Last updated: April 16, 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service between MachineFi Inc. ("Processor") and the customer ("Controller") using the QuickSilverPro API. It applies whenever QuickSilverPro processes Personal Data on behalf of the Controller within the meaning of the EU GDPR, UK GDPR, or equivalent laws.
Enterprise customers: email hello@quicksilverpro.io for a counter-signed DPA with SCCs (Standard Contractual Clauses) included.
The Controller determines the purposes and means of processing Personal Data submitted to the service. The Processor processes that Personal Data solely on documented instructions from the Controller (via API request parameters) and only to provide the service.
Data subjects: end-users of the Controller's application whose inputs are submitted to the API. Categories: content of prompts and completions (which may contain any Personal Data the Controller chooses to send), account metadata, and usage metadata. Duration: for the term of the service agreement.
Process Personal Data only on Controller's instructions, unless required by law (in which case the Processor will notify the Controller first where legally permitted).
Impose confidentiality obligations on personnel authorized to process Personal Data.
Implement the technical and organizational measures described in Section 6.
Not train machine-learning models on Controller Personal Data.
Assist the Controller with data subject requests and regulatory investigations, at the Controller's reasonable cost for non-routine requests.
The Controller authorizes the Processor to engage the sub-processors listed on our Privacy Policy. We will give at least 30 days' notice (by email or dashboard) before adding or replacing a sub-processor. If the Controller reasonably objects, the Controller may terminate and receive a pro-rata refund of prepaid unused fees.
Personal Data may be processed in the United States. For transfers originating in the EEA, UK, or Switzerland, the parties rely on the EU Standard Contractual Clauses (Module Two, Controller-to-Processor) and the UK International Data Transfer Addendum, which are incorporated by reference upon execution of the enterprise DPA.
TLS 1.2+ for data in transit; HSTS enforced.
API keys stored as SHA-256 hashes; shown in cleartext only once at creation.
Webhook signatures verified with HMAC-SHA256 and timestamp freshness window.
Prompt and completion content not persisted to our storage (held in memory only during request processing).
Access to production systems restricted to authorized personnel, with logs retained for investigation.
Hosted on Railway (SOC 2 Type II baseline) and Cloudflare edge.
We will notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any confirmed Personal Data breach affecting Controller Personal Data. Notifications will include the nature of the breach, categories and approximate number of data subjects, likely consequences, and measures taken.
On termination, we will delete all Personal Data within 30 days, subject to any retention required by law (for tax/accounting, up to 7 years in aggregated, non-personal form). The Controller may export account and usage metadata via the dashboard or by API at any time during the service term.
The Processor will make available to the Controller, upon request, its most recent third-party audit reports (once completed, SOC 2 Type II) or equivalent summaries. Where additional audit rights are required by applicable law, the Processor will reasonably cooperate at the Controller's expense.
In case of conflict between this DPA and the Terms of Service, this DPA controls as to processing of Personal Data.
Data Protection contact: hello@quicksilverpro.io — MachineFi Inc., 68 Willow Road, Menlo Park, CA 94205, USA.