Data Processing Addendum

Last updated: 2026-04-22

This DPA supplements the Ringside Terms of Service for customers who are "controllers" of personal data processed by Fight Club as a "processor" under the UK GDPR, EU GDPR, or equivalent laws. It takes effect automatically when you create a Ringside API account or send your first request to the API; no signature is required, though one is available on request (privacy@fightclub.pro).

1. Definitions

"Controller", "Processor", "Personal Data", "Processing", "Data Subject" follow the UK/EU GDPR meanings. "Customer Data" means personal data you provide to us or instruct us to process through the Ringside API (including your end-users' prompts, conversation history, usage events).

2. Subject matter & scope

We process Customer Data solely to provide the Ringside API described in our documentation, per your instructions issued through the API, dashboard, and these terms. You determine the purposes and means of processing; we are a processor.

3. Duration

Processing continues for as long as your account is active. On termination, we delete or return Customer Data within 30 days unless you instruct otherwise or retention is required by law.

4. Nature of processing

• Storage, retrieval, transmission of prompts + completions.
• Routing prompts to upstream LLM providers (see sub-processors).
• Billing, usage analytics, abuse detection, support.

5. Data subject categories

Your (the controller's) customers and end-users whose data you send to the Ringside API.

6. Data categories

Identifiers (user/customer IDs you assign), prompt content, LLM outputs, metadata (tags, properties, session IDs), usage timestamps. You control what additional personal data you submit.

7. Our obligations

• Process Customer Data only on your documented instructions.
• Ensure anyone authorised to process is under confidentiality obligations.
• Implement appropriate technical and organisational measures (see § 9).
• Assist you in responding to data subject requests (Art. 15-22).
• Assist you with DPIAs and prior consultations (Art. 35-36).
• Notify you of personal data breaches without undue delay and in any event within 72 hours of becoming aware.
• Delete or return Customer Data on termination.

8. Sub-processors

You authorise us to use the sub-processors listed at /sub-processors. We notify you at least 30 days before adding a new sub-processor; you may object (leading to termination of the affected service) within that window. All sub-processors are contractually bound to protections no less protective than this DPA.

9. Technical & organisational measures

• Encrypted in transit and at rest for sensitive values using strong cryptographic primitives.
• Per-user password hashing using a strong one-way function; vault password never stored in plaintext.
• Role-based access control on admin surfaces, audit logging of admin actions.
• Annual review of TOMs; incident response plan; regular backup testing.
• Least-privilege database roles; encrypted, rotating backups.

10. International transfers

Primary storage is in the EU (Germany). Where Customer Data is transferred to a non-adequate country (US-based sub-processors), we rely on the EU Standard Contractual Clauses and, where applicable, the UK International Data Transfer Addendum.

11. Audit

Once per 12 months, you may request a summary of our latest security audit and sub-processor attestations. On 30 days' notice and subject to a mutually agreed confidentiality agreement, you may audit the parts of our environment that process your Customer Data.

12. Contact

Privacy/DPA questions: privacy@fightclub.pro.