Data Processing Agreement

Last updated: June 18, 2026

Acceptance & Binding Effect

This Data Processing Agreement (“DPA”) forms part of and is incorporated into the Terms of Service and governs the processing of personal data by BitCore AI Ltd (the “Company”, “we”) on behalf of the customer (“Customer”) in connection with the services made available through gpu.ai (the “Services”). By using the Services, or by submitting personal data through them, the Customer agrees to be bound by this DPA, which applies automatically to the extent we process personal data on the Customer’s behalf.

Roles of the Parties

In respect of personal data processed in connection with the Services, the Customer acts as the controller (or business, and as Data Fiduciary under Indian law where applicable) and the Company acts as the processor (or service provider, and as Data Processor under Indian law where applicable), except where the Company processes data for its own independent purposes as described in the Privacy Policy. The Company processes personal data only on behalf of, and in accordance with the documented instructions of, the Customer unless otherwise required by applicable law.

Scope & Purpose of Processing

The Company processes personal data only to provide, maintain, and support the Services and not for any purpose not authorised by the Customer. Processing may include collection, storage, organisation, retrieval, transmission, and deletion of personal data as required to perform the Services. The categories of personal data and data subjects are determined by the Customer and may vary with the Customer’s use of the Services. The Company operates a technology platform and does not determine the content of the data processed through the Services.

Confidentiality & Personnel

The Company ensures that personnel authorised to process personal data are subject to appropriate confidentiality obligations and process such data only on a need-to-know basis for the performance of the Services. Access to personal data is limited to authorised personnel who require it for legitimate operational purposes.

Technical & Organisational Measures

The Company implements and maintains appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage, commensurate with the nature, scope, and risks of the processing. The Customer acknowledges that the Services are provided in part using infrastructure operated by third-party providers, and that the Company’s obligations under this clause are limited to measures that are commercially reasonable and consistent with the capabilities and contractual commitments of such providers.

Sub-Processors

The Customer agrees that the Company may engage third-party Sub-Processors in connection with the Services. The Company ensures that such Sub-Processors are subject to contractual obligations no less protective than those in this DPA, to the extent within the Company’s control. A current list of Sub-Processors is maintained in our Sub-Processor Disclosure. We may update our Sub-Processors from time to time, and continued use of the Services following such an update constitutes acceptance of the change. Certain Sub-Processors may be integral to the Services and may not be capable of substitution without materially impacting them.

International Transfers

Personal data may be transferred to and processed in jurisdictions outside its country of origin, including where the Company or its Sub-Processors operate. The Company ensures that such transfers are conducted in accordance with applicable data-protection law and implements appropriate safeguards, including standard contractual clauses and, where applicable, the UK International Data Transfer Agreement or equivalent mechanisms. The Customer authorises the Company to enter into such arrangements on its behalf where required.

Data Subject Rights

Taking into account the nature of the processing, the Company provides reasonable assistance to the Customer in responding to data-subject requests under applicable data-protection law, including rights of access, correction, erasure, restriction, portability, and objection. The Company is not responsible for directly responding to such requests unless required by applicable law.

Data Breach Notification

The Company notifies the Customer without undue delay upon becoming aware of a personal-data breach affecting personal data processed on the Customer’s behalf. The notification includes information reasonably available to the Company about the nature of the breach, the categories of data affected, and the measures taken or proposed, subject to limitations imposed by third-party providers or legal requirements.

Audit & Compliance

The Company makes available information reasonably necessary to demonstrate compliance with this DPA. Where appropriate, this may be satisfied through independent third-party certifications or audit reports. Any further audit rights are subject to reasonable limitations, including prior notice, confidentiality obligations, and safeguards necessary to protect the Company’s systems, infrastructure, and other customers.

Data Retention & Deletion

Upon termination or expiry of the Customer’s use of the Services, the Company, subject to applicable law, deletes or returns personal data processed on the Customer’s behalf. The Customer acknowledges that residual copies may be retained in backup systems for a limited period in accordance with the Company’s data-retention policies.

India Data Protection Compliance

To the extent personal data processed under this DPA is subject to the Digital Personal Data Protection Act, 2023, the Customer acts as Data Fiduciary and the Company as Data Processor. The Company processes personal data only for the purposes specified by, and in accordance with the instructions of, the Customer and not for any independent purpose except as required by law. The Customer represents that it has provided all necessary notices and obtained all requisite consents. The Company implements reasonable security safeguards and, to the extent applicable and commercially reasonable, assists the Customer with data-subject rights and grievance redressal. Personal data may be processed outside India, subject to applicable law.

Liability & Governing Law

The Company’s liability arising out of or in connection with this DPA is subject to the limitations of liability set out in the Terms of Service. This DPA is governed by and construed in accordance with the laws of the Dubai International Financial Centre (DIFC), unless otherwise required by applicable data-protection law.

Contact

For questions about this DPA or to discuss a countersigned copy for vendor review, contact us at support@gpu.ai.