SeaLink

Data Processing Agreement

Last updated: 2026-05-11

Agreement scope: This DPA covers SeaLink's current product data flows: account, billing, usage metadata, error diagnosis, and customer-enabled request snapshots.

1. Roles

Customer acts as Data Controller. SeaLink Pte. Ltd. acts as Data Processor. Upstream AI providers act as Sub-processors — see /legal/sub-processors for the full list.

2. Purpose & scope of processing

SeaLink processes Customer Data only for service delivery (API routing, billing, usage analytics, error diagnosis). Processing types: transmission (pass-through to upstream), temporary storage (metadata logs), aggregation (usage reports).

3. What SeaLink does NOT store

  • Request bodies (prompts)
  • Response bodies (completions)
  • Source text for embeddings
  • Personal data of Customer's end users

4. Metadata SeaLink does process

  • Timestamps
  • Model ID
  • Token counts (input / output / cached)
  • Latency, status code
  • Customer account ID and API Key ID (no prompt correlation)

5. Storage location & cross-border transfer

Default storage in Singapore. When invoking upstream models, SeaLink transmits prompts to the upstream provider's region (US / EU / China / Korea / Japan — see /trust). Enterprise clients with dedicated residency requirements can define them in the DPA.

6. Sub-processors

Full sub-processor list at /legal/sub-processors. New sub-processors are announced 30 days in advance via /changelog. Customers may object in writing within 30 days; if upheld, parties negotiate replacement or termination.

7. Data subject rights

SeaLink assists Customer in fulfilling data subject access / rectification / erasure / objection / portability / restriction rights. Send requests to privacy@sealink.asia — we respond within 30 days.

8. Data breach notification

Upon confirming a data breach, SeaLink notifies Customer within 72 hours in writing, including incident description, estimated scope, and remediation steps taken.

9. Data deletion

Within 30 days of Customer account closure, SeaLink deletes all Customer metadata. Aggregated, anonymized statistics may be retained for service quality analysis. Backups are overwritten within 90 days.

10. Audit rights

Customer may audit SeaLink once per year (onsite or remote), with 30 days' written notice. Audit costs are borne by the requesting party unless material non-compliance is found.