requests to selected AI Model Providers where configured by Customer;
- Supporting workspace functionality;
- Applying platform rules and routing;
- Generating or returning outputs requested by Customer;
- Providing reporting and audit functionality;
- Supporting authentication and login events;
- Providing support and troubleshooting;
- Maintaining system reliability and security;
- Processing operational metadata;
- Performing billing and subscription administration.
5. Categories of Personal Data
Personal Data processed under this DPA may include:
- Business contact information;
- User account identifiers;
- Tenant or organization identifiers;
- Authentication and login event information;
- Support ticket information;
- Billing and subscription information;
- Model usage metadata;
- API usage metadata;
- Personal Data included in Customer prompts, files, workspace content, knowledge resources, workflows, or outputs, depending on Customer's use of the Services.
Spherium.ai personnel have routine access only to limited operational information, including tenant or organization information, authentication and login events, model usage metadata, API usage metadata, support ticket information, and billing or subscription information.
Customer prompts, files, workspace content, knowledge resources, workflows, and outputs are encrypted and are not routinely accessible to Spherium.ai personnel.
6. Categories of Data Subjects
Data Subjects may include:
- Customer employees, contractors, agents, and representatives;
- Customer administrators and Users;
- Customer prospects, customers, partners, or other individuals whose information is included in Customer Data;
- Website visitors and support contacts where applicable;
- Other individuals whose Personal Data is submitted by Customer or Users.
7. Customer Responsibilities
Customer is responsible for:
- Complying with Applicable Data Protection Laws;
- Providing required notices to Data Subjects;
- Obtaining required consents or other legal bases;
- Determining whether Personal Data is appropriate for processing through the Services;
- Configuring workspaces, access, rules, routing, integrations, and AI Model Providers;
- Managing User access;
- Reviewing AI outputs before relying on them;
- Responding to Data Subject requests where Customer is the controller;
- Ensuring Customer Data does not violate applicable law, third-party rights, or contractual restrictions.
8. Spherium.ai Responsibilities
Spherium.ai will:
- Process Personal Data only in accordance with Customer's documented instructions, the Agreement, and this DPA;
- Implement appropriate administrative, technical, and organizational safeguards designed to protect Personal Data;
- Limit access to Personal Data to personnel and Subprocessors who need access to perform the Services;
- Ensure personnel authorized to process Personal Data are subject to confidentiality obligations;
- Provide reasonable assistance to Customer with Data Subject requests, Security Incidents, and privacy assessments where required by law and taking into account the nature of processing;
- Make available information reasonably necessary to demonstrate compliance with this DPA;
- Notify Customer of a Security Incident as described below.
9. Security Measures
Spherium.ai maintains administrative, technical, and organizational safeguards designed to protect Personal Data against unauthorized access, disclosure, alteration, or destruction.
Security measures may include:
- Encryption
- Authentication controls
- Access controls
- Logging
- Monitoring
- Operational security practices
- Limited personnel access
- Support and troubleshooting procedures
- Infrastructure security controls
Customer prompts, files, workspace content, knowledge resources, workflows, and outputs are encrypted and are not routinely accessible to Spherium.ai personnel.
Spherium.ai personnel may access only limited operational information reasonably necessary to operate, secure, troubleshoot, and support the platform.
10. Subprocessors
Customer authorizes Spherium.ai to engage Subprocessors to provide the Services.
Spherium.ai will maintain a list of Subprocessors used to provide the Services. Spherium.ai will impose written obligations on Subprocessors that are designed to protect Personal Data in a manner consistent with this DPA.
Subprocessors may include hosting providers, CRM and support systems, billing providers, AI Model Providers selected or configured by Customer, analytics providers, advertising and retargeting providers where enabled, and other service providers used to operate or support the Services.
Customer may object to a new Subprocessor on reasonable data protection grounds by contacting support@spherium.ai within a reasonable period after notice or publication of the update. If Customer objects, the parties will work in good faith to address the objection. If the objection cannot be resolved, Customer may discontinue use of the affected Services in accordance with the Agreement.
11. AI Model Providers
Customer may select or configure AI Model Providers through the Services. When Customer selects or configures an AI Model Provider, Spherium.ai may transmit Customer Data to that provider as necessary to process Customer requests.
Customer is responsible for determining whether a selected AI Model Provider is appropriate for Customer's use case and Customer Data.
Processing by AI Model Providers may be subject to the applicable provider's terms, privacy practices, data handling policies, and technical limitations.
Spherium.ai does not use Customer Data to train AI models owned or operated by Spherium.ai.
12. Data Subject Requests
Customer is responsible for responding to Data Subject requests where Customer is the controller.
Taking into account the nature of processing, Spherium.ai will provide reasonable assistance to Customer in responding to Data Subject requests to the extent required by Applicable Data Protection Laws and where Customer cannot reasonably fulfill the request without Spherium.ai's assistance.
Customer should submit assistance requests to support@spherium.ai.
13. Security Incidents
Spherium.ai will notify Customer without undue delay after confirming a Security Incident involving Personal Data processed by Spherium.ai on behalf of Customer.
The notice will include information reasonably available to Spherium.ai, which may include:
- A description of the nature of the Security Incident;
- Categories of affected Personal Data where known;
- Approximate number of affected records where known;
- Likely consequences where known;
- Measures taken or proposed to address the Security Incident;
- Contact information for follow-up.
Spherium.ai's notification of a Security Incident is not an admission of fault or liability.
Customer is responsible for determining whether notification to individuals, regulators, or other parties is required.
14. Data Protection Impact Assessments
Taking into account the nature of processing and information available to Spherium.ai, Spherium.ai will provide reasonable assistance to Customer with data protection impact assessments or consultations with supervisory authorities where required by Applicable Data Protection Laws.
15. Deletion and Return
Upon termination or expiration of the Services, Spherium.ai will delete or return Customer Data in accordance with the Agreement, Customer's instructions, and Spherium.ai's retention practices, unless retention is required by law.
Customer is responsible for exporting Customer Data before termination or expiration where Customer requires a copy.
Operational Metadata may be retained as reasonably necessary for legal, security, audit, billing, dispute resolution, and legitimate business purposes.
16. Audits and Compliance Information
Spherium.ai will make available information reasonably necessary to demonstrate compliance with this DPA.
Where required by Applicable Data Protection Laws, Customer may request additional information regarding Spherium.ai's processing and security practices. Any audit or review must be conducted in a manner that does not compromise the security, confidentiality, availability, or integrity of Spherium.ai systems or other customers' data.
Spherium.ai may satisfy audit requests by providing summaries, documentation, security materials, certifications, or third-party reports where available.
17. International Processing
Spherium.ai is headquartered in the United States. Personal Data may be processed in the United States or other locations where Spherium.ai or its Subprocessors operate.
Where required by Applicable Data Protection Laws, the parties will use appropriate transfer mechanisms for international transfers of Personal Data.
18. U.S. State Privacy Laws
To the extent Spherium.ai processes Personal Data subject to applicable U.S. state privacy laws on behalf of Customer, Spherium.ai will process such Personal Data as a service provider or processor and will not:
- Sell Personal Data;
- Share Personal Data for cross-context behavioral advertising except as instructed or enabled by Customer or as described in the Privacy Policy for website visitors;
- Retain, use, or disclose Personal Data outside the business purposes described in the Agreement and this DPA;
- Combine Personal Data with personal information received from other sources except as permitted by applicable law.
19. Confidentiality
Spherium.ai will ensure that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations.
20. Order of Precedence
If there is a conflict between this DPA and the Agreement regarding processing of Personal Data, this DPA will control to the extent of the conflict.
If there is a conflict between this DPA and any signed written agreement specifically addressing data processing, the signed written agreement will control.
21. Contact
Questions about this DPA may be directed to:
support@spherium.ai
