Data Processing Addendum
This addendum supplements the Terms of Service and describes how Zesto, LLC (operating ObixHub) handles personal data in connection with the service.
- 01
Roles
For personal data in account profiles, billing, and usage metadata that we collect to operate ObixHub, Zesto, LLC is the controller (or equivalent under applicable law).
For request and response contents you submit through the gateway on behalf of your end users, you are the controller and ObixHub acts as a processor (or service provider): we transmit that content to the model provider you target to fulfil the request and do not store it.
- 02
Scope of processing
Account, billing, and usage metadata are processed as described in the Privacy Policy. API request and response contents are forwarded in transit to Anthropic or OpenAI and are not written to our application storage.
- 03
Sub-processors
Current categories and typical providers include: Anthropic and OpenAI (model inference); Stripe (payments); Neon (database); Cloudflare (hosting and edge); Google and GitHub (OAuth sign-in); Google Analytics (marketing-site analytics); and our email delivery provider for transactional mail. We’ll give notice of material changes to this list where required and let you object on reasonable grounds.
- 04
Confidentiality & security
Personnel with access to data are bound by confidentiality. We maintain technical and organizational measures appropriate to the risk — encryption in transit and at rest, hashed customer keys, encrypted provider credentials, team isolation, and no retention of API message bodies.
- 05
Data subject requests
We can assist with access, correction, and deletion of the account, billing, and usage data we hold. Because we do not retain API request or response contents, there is nothing for us to return or erase from that stream.
- 06
Breach notification
If we become aware of a personal-data breach affecting your data, we’ll notify you without undue delay and share the information you need to meet your own obligations.
- 07
Deletion & return
On termination, we delete or return the account and usage metadata we hold within a reasonable period, except where retention is required by law (for example, tax or accounting records).
- 08
International transfers
Where data is processed across regions, we rely on appropriate safeguards and on the data-protection commitments of our sub-processors.
- 09
Contact
To request this addendum as a signed document or ask about our data practices, email hi@obixhub.com.