Data Processing Agreement
Requesty offers a DPA covering GDPR processor obligations for all traffic routed through the gateway. Request a copy by email — we typically turn signatures around in a few business days.
Include your company name and a signatory contact.
GDPR Article 28
Standard processor terms: scope, confidentiality, security measures, subprocessors, breach notification, deletion.
EU data residency
EU gateway hosted in Frankfurt, Germany. Route to EU-region model deployments so the full request path stays in the EU.
Zero data retention
Request and response bodies are not stored. Observability runs on metadata only — tokens, latency, cost.
Published subprocessors
A current subprocessor list is public and maintained at requesty.ai/privacy/subprocessors.
When you route LLM traffic through a gateway, the gateway operator processes your prompts and completions on your behalf — which makes it a data processor under GDPR and means your compliance review will ask for a DPA. Requesty provides one as standard, alongside the architecture choices that make it easy to sign off: requests on the EU gateway are processed in Frankfurt, request and response bodies are never stored, and EU-region deployments of Claude, GPT, Gemini and Mistral keep the full request path inside the European Union.
For the broader compliance picture, see our security overview, privacy policy and the subprocessor list.
Frequently asked questions
Yes. Requesty provides a DPA covering GDPR Article 28 processor obligations for all traffic routed through the gateway. To receive a copy for review and signature, email sales@requesty.ai.
The DPA defines Requesty as a data processor for the prompts and completions you route through the gateway: the scope and purpose of processing, confidentiality, security measures, subprocessor management, breach notification, and deletion. It reflects our zero-data-retention architecture: request and response bodies are not stored.
OpenRouter routes through US infrastructure and inherits the compliance posture of each upstream provider. If your review requires a processor DPA together with EU data residency, Requesty offers both: a GDPR Article 28 DPA and an EU gateway hosted in Frankfurt with zero data retention.
On the EU gateway (router.eu.requesty.ai), requests are processed in Frankfurt, Germany, and can be routed to EU-region model deployments so the full request path stays in the European Union. A current list of subprocessors is published at requesty.ai/privacy/subprocessors.
Usually a few business days. Email sales@requesty.ai with your company details; we send our standard DPA for review and can accommodate reasonable redlines for enterprise agreements.
Ready for your compliance review?
Email us and we will send the DPA for review and signature.
sales@requesty.ai