Legal
Data Processing Addendum
Covers our processing of personal data on your behalf under GDPR, UK GDPR, and CCPA.
1. Scope
This DPA forms part of the Goatfied Terms of Service between AIARCO Inc. ("Processor") and the customer ("Controller"). It applies whenever Goatfied processes personal data on the Controller's behalf.
2. Categories of data
- Account identifiers (name, email, organization).
- Usage telemetry tied to user IDs.
- Prompt + completion content (only if Controller opts in to retention).
3. Sub-processors
The current list of sub-processors is published at /dpa#subprocessors. We give 30 days' notice before adding a new sub-processor.
- Amazon Web Services (US, EU) — hosting + GPU inference.
- Stripe Inc. — payment processing.
- Vercel Inc. — edge network for marketing pages.
- Anthropic PBC — optional third-party model provider.
- OpenAI Inc. — optional third-party model provider.
4. Security
Encryption in transit (TLS 1.3) and at rest (AES-256). SOC 2 Type II in flight (Q3 2026). Pen-test reports available under NDA.
5. International transfers
We rely on the EU SCCs (2021/914), UK IDTA, and the EU–US Data Privacy Framework where applicable.
6. Sign + countersign
Email legal@goatfied.com to request a signed copy.

