Goatfied

Legal

Data Processing Addendum

Covers our processing of personal data on your behalf under GDPR, UK GDPR, and CCPA.

1. Scope

This DPA forms part of the Goatfied Terms of Service between AIARCO Inc. ("Processor") and the customer ("Controller"). It applies whenever Goatfied processes personal data on the Controller's behalf.

2. Categories of data

  • Account identifiers (name, email, organization).
  • Usage telemetry tied to user IDs.
  • Prompt + completion content (only if Controller opts in to retention).

3. Sub-processors

The current list of sub-processors is published at /dpa#subprocessors. We give 30 days' notice before adding a new sub-processor.

  • Amazon Web Services (US, EU) — hosting + GPU inference.
  • Stripe Inc. — payment processing.
  • Vercel Inc. — edge network for marketing pages.
  • Anthropic PBC — optional third-party model provider.
  • OpenAI Inc. — optional third-party model provider.

4. Security

Encryption in transit (TLS 1.3) and at rest (AES-256). SOC 2 Type II in flight (Q3 2026). Pen-test reports available under NDA.

5. International transfers

We rely on the EU SCCs (2021/914), UK IDTA, and the EU–US Data Privacy Framework where applicable.

6. Sign + countersign

Email legal@goatfied.com to request a signed copy.

Data Processing Addendum · Goatfied