Layers

DPA & Contractual

Data Processing Addendum, SCCs, breach notification.

Getting a signed DPA

To start a DPA conversation, email legal@layers.com with:

  • Your signatory entity (legal name + country of incorporation).
  • The countries in which the data subjects are located.
  • Your requested governing law.

The template we send is GDPR Article 28-compliant, incorporates the current Standard Contractual Clauses (SCC Module 2, controller → processor) for EU → US transfers, and references the sub-processor list.

Roles

  • You are the data controller for your end-users' data.
  • Layers is a data processor, acting on your documented instructions.
  • For partner-representative data (the humans at your company who log into Layers or receive API keys), Layers is the controller.

Cross-border transfers

EU → US transfers rely on the SCCs incorporated into the DPA. A Transfer Impact Assessment is available on request.

Breach notification

If Layers detects a breach of your Customer Data:

  • We will notify your designated security contact as soon as reasonably practicable and in any event within the 72-hour window required under GDPR Article 33.
  • Notification goes to the Org Owner and any Security contact you've registered.

SLA

Layers does not publish a standard uptime SLA today. Uptime commitments, credits, and remedies — if any — are negotiated per agreement at contract time.

IP / confidentiality

  • Your Customer Data is yours.
  • Layers' platform and models are ours.
  • Rights in generated content follow the DPA: you retain ownership of generated assets; Layers has a limited license to process them to deliver the service.

Term & termination

  • Termination-for-convenience windows, post-termination data retention, and deletion mechanics are all defined in your signed DPA / MSA. Defaults aren't published here.
