Data Processing Agreement

Last updated: June 2026

1. Parties

This agreement is entered into between:

  • The Data Controller: the user or entity that uses the corelayer0 service to expose their API via an MCP server (hereinafter "the Customer").
  • The Data Processor: iojik SAS, RCS Paris 994 122 018, publisher of the corelayer0 service (hereinafter "iojik").

This DPA forms an integral part of the corelayer0 Terms of Service and applies when the Customer processes personal data within the meaning of the GDPR through the service.

2. Subject and Nature of Processing

iojik processes personal data on behalf of the Customer strictly within the scope of providing the corelayer0 service, namely:

  • Routing MCP requests from the Customer's LLM clients to the Customer's target API, and returning responses.
  • Encrypted storage of authentication credentials provided by the Customer to access their target API (static bearer tokens).
  • Temporary caching of the Customer's OpenAPI specifications for MCP tool generation.

iojik does not access the content of personal data transiting through the service, does not analyse it, and does not use it for any purpose other than service delivery.

As an ancillary activity, iojik performs anonymised audience measurement on the public pages of the service (dashboard and OAuth consent pages) via a self-hosted Matomo instance without cookies. No MCP request content or API payload is ever transmitted to this tool.

3. Duration

This agreement takes effect on the date the Customer accepts the Terms of Service and remains in force until account termination or deletion of the relevant projects. Upon termination, iojik deletes or returns the data in accordance with Article 9.

4. iojik's Obligations (Processor)

iojik undertakes to:

  • Process personal data only on documented instructions from the Customer, as expressed through the service configuration (enabled endpoints, provided credentials).
  • Ensure the confidentiality of data processed; authorised personnel are subject to a confidentiality obligation.
  • Implement the technical and organisational measures described in Article 7.
  • Not engage any new sub-processor without informing the Customer (Article 5).
  • Assist the Customer, to the extent possible, in responding to data subject rights requests (Article 8).
  • Notify the Customer of any data breach without undue delay and at most within 72 hours of becoming aware of the incident (Article 6).
  • Make available the information necessary to demonstrate compliance and allow for audits (Article 10).

5. Sub-processors

The Customer authorises iojik to engage the following sub-processors:

  Sub-processor                    | Location                                              | Role                                                                                              | Safeguards
  ---------------------------------|-------------------------------------------------------|---------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------
  OVH Cloud SAS — VPS              | Strasbourg, France                                    | Application server hosting (API)                                                                  | EU Standard Contractual Clauses — OVH DPA
  OVH Cloud SAS — Cloud Databases  | Gravelines, France                                    | PostgreSQL database                                                                               |
  OVH Cloud SAS — KMS              | Paris, France (eu-west-par, 3-AZ, HDS certified)      | Encryption key management (KMS) — master keys never leave the OVH HSM                             |
  OVH Cloud SAS — VPS Matomo       | Strasbourg, France                                    | Hosting of the self-hosted Matomo instance (cookie-free audience measurement on public service pages) | Same OVH DPA — instance fully controlled by iojik, no third-party analytics vendor

In the event of changes to this list, iojik will notify the Customer by email with 14 days' notice. The Customer has the right to object with justification.

6. Data Breach

In the event of a personal data breach within the meaning of Article 4(12) of the GDPR, iojik will notify the Customer without undue delay, and in any event within 72 hours of becoming aware of the incident, by email to the address associated with the account.

The notification will include, to the extent possible: the nature of the breach, the categories and approximate number of data subjects affected, and the measures taken or planned.

7. Security Measures

iojik implements the following measures:

  • Encryption in transit: TLS on all communications.
  • Encryption at rest: API secrets encrypted under keys managed by OVH KMS, one key per project.
  • Authentication tokens stored as hashes, never in plaintext.
  • Logical isolation per user and per project.
  • Infrastructure hosted exclusively in French data centres (OVH Cloud).
  • Access to production systems restricted to authorised personnel.

8. Data Subject Rights

If iojik directly receives a rights request (access, rectification, erasure, portability, objection) from a data subject whose data transits through the Customer's service, iojik will inform the Customer as soon as possible so that they can respond.

iojik is not able to respond directly to such requests for data processed on behalf of the Customer, unless expressly instructed to do so by the Customer.

9. Data Return and Deletion

Upon termination of the contractual relationship or at the Customer's request:

  • OpenAPI specifications, endpoint configurations, and encrypted credentials are deleted within 30 days.
  • Residual backups are purged within 60 days.
  • Upon explicit request, iojik may provide written confirmation of deletion.

10. Audit

The Customer may request, once per year with 30 days' notice, information to verify compliance with this agreement. iojik will respond in writing to reasonable security questionnaires.

For on-site audits, the parties will mutually agree on the arrangements.

11. Governing Law

This agreement is governed by French law. Any dispute relating to its interpretation or performance falls under the exclusive jurisdiction of the courts of Paris.

Contact

For any questions regarding this DPA: dpa@corelayer0.com