# **Tokto.ai Data Processing Addendum (DPA)**

**Last updated:** May 2026

This Data Processing Addendum (the “DPA”) forms part of the applicable agreement between Tokto AI Ltd. (“Tokto,” “we,” “us,” or “Processor”) and the customer identified in the applicable order form or written agreement (“Customer,” “you,” or “Controller”) for the use of Tokto’s website, software, platform, on-premise deployment, dashboard, APIs, support services, and related offerings.

This DPA applies only to the extent Tokto processes Personal Data on behalf of Customer in connection with the Services. If Tokto does not process Personal Data on behalf of Customer in a particular deployment or use case, then this DPA applies only to the extent required by applicable law or the applicable written agreement.

Tokto provides enterprise AI accountability infrastructure. Tokto is designed to help organizations govern, monitor, enforce policies, optimize usage, and maintain records of AI activity across customer-controlled enterprise environments. Tokto’s product is primarily deployed on Customer-controlled infrastructure, with an internal web dashboard and API connectivity. Customer controls its deployment, configuration, enabled features, retention settings, integrations, identity mapping, and policies.

This DPA is intended to satisfy applicable data protection requirements for processor agreements, including, where applicable, Article 28 of Regulation (EU) 2016/679 (the General Data Protection Regulation, “GDPR”) and substantially similar processor-contract requirements under other applicable privacy and data protection laws.

## **1. Definitions**

“Agreement” means the applicable order form, master services agreement, software license agreement, on-premise software license agreement, terms of use, or other written agreement between Tokto and Customer governing Customer’s use of the Services.
“Applicable Data Protection Law” means all privacy, data protection, and data security laws and regulations applicable to the processing of Personal Data under this DPA, including, where applicable, the GDPR, UK GDPR, Swiss data protection law, United States state privacy laws, and other applicable laws.

“Customer Data” means data, content, prompts, outputs, metadata, AI interaction records, configuration settings, policy settings, logs, identifiers, and other information submitted, transmitted, routed, processed, governed, recorded, or stored through the Services by or on behalf of Customer.

“Customer Personal Data” means Personal Data contained in Customer Data that Tokto processes on behalf of Customer as Processor under the Agreement.

“Deidentified Data” means data that does not identify Customer, Customer users, Customer clients, or natural persons, and that is not reasonably linkable to an identified or identifiable natural person.

“Incognito Data” means data generated, transformed, aggregated, pseudonymized, deidentified, or otherwise configured so that Tokto does not receive or maintain real customer identity information, real user identity information, or personal identity information, and where any entity identifiers are created internally and disconnected from the real-world entity unless Customer separately controls the mapping.

“Personal Data” means any information relating to an identified or identifiable natural person, and includes “personal information,” “personal data,” or similar terms under Applicable Data Protection Law.

“Processing” means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, restriction, erasure, or destruction.

“Services” means Tokto’s website, software, on-premise platform, dashboard, APIs, AI governance infrastructure, policy enforcement, visibility, optimization, system-of-record functionality, support, and related offerings provided under the Agreement.

“Subprocessor” means any third party engaged by Tokto to process Customer Personal Data on behalf of Customer.

“Telemetry” means diagnostic, operational, usage, performance, error, support, and system data generated by or related to the Services.

## **2. Roles of the Parties**

Customer is the Controller or business, as applicable, with respect to Customer Personal Data. Customer determines the purposes and means of processing Customer Personal Data, including what data is routed through Tokto, what records are maintained, what policies are enabled, what retention period applies, what integrations are used, and what identity mapping exists inside Customer’s environment.

Tokto is the Processor or service provider, as applicable, with respect to Customer Personal Data processed on behalf of Customer under the Agreement. Tokto processes Customer Personal Data only on documented instructions from Customer, including the Agreement, this DPA, Customer’s configuration of the Services, Customer’s use of APIs, Customer’s enabled features, Customer’s written instructions, and applicable law.

Tokto may act as an independent controller for limited business contact information, website inquiry information, sales communications, support communications, billing administration, and other information processed for Tokto’s own business operations, as described in Tokto’s Privacy Policy. This DPA does not apply to information for which Tokto acts as an independent controller.

## **3. Scope of Processing**

The subject matter of processing is the provision, operation, maintenance, support, security, optimization, and improvement of the Services.
The duration of processing is the term of the Agreement, unless otherwise required by applicable law, Customer’s documented instructions, the applicable retention setting, or the Agreement.

The nature of processing may include receiving, routing, processing, inspecting, transforming, reducing, caching, recording, storing, retrieving, analyzing, logging, displaying, exporting, deleting, and otherwise handling Customer Data as required to provide the Services.

The purpose of processing is to provide Tokto’s AI accountability infrastructure, including AI visibility, policy enforcement, cost and budget management, routing and optimization, security and compliance monitoring, system-of-record functionality, reporting, customer-directed export through available APIs, support, troubleshooting, maintenance, security, and related product functionality.

## **4. Customer Instructions**

Customer instructs Tokto to process Customer Personal Data as necessary to provide the Services, comply with the Agreement, follow Customer’s configuration and enabled features, provide support requested by Customer, secure the Services, comply with applicable law, and perform the obligations described in this DPA.

Tokto will not process Customer Personal Data for purposes other than those described in this DPA or the Agreement unless required by applicable law. If Tokto is required by law to process Customer Personal Data other than on Customer’s instructions, Tokto will inform Customer before such processing unless the law prohibits Tokto from doing so.

Customer is responsible for ensuring that its instructions comply with Applicable Data Protection Law. Tokto may notify Customer if Tokto believes that an instruction violates Applicable Data Protection Law, but Tokto is not required to provide legal advice to Customer.

## **5. Categories of Data**

Depending on Customer’s deployment, configuration, policies, integrations, and enabled features, the Services may process Customer Data that includes prompts, AI model outputs, AI interaction records, AI interaction metadata, policy decisions, routing events, model interaction metadata, token and cost information, user, team, department, application, service, agent, workflow, or entity identifiers, configuration settings, security and compliance logs, administrative actions, timestamps, audit records, diagnostics, error reports, and support information.

Customer has confirmed that Tokto does not currently need to collect or maintain Customer personal information or personal information about Customer’s users for Tokto’s own purposes in order to operate the product, because the product is primarily deployed on-premise, runs inside Customer’s environment, uses an internal web dashboard, and connects through APIs. Where identity information is needed for Customer’s internal governance, visibility, policy enforcement, reporting, or system-of-record purposes, Customer controls the identity mapping, entity names, user records, access controls, and related organizational data inside Customer’s environment.

In future product versions or business models, Tokto may seek to collect Incognito Data for statistical analysis relating to behavior, cost, risk, visibility, optimization, product performance, and product improvement. Such Incognito Data is intended to exclude real customer information and personal information, and to use internally created entity identifiers that are disconnected from real-world entities unless Customer separately controls the mapping. Any such collection will be governed by the Agreement, this DPA, applicable product settings, applicable law, and any additional written terms required at that time.

## **6. Categories of Data Subjects**

Depending on Customer’s deployment and configuration, Customer Personal Data may relate to Customer’s authorized users, employees, contractors, administrators, developers, business users, support personnel, agents acting on behalf of Customer, and other individuals whose information Customer routes through or records in the Services.

Where Customer configures Tokto to use internal entity identifiers disconnected from real-world entities, Tokto may process only those internal identifiers and related operational metadata, while Customer retains control over any mapping between internal identifiers and real individuals or real entities.

## **7. Special Categories of Data**

Customer is responsible for determining whether Customer Data includes special categories of Personal Data, sensitive personal information, regulated data, confidential information, health information, financial information, code, secrets, credentials, or other protected information.

Tokto’s Services are designed to help Customer detect, govern, block, transform, reduce, route, record, or monitor sensitive information depending on enabled features and Customer configuration. Tokto does not require Customer to provide special categories of Personal Data to Tokto unless Customer chooses to route such information through the Services or configure the Services to process such information.

Customer is responsible for ensuring that it has all required rights, notices, consents, legal bases, policies, and safeguards for any sensitive or regulated data that Customer routes through, records in, or processes using the Services.

## **8. Customer Responsibilities**

Customer is responsible for Customer Data, Customer Personal Data, Customer systems, Customer infrastructure, Customer policies, Customer users, Customer configurations, Customer-selected integrations, Customer-selected AI model providers, Customer retention settings, Customer identity mapping, Customer access controls, and Customer instructions.

Customer is responsible for complying with Applicable Data Protection Law, including providing notices to data subjects, establishing a lawful basis for processing, responding to data subject requests, maintaining required records, conducting data protection impact assessments where required, and ensuring that Customer’s use of the Services complies with employment, privacy, security, industry, and regulatory obligations.

For on-premise deployments, Customer is responsible for operating, securing, monitoring, and maintaining Customer-controlled infrastructure, including databases, servers, cloud accounts, storage, network configuration, encryption controls, credentials, keys, access controls, backups, logging, and related systems. Customer is responsible for configuring the Services in a manner appropriate to Customer’s legal, security, operational, and compliance requirements.

## **9. Tokto Responsibilities**

Tokto will process Customer Personal Data only on Customer’s documented instructions, use personnel or contractors who are subject to confidentiality obligations, implement appropriate technical and organizational measures for the Tokto-controlled portions of the Services, assist Customer as described in this DPA, and make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality, security, and protection of Tokto confidential information.

Tokto will not sell Customer Personal Data.
Tokto will not use Customer content to train, fine-tune, or improve general-purpose AI models unless Customer expressly authorizes such use in writing or through a clear product setting.

Tokto may use Aggregated Data, Deidentified Data, or Incognito Data to analyze usage, improve services, develop features, monitor performance, support security, optimize cost and routing, and produce statistical insights, provided such data does not identify Customer, Customer users, Customer clients, or natural persons, and provided such use is permitted by the Agreement and Applicable Data Protection Law.

## **10. Telemetry**

Telemetry is default-on unless the Agreement, order form, product settings, deployment configuration, or Customer’s written instructions state otherwise. Telemetry may include operational, diagnostic, usage, performance, error, support, and system data needed to maintain, support, secure, troubleshoot, and improve the Services.

Telemetry is not intended to include real customer identity information, real user identity information, personal information, Customer prompts, Customer outputs, proprietary Customer data, or Customer-owned models, unless such data is necessary for support requested by Customer, configured by Customer, required to provide the Services, or required by law.

Customer may disable, limit, or configure telemetry where supported by the product and the applicable Agreement.

## **11. Security Measures**

Tokto will implement reasonable technical, administrative, and organizational safeguards designed to protect Customer Personal Data processed by Tokto against unauthorized access, disclosure, alteration, loss, misuse, or destruction. These safeguards may include access controls, authentication measures, encryption where appropriate, monitoring, logging, least-privilege access practices, internal security controls, confidentiality obligations, secure development practices, vulnerability management, and support procedures.
Because Tokto’s product is primarily deployed on Customer-controlled infrastructure, Customer remains responsible for infrastructure-level security, network security, storage security, credential security, key management, database security, cloud account security, endpoint security, access control, backup configuration, and operational monitoring within Customer’s own environment. Tokto’s obligations apply to the Tokto-controlled portions of the Services and to Tokto’s own systems used to support, maintain, or improve the Services.

## **12. Confidentiality**

Tokto will ensure that persons authorized by Tokto to process Customer Personal Data are subject to appropriate confidentiality obligations.

Customer will protect Tokto confidential information, including non-public software, source code, binaries, APIs, routing logic, model orchestration, prompt-processing logic, system prompts, architecture, configurations, templates, performance characteristics, pricing, documentation, and non-public technical or business information, in accordance with the Agreement.

## **13. Subprocessors**

As of the effective date of this DPA, Tokto does not publish a public subprocessor list. Tokto may publish a subprocessor list in the future as its software, infrastructure, hardware optimization, performance architecture, storage architecture, support operations, or cloud services evolve.

Tokto will not engage a Subprocessor to process Customer Personal Data unless permitted by the Agreement, an order form, Customer’s written authorization, or Applicable Data Protection Law. Where Tokto engages a Subprocessor to process Customer Personal Data, Tokto will impose data protection obligations on the Subprocessor that are substantially similar to those in this DPA, to the extent applicable to the nature of the services provided by the Subprocessor.
If required by Applicable Data Protection Law or the Agreement, Tokto will provide notice of new Subprocessors and a reasonable opportunity to object, subject to the procedures and limitations in the Agreement.

## **14. Third-Party AI Providers and Customer-Selected Services**

Customer may configure the Services to interact with third-party AI model providers, APIs, platforms, tools, IDEs, browser consoles, services, or integrations. Customer is responsible for selecting, authorizing, configuring, and using third-party AI providers and Customer-selected third-party services.

Customer’s use of third-party AI providers may be subject to the third party’s own terms, privacy policies, data processing terms, security commitments, model training policies, and data retention rules. Tokto is not responsible for third-party model behavior, third-party AI provider policies, Customer-selected third-party services, or Customer’s configuration of those services, except as expressly stated in a written agreement with Tokto.

## **15. Data Subject Requests**

Customer is responsible for responding to requests from data subjects exercising rights under Applicable Data Protection Law.

To the extent Tokto processes Customer Personal Data on behalf of Customer and Customer cannot reasonably respond to a data subject request without Tokto’s assistance, Tokto will provide reasonable assistance using appropriate technical and organizational measures, taking into account the nature of the processing, the information available to Tokto, the deployment model, Customer’s configuration, and the fact that Customer may control the relevant infrastructure and identity mapping.

If Tokto receives a request directly from a data subject relating to Customer Personal Data, Tokto may direct the data subject to Customer unless prohibited by law.

## **16. Assistance with Compliance**

Taking into account the nature of processing and the information available to Tokto, Tokto will provide reasonable assistance to Customer with Customer’s obligations relating to security, data protection impact assessments, prior consultation with supervisory authorities, and data breach obligations, where such obligations apply to Customer’s use of the Services.

Tokto’s assistance is limited to the Tokto-controlled portions of the Services and to information reasonably available to Tokto. Customer remains responsible for compliance decisions, legal analysis, notices, data protection impact assessments, regulatory submissions, and communications with supervisory authorities unless otherwise agreed in writing.

## **17. Security Incidents**

Tokto will notify Customer without undue delay after becoming aware of a confirmed security incident involving Customer Personal Data processed by Tokto, where such notice is required by Applicable Data Protection Law or the Agreement. The notice will include information reasonably available to Tokto, which may include the nature of the incident, categories of data affected, likely consequences, mitigation steps taken or proposed, and contact information for follow-up.

Because the Services may be deployed on Customer-controlled infrastructure and because many features can be disabled or configured by Customer, Customer is responsible for monitoring, investigating, and responding to incidents occurring within Customer’s own systems, infrastructure, credentials, network, storage, databases, identity systems, endpoints, and access controls.

Tokto’s notification of or response to a security incident is not an admission of fault or liability. Breach notification timing may be further defined in the applicable enterprise agreement, SLA, order form, or security addendum.

## **18. Return and Deletion of Data**

Upon termination or expiration of the Agreement, Tokto will return or delete Customer Personal Data processed by Tokto in accordance with the Agreement, Customer’s written instructions, applicable product functionality, and applicable law.

For on-premise deployments, Customer is responsible for deleting, exporting, retaining, or securing Customer Data stored in Customer-controlled infrastructure, databases, storage, backups, logs, and systems.

Tokto may retain information where required by law, necessary to resolve disputes, enforce agreements, support security, maintain business records, or preserve Deidentified Data, Aggregated Data, or Incognito Data that does not identify Customer, Customer users, Customer clients, or natural persons.

## **19. Audits and Information Rights**

Tokto will make available information reasonably necessary to demonstrate compliance with this DPA, subject to the Agreement, confidentiality obligations, security restrictions, protection of Tokto confidential information, and reasonable limitations.

Where required by Applicable Data Protection Law, Customer may request an audit of Tokto’s compliance with this DPA. Any audit must be conducted during normal business hours, with reasonable prior notice, in a manner that does not disrupt Tokto’s business operations, compromise security, expose information of other customers, or require disclosure of Tokto confidential information, trade secrets, system prompts, routing logic, model orchestration, source code, security-sensitive information, or non-public technical information.

Tokto may satisfy audit requests through security documentation, certifications, questionnaires, written responses, summaries, third-party reports, or other reasonable evidence, where available.

## **20. International Data Transfers**

Tokto may process information in countries other than the country where Customer or Customer users are located, to the extent required to provide the Services, support operations, business operations, or customer-requested functionality.

Where Customer Personal Data is transferred from the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with transfer restrictions to a country that does not provide an adequate level of protection, Tokto will use an appropriate transfer mechanism where required by Applicable Data Protection Law, such as applicable standard contractual clauses, an adequacy decision, or another lawful transfer mechanism. The European Commission issued modernized standard contractual clauses for international transfers under the GDPR on 4 June 2021, and those clauses may be used where applicable for restricted transfers ([European Commission](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en)).

If standard contractual clauses or similar mechanisms are required, the parties will complete the applicable modules and appendices in a manner consistent with the Agreement, the processing activities, and the actual deployment model.

## **21. Deidentified, Aggregated, and Incognito Data**

Tokto may use Deidentified Data, Aggregated Data, and Incognito Data to analyze usage, monitor performance, improve the Services, develop features, support security, optimize costs, assess risks, understand behavior patterns, improve visibility, and produce statistical insights.

Tokto will not attempt to reidentify Deidentified Data or Incognito Data, except where required to validate deidentification controls, investigate security issues, comply with law, or as otherwise permitted by Applicable Data Protection Law.
Customer acknowledges that future Tokto functionality may include collection and analysis of Incognito Data for behavioral statistics relating to costs, risks, visibility, and AI usage patterns. Such Incognito Data is intended to avoid real customer identity information and personal information, and to use internal entity identifiers disconnected from real-world entities unless Customer separately controls the mapping. Any future expanded collection of Incognito Data will be implemented through product functionality, customer configuration, written agreement, or updated documentation, as appropriate.

## **22. No Cookies and Basic Analytics**

Tokto’s public website is informational. Tokto does not currently use cookies on the website. Tokto may use basic analytics to understand website usage and improve communications, provided such analytics are configured consistently with Tokto’s Privacy Policy and Applicable Data Protection Law.

The product itself runs on-premise with an internal web dashboard and API connectivity, unless otherwise stated in the applicable Agreement.

## **23. Publicity and Customer Logo Use**

Customer logo use is governed by the order form. Tokto may use Customer’s name or logo only as permitted by the applicable order form, written agreement, or Customer’s written approval.

## **24. Limitation of Scope**

This DPA does not create obligations for features that are not implemented, not enabled, not configured, or not included in the applicable Agreement.

This DPA does not represent that Tokto currently supports desktop AI usage, a mobile application, direct Slack, Teams, Zoom, or Meet application integrations, current file-support functionality, broad human approval workflows for every AI interaction, or full SIEM export beyond customer-directed API-based export or integrations that may be supported under the applicable product configuration.
Tokto’s roadmap, research, development plans, integrations, insurance-related cooperation, hardware optimization, storage optimization, risk scoring, model evaluation, and future product functionality may be subject to change and are not contractual commitments unless expressly stated in a signed written agreement.

## **25. Order of Precedence**

If there is a conflict between this DPA and the Agreement, this DPA controls with respect to the processing of Customer Personal Data, unless the Agreement expressly states that a specific provision overrides this DPA.

If there is a conflict between this DPA and standard contractual clauses or another mandatory data transfer mechanism, the standard contractual clauses or mandatory transfer mechanism controls to the extent required by Applicable Data Protection Law.

## **26. Term and Termination**

This DPA remains in effect for as long as Tokto processes Customer Personal Data on behalf of Customer. Sections that by their nature should survive termination will survive, including confidentiality, deletion and retention, audit limitations, deidentified and incognito data, limitation of scope, and any provisions necessary to interpret or enforce this DPA.

## **27. Contact**

Privacy contact: privacy@tokto.ai

Company: Tokto AI Ltd.

Address: Delaware, USA (full company address to be provided).

## **Annex A, Details of Processing**

Subject matter: provision of Tokto’s enterprise AI accountability infrastructure, including AI visibility, policy enforcement, cost and budget management, routing and optimization, security and compliance monitoring, system-of-record functionality, reporting, API-based customer-directed export, support, troubleshooting, maintenance, and related functionality.

Duration: the term of the Agreement, plus any period required by law, Customer’s documented instructions, retention settings, product configuration, or the Agreement.
Nature of processing: receiving, routing, processing, inspecting, transforming, reducing, caching, recording, storing, retrieving, analyzing, logging, displaying, exporting, deleting, and otherwise handling Customer Data as required to provide the Services.

Purpose of processing: to provide, secure, support, maintain, troubleshoot, optimize, and improve the Services, to enforce Customer-configured policies, to support Customer’s AI governance and system-of-record needs, to provide cost and budget management, to provide visibility and reporting, to provide customer-directed exports or integrations, and to comply with law.

Categories of Personal Data: depending on Customer configuration, prompts, outputs, AI interaction records, metadata, policy decisions, routing events, model interaction metadata, token and cost information, user, team, department, application, service, agent, workflow, or entity identifiers, configuration settings, security and compliance logs, administrative actions, timestamps, audit records, diagnostics, error reports, and support information.

Categories of data subjects: Customer authorized users, employees, contractors, administrators, developers, business users, support personnel, agents acting on behalf of Customer, and other individuals whose information Customer routes through or records in the Services.

Sensitive data: only to the extent Customer routes, processes, records, or configures the Services to handle such data, which may include sensitive personal information, regulated information, confidential information, health information, financial information, code, secrets, credentials, or other protected information.

Processing location: primarily Customer-controlled infrastructure for on-premise deployments, and Tokto-controlled systems only to the extent required for support, telemetry, diagnostics, business operations, or other functions agreed by the parties.
## **Annex B, Technical and Organizational Measures**

Tokto-controlled measures may include access controls, authentication measures, encryption where appropriate, monitoring, logging, least-privilege access practices, internal security controls, confidentiality obligations, secure development practices, support procedures, incident-response procedures, diagnostic controls, and vulnerability management.

Customer-controlled measures include securing Customer infrastructure, servers, cloud accounts, storage, databases, networks, APIs, credentials, encryption keys, identity systems, user access, backups, logs, endpoints, model-provider accounts, and third-party integrations.

Product-level controls may include customer-configured policies, retention controls where supported, visibility controls, routing controls, cost and budget controls, allow, block, or transform decisions where enabled, record-keeping controls, and API-based customer-directed export where supported.

Telemetry is default-on, may include operational, diagnostic, usage, performance, error, support, and system data, and may be disabled, limited, or configured where supported by product settings or the applicable Agreement.

Tokto does not use customer content to train, fine-tune, or improve general-purpose AI models unless Customer expressly authorizes such use in writing or through a clear product setting.

Tokto may use Deidentified Data, Aggregated Data, and Incognito Data to analyze usage, improve services, develop features, monitor performance, support security, optimize cost and routing, assess risk, and produce statistical insights, provided such data does not identify Customer, Customer users, Customer clients, or natural persons.