# DPA & Contractual (/docs/trust/dpa)



## Getting a signed DPA [#getting-a-signed-dpa]

To start a DPA conversation, email
[legal@layers.com](mailto:legal@layers.com) with:

* Your signatory entity (legal name + country of incorporation).
* The countries where the personal data subjects are located.
* Your requested governing law.

The template we send is GDPR Article 28-compliant, incorporates the
current Standard Contractual Clauses (SCC Module 2, controller →
processor) for EU → US transfers, and references the [sub-processor
list](/docs/trust/subprocessors).

## Roles [#roles]

* **You** are the data **controller** for your end-users' data.
* **Layers** is a data **processor**, acting on your documented
  instructions.
* For partner-representative data (the humans at your company who log
  into Layers or receive API keys), Layers is the controller.

## Cross-border transfers [#cross-border-transfers]

EU → US transfers rely on the SCCs incorporated into the DPA. A
Transfer Impact Assessment is available on request.

## Breach notification [#breach-notification]

If Layers detects a breach of your Customer Data:

* We will notify your designated security contact as soon as
  reasonably practicable and in any event within the 72-hour window
  required under GDPR Article 33.
* Notification goes to the Org Owner and any Security contact you've
  registered.

## SLA [#sla]

Layers does not publish a standard uptime SLA today. Uptime
commitments, credits, and remedies — if any — are negotiated per
agreement at contract time.

## IP / confidentiality [#ip--confidentiality]

* Your Customer Data is yours.
* Layers' platform and models are ours.
* Rights in generated content follow the DPA: you retain ownership of
  generated assets; Layers has a limited license to process them to
  deliver the service.

## Term & termination [#term--termination]

* Termination-for-convenience windows, post-termination data retention,
  and deletion mechanics are all defined in your signed DPA / MSA.
  Defaults aren't published here.
