SeaLinkSeaLink
/
← Trust & Legal

Data Processing Agreement

Last updated: 2026-05-25

Agreement scope: This DPA covers SeaLink's current product data flows: account, billing, usage metadata, error diagnosis, and customer-enabled request snapshots.

1. Roles

Customer acts as Data Controller. SeaLink (Singapore) acts as Data Processor. Model inference infrastructure acts as a Sub-processor — see /legal/sub-processors.

2. Purpose & scope of processing

SeaLink processes Customer Data only for service delivery (request processing, billing, usage analytics, error diagnosis). Processing types: transmission for model calls, temporary storage of metadata logs, and aggregation for usage reports.

3. What SeaLink does NOT store

  • Request bodies (prompts)
  • Response bodies (completions)
  • Source text for embeddings
  • Personal data of Customer's end users

4. Metadata SeaLink does process

  • Timestamps
  • Model ID
  • Token counts (input / output / cached)
  • Latency, status code
  • Customer account ID and API Key ID (no prompt correlation)

5. Storage location & cross-border transfer

Default storage in Singapore. When invoking models, data is processed in the relevant region for the selected model path. Enterprise clients with dedicated residency requirements can define them in the DPA.

Cross-border transfer safeguards: US transfers: EU SCC (2021/914) + DPF certification. Singapore: PDPA adequacy (EU Commission decision 2025). China: EU SCC + PIPL Art.38 supplementary measures. EU/EEA: GDPR Art.45 adequacy (internal market). Prompts and completions are not persistently stored on SeaLink servers, reducing transfer risk.

6. Sub-processors

Full sub-processor list at /legal/sub-processors. New sub-processors are announced 30 days in advance in public legal notices. Customers may object in writing within 30 days; if upheld, parties negotiate replacement or termination.

7. Data subject rights

SeaLink assists Customer in fulfilling data subject access / rectification / erasure / objection / portability / restriction rights. Send requests to contact@sealink.io — we respond within 30 days.

8. Data breach notification

Upon confirming a data breach, SeaLink notifies Customer within 72 hours in writing, including incident description, estimated scope, and remediation steps taken.

9. Data deletion

Within 30 days of Customer account closure, SeaLink deletes all Customer metadata. Aggregated, anonymized statistics may be retained for service quality analysis. Backups are overwritten within 90 days.

10. Audit rights

Customer may audit SeaLink once per year (onsite or remote), with 30 days' written notice. Audit costs are borne by the requesting party unless material non-compliance is found.