Laplace
Sign inUse beta

Legal & Trust

Data Processing Addendum

This DPA forms part of the Terms of Service and governs Laplace's processing of personal data on behalf of business customers under GDPR, UK GDPR, and similar laws.

Last updated · May 31, 2026

1. Roles

For Customer Content, the customer is the controller and Laplace is the processor (or sub-processor where the customer is itself a processor). Laplace processes personal data only on documented instructions from the customer, including those set out in the Terms and this DPA.

2. Scope of processing

  • Subject matter: provision of the Laplace ML workbench.
  • Duration: the term of the agreement plus the retention windows below.
  • Nature & purpose: hosting, profiling, model training/evaluation, and reporting on the customer's datasets.
  • Data subjects & data types: as determined by the customer's uploaded content.

3. Confidentiality & security

Laplace ensures personnel are bound by confidentiality and implements the technical and organizational measures described in the Security Overview, including encryption in transit and at rest, access controls, and logging.

4. Subprocessors

The customer authorizes Laplace to engage the subprocessors listed on the Subprocessors page. Laplace imposes data-protection obligations on each subprocessor and remains responsible for their performance. We provide notice before adding a subprocessor that processes Customer Content.

5. Data subject requests

Laplace will assist the customer, by appropriate technical and organizational measures, in responding to requests to exercise data-subject rights, and will forward any request it receives directly to the customer.

6. International transfers

Where personal data is transferred outside the EEA/UK, the parties rely on the EU Standard Contractual Clauses (and the UK Addendum) incorporated by reference, with Laplace as data importer.

7. Breach notification

Laplace will notify the customer without undue delay (and within 72 hours where feasible) after becoming aware of a personal-data breach affecting Customer Content, with information reasonably available to support the customer's own notification obligations.

8. Audits

Laplace will make available information necessary to demonstrate compliance and, on reasonable request and subject to confidentiality, support audits via documentation, questionnaires, or available third-party reports.

9. Return & deletion

On termination, the customer may export Customer Content for 30 days, after which Laplace deletes it per the retention schedule in the Privacy Policy, unless retention is legally required.

10. Execution

To execute a countersigned DPA or request our SCCs, contact legal@laplace.ai.