Legal

Data Processing Agreement

Last updated 29 June 2026

1. Scope and roles

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer") and OmniStream ("we", "us") and applies where we process personal data on your behalf in connection with the Service. For that personal data, the Customer is the controller and OmniStream is the processor under the EU General Data Protection Regulation ("GDPR") and equivalent laws. Where you act as a processor for your own customers, we act as a sub-processor and this DPA applies accordingly.

2. Details of the processing

Subject matter and purpose: providing the Service - issuing and verifying keys, proxying your API calls, metering usage, billing, and support.
Duration: for as long as you use the Service, plus any legally required retention period.
Nature of processing: collection, storage, transmission, and forwarding of request data through the unified proxy.
Types of personal data: account identifiers (such as email), authentication and key data, and any personal data you choose to include in requests you route through the proxy.
Categories of data subjects: your authorized users and any individuals whose data you transmit through the Service.

3. Our obligations as processor

We will:

process personal data only on your documented instructions, including the Terms and your use of the Service, unless required by law (in which case we will inform you where permitted);
ensure personnel authorized to process personal data are bound by confidentiality;
implement appropriate technical and organizational security measures (see below);
assist you, taking into account the nature of processing, in responding to data-subject requests and in meeting your security, breach-notification, and impact-assessment obligations; and
make available the information reasonably necessary to demonstrate compliance with this DPA.

4. Security

We maintain measures appropriate to the risk, including encryption of data in transit (HTTPS), hashing of passwords, access controls and least-privilege handling of secrets, and segregation of the platform from unrelated systems. We review these measures and improve them over time.

5. Sub-processors

You authorize us to engage sub-processors to provide the Service. Each sub-processor is bound by data-protection obligations no less protective than this DPA. Our current sub-processors are:

Stripe - payment processing and subscription management.
Our cloud hosting / infrastructure provider - hosting of the gateway, website, and stored data.

When you call an API through the proxy, request data is also forwarded to the API publisher's upstream that you chose to call; that publisher acts as a separate controller or processor for that data. We will give reasonable notice of new or replacement sub-processors, and you may object on reasonable data-protection grounds.

6. International transfers

Where personal data is transferred outside the EEA, we rely on an appropriate transfer mechanism, such as the European Commission's Standard Contractual Clauses or an adequacy decision.

7. Data-subject requests

If we receive a request from a data subject relating to your processing, we will, where legally permitted, forward it to you and not respond directly except on your instructions. We will assist you in fulfilling such requests, taking into account the nature of the processing.

8. Personal data breaches

We will notify you without undue delay after becoming aware of a personal data breach affecting your data, and provide the information reasonably available to help you meet your notification obligations.

9. Return and deletion

On termination of the Service, we will delete or return personal data processed on your behalf, except where retention is required by law. Backups are deleted on our ordinary retention cycle.

10. Audits

We will make available information necessary to demonstrate compliance and allow for, and contribute to, audits - including by providing relevant documentation. On-site audits may be conducted on reasonable prior notice, during business hours, subject to confidentiality and without disrupting our operations.

11. Liability and precedence

This DPA is subject to the limitations of liability in the Terms of Service. If there is a conflict between this DPA and the Terms regarding the processing of personal data, this DPA prevails.

12. Accepting this DPA

If you are a business customer who needs a signed DPA, contact us at support@skinvaults.online with your company details and we will execute it. Otherwise, this DPA applies to your use of the Service as published.