Data Processing Agreement

Effective date: May 16, 2026

Overview

This Data Processing Agreement ("DPA") forms part of the agreement between XNODEHUB ENTERPRISES PTE. LTD. ("Modelane", "Processor") and the customer ("Controller") for the provision of the Modelane platform.

This DPA applies where Modelane processes personal data on behalf of the Controller in the course of providing the Service.

Roles and Responsibilities

Controller: The customer determines the purposes and means of processing personal data submitted through the Service.

Processor: Modelane processes personal data only on behalf of and in accordance with the documented instructions of the Controller.

Data Categories

The following categories of data may be processed under this DPA:

  • API request and response content (processed only during the request lifetime; not retained by default)
  • Account and billing information
  • Usage metadata (request ID, timestamp, model class, token count)

Subprocessors

Modelane engages subprocessors to deliver the Service. A current list of subprocessors is maintained in our Privacy Policy. The Controller will be notified at least 30 days before any new subprocessor is engaged. The Controller may object to a new subprocessor within 14 days of notification.

International Transfers

Where personal data is transferred outside the jurisdiction of the Controller, Modelane ensures appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission and compliance with the cross-border transfer requirements of the Singapore Personal Data Protection Act (PDPA).

Security Measures

Modelane implements the following technical and organizational measures to protect personal data:

  • Encryption in transit (TLS 1.3) and at rest (AES-256-GCM)
  • VPC-isolated compute infrastructure
  • HSM-backed key management with automatic rotation
  • Role-based access control with least-privilege principles
  • Audit logging of all administrative and data access events
  • Regular security assessments and penetration testing

Data Breach Notification

Modelane will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach. The notification will include the nature of the breach, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed to mitigate the breach.

Data Return and Deletion

Upon termination of the Service or upon the Controller's request, Modelane will delete or return all personal data processed under this DPA within 30 days, unless retention is required by applicable law. A certificate of deletion will be provided upon request.

Request a Signed DPA

Enterprise customers can request a signed DPA by contacting us at legal@modelane.ai. We will provide a countersigned PDF within 5 business days.

XNODEHUB ENTERPRISES PTE. LTD. · UEN 202408470C
73 Upper Paya Lebar Road, #08-01M, Centro Bianco, Singapore 534818