Effective: November 28, 2025

This Data Processing Agreement (“DPA”) is incorporated into and forms part of the Terms of Service or other agreement between Customer and StepFun that references this DPA and governs Customer’s use of the Services (the “Agreement”). It applies to StepFun’s processing of Customer Data as defined below. Capitalized terms used but not otherwise defined in this DPA have the meaning set out in the Agreement. StepFun may amend this DPA on reasonable notice to Customer to the extent such changes are required due to changes in applicable data protection laws. If there is any conflict between this DPA and the Agreement, this DPA controls. This DPA is governed by the laws, and subject to the mandatory arbitration provisions, set out in the Agreement, except where applicable data protection laws require otherwise. This does not limit or affect the governing law of the Standard Contractual Clauses, where applicable.

1. Definitions

  • Applicable Data Protection Laws: all applicable privacy or data protection laws and regulations relating to the processing of personal data, as amended from time to time.
  • Customer Personal Data: personal data submitted through the Services by or for Customer or a Customer Affiliate.
  • Customer Affiliate: an affiliate of Customer that is permitted to use the Services pursuant to the Agreement and directly or indirectly controls, is controlled by, or is under common control with the relevant entity. “Control” means direct or indirect ownership or control of more than 50% of voting interests.
  • Customer Data: all data or other information submitted through the Services by or for Customer or a Customer Affiliate.
  • Data Subject Request: a request from a data subject to exercise personal data rights under applicable data protection laws, such as access, correction, or deletion.
  • GDPR: Regulation (EU) 2016/679, including the European Commission Implementing Decision (EU) 2021/914 of June 4, 2021, as amended from time to time.
  • Security Breach: a breach of StepFun’s security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Customer Personal Data.
  • Standard Contractual Clauses or SCCs: Module Two (controller to processor) or Module Three (processor to processor) of the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to GDPR.
  • Subprocessor: an entity engaged by StepFun to process Customer Personal Data.
  • UK Addendum: the International Data Transfer Addendum to the SCCs issued by the Information Commissioner under section 119A(1) of the Data Protection Act 2018.
The terms “personal data”, “data subject”, “processing”, “controller”, and “processor” have the meanings given by applicable data protection laws or, absent such meaning, by GDPR. The terms “controller” and “processor” also include “business” and “service provider” respectively, where required by applicable law.

2. Processing of Customer Data

With respect to Customer Personal Data, Customer is the controller and StepFun is the processor. Each party will comply with its respective obligations under applicable data protection laws in connection with the Services and the Customer Personal Data. Unless required by law, StepFun will process Customer Personal Data only to provide or maintain the Services and in compliance with Customer’s documented instructions, including those set out in the Agreement and this DPA. Without limiting the foregoing, StepFun will not:
  • sell or share Customer Personal Data as defined by applicable data protection laws
  • retain, use, or disclose Customer Personal Data outside the direct business relationship and for any purpose other than the business purposes specified in Schedule 1 Part B and the Agreement, except as otherwise permitted by law
  • except as otherwise permitted by law, combine Customer Personal Data with personal data received from or on behalf of another person, or collected from StepFun’s own interaction with the data subject
As required by applicable law, StepFun will promptly inform Customer if it determines that it can no longer comply with its processing obligations under this DPA. Customer may then take reasonable and appropriate steps in accordance with the Agreement to stop or remediate unauthorized processing. StepFun will promptly inform Customer if, in StepFun’s opinion, an instruction from Customer relating to processing of Customer Personal Data violates applicable data protection law. StepFun will cooperate with and provide reasonable assistance to Customer for:
  • Customer’s performance of any required data protection impact assessment
  • related consultation with supervisory authorities where reasonably required
StepFun will ensure that each person it authorizes to process Customer Personal Data is subject to an appropriate duty of confidentiality. Customer represents, warrants, and covenants that it has and will maintain throughout the term all necessary rights, consents, and authorizations to provide Customer Data to StepFun and to authorize StepFun to use, disclose, retain, and otherwise process Customer Data as contemplated by this DPA, the Agreement, and any other processing instructions provided to StepFun. Without prejudice to StepFun’s security obligations in Section 5, Customer acknowledges and agrees that it, rather than StepFun, is responsible for certain configurations and design decisions for the Services and for implementing them in a secure manner that complies with applicable data protection laws. Customer must not provide Customer Data to StepFun except through agreed mechanisms. Customer further represents, warrants, and covenants that it will transfer Customer Data to StepFun only using secure, reasonable, and appropriate mechanisms to the extent such mechanisms are within Customer’s control.

3. Subprocessors

Customer grants StepFun general authorization to engage subprocessors. StepFun will:
  1. enter into a contractual agreement with each subprocessor imposing data protection obligations that are substantially as protective as StepFun’s obligations under this DPA to the extent applicable to the services provided
  2. remain liable to Customer, subject to the liability limitations in the Agreement, for each subprocessor’s acts and omissions related to this DPA to the same extent StepFun is liable for its own

4. Data Subject Requests

StepFun will promptly forward to Customer any Data Subject Request relating to Customer Personal Data received by StepFun and may advise the data subject to submit the request directly to Customer. Taking into account the nature of the processing, StepFun will provide reasonable and timely assistance as necessary for Customer to fulfill its obligations under applicable data protection laws in responding to Data Subject Requests.

5. Security

StepFun will comply with the data security obligations of applicable data protection laws and will implement and maintain reasonable and appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk of the relevant processing.

6. Security Breaches

StepFun will notify Customer in writing without undue delay after becoming aware of any Security Breach and will assist Customer in complying with Customer’s obligations under applicable data protection laws by reasonably cooperating with Customer’s investigation. StepFun’s notification of, or response to, a Security Breach does not constitute an acknowledgement of fault or liability. Upon becoming aware of a Security Breach, StepFun will:
  1. investigate the Security Breach
  2. provide timely information relating to the nature of the breach, including where reasonably possible:
    • categories and approximate number of data subjects concerned
    • categories and approximate number of Customer Personal Data records concerned
    • likely consequences of the breach
    • measures taken or proposed to address the breach and mitigate possible adverse effects

7. Deletion and Return

Within 30 days of termination or expiration of the Agreement, StepFun will:
  1. if requested by Customer within that period, return a copy of all Customer Data in its control or possession, or provide self-service functionality allowing Customer to do the same
  2. delete all copies of Customer Data, including Customer Personal Data, processed by StepFun or any subprocessors, except to the extent:
    • applicable law or regulatory requirements require storage
    • retention is necessary to resolve a dispute between the parties
    • retention is necessary to combat harmful use of the Services

8. Standard Contractual Clauses

The parties agree that, to the extent required by applicable data protection laws, the terms of SCC Module Two and/or Module Three, as completed in Schedule 2 of this DPA, are incorporated by reference and deemed executed by the parties. To the extent required by applicable data protection laws, the jurisdiction-specific addenda to the SCCs set out in Schedule 2 are also incorporated by reference and deemed executed. If there is a conflict between this DPA, the Agreement, and the SCCs, the order of precedence is:
  1. the SCCs
  2. this DPA
  3. the Agreement
StepFun will provide Customer with reasonable support to enable compliance with requirements imposed on international transfers of Customer Personal Data, including information reasonably necessary for a transfer impact assessment where required.

Schedule 1. Details of Processing and Transfers

A. List of Parties

The parties are set out in the preamble to this DPA. For transfers of Customer Personal Data falling within the scope of applicable data protection laws, the following additional information applies.
  • Data Exporter: Customer and/or Customer Affiliates exporting Customer Personal Data to which GDPR applies. Contact person details, and where applicable data protection officer or representative details, are included in the Agreement or will be disclosed to StepFun upon request.
  • Data Importer: the StepFun entity that executed the Agreement. Contact details are included in the Agreement or will be disclosed to Customer upon request.

B. Description of Processing

  • Categories of data subjects: determined by Customer in accordance with the Agreement
  • Categories of personal data: determined by Customer in accordance with the Agreement
  • Special categories of personal data: none, if applicable
  • Duration and frequency of processing: continuous for the duration of the Agreement, as determined by Customer’s configuration of the Services
  • Subject matter and nature of processing: performing the Services on behalf of Customer, including collection, storage, organization, and structuring of personal data as part of AI-powered functions; verifying or maintaining quality, security, and integrity of the Services; debugging to identify and repair errors
  • Purpose of transfer and further processing: providing the Services to Customer pursuant to the Agreement and as otherwise agreed by Customer and StepFun
  • Storage limitation: compliance with legal retention requirements under applicable law
  • Subprocessors: may be used by StepFun to assist in providing the Services

C. Competent Supervisory Authority

The competent supervisory authority will be identified in accordance with clause 13 of the SCCs:
  • where the data exporter is established in an EU Member State, the supervisory authority of that country is the competent authority
  • where the data exporter is not established in an EU Member State but falls within GDPR territorial scope under Article 3(2) and has appointed a representative under Article 27(1), the competent authority is that of the Member State where the representative is established
  • where the data exporter falls within GDPR territorial scope under Article 3(2) but has not appointed a representative under Article 27(2), the competent supervisory authority is the supervisory authority of Ireland

Schedule 2. International Data Transfers

A. EU SCCs

For Module Two and Module Three of the SCCs, the following elections apply:
  • Clause 7 (Docking clause): does not apply
  • Clause 11 (Redress): optional wording does not apply
  • Clause 17 (Governing Law): Option 1 applies and governing law is the law of the Republic of Ireland
  • Clause 18 (Choice of forum and jurisdiction): the applicable forum and jurisdiction is the Republic of Ireland
  • Clause 9 (Use of subprocessors): Option 2, general written authorization, applies
For Annex I of the SCCs:
  • Schedule 1 Part A contains the specifications regarding the parties
  • Schedule 1 Part B contains the description of the transfer for Module Two and Module Three
  • Schedule 1 Part C contains the competent supervisory authority

B. UK Addendum

This UK Addendum applies to processing of Customer Personal Data subject to the UK GDPR or both the UK GDPR and GDPR. For the purposes of this UK Addendum:
  • Approved Addendum means the template addendum, version B.1.0, issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018 and laid before the UK Parliament on February 2, 2022, as revised from time to time
  • UK GDPR means Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland, and Northern Ireland, and as amended
  • Mandatory Clauses means Part 2: Mandatory Clauses of the Approved Addendum
For transfers of Customer Personal Data subject to the UK GDPR from Customer to StepFun:
  1. to the extent necessary under applicable data protection law, the Approved Addendum is incorporated into and forms part of this DPA
  2. for Table 1 of Part 1, party details are set out in Schedule 1 Part A
  3. for Table 2 of Part 1, the selected SCCs are the version set out in the EU SCCs portion of Schedule 2, including Appendix Information
  4. for Table 4 of Part 1, StepFun as data importer may end the Approved Addendum

C. Swiss Addendum

This Swiss Addendum applies to processing of Customer Personal Data subject to Swiss Data Protection Laws, or both Swiss Data Protection Laws and GDPR.

Interpretation

Where this Addendum uses terms defined in the SCCs, those terms have the same meaning. In addition:
  • Addendum means this Addendum to the Clauses
  • Clauses means the SCCs as further specified in this Schedule
  • Swiss Data Protection Laws means the Swiss Federal Act on Data Protection of June 19, 1992 and the Swiss Ordinance to that Act of June 14, 1993, and any new or revised versions that enter into force from time to time
This Addendum will be interpreted in light of Swiss Data Protection Laws so that it provides the safeguards required by Article 46 GDPR and/or Article 6(2)(a) of Swiss Data Protection Laws, as applicable. It will not be interpreted in a way that conflicts with rights and obligations under Swiss Data Protection Laws. References to legislation include amended, consolidated, reenacted, or replacement versions. If there is a conflict between this Addendum and the Clauses or other related agreements, the provisions that provide the most protection to data subjects prevail.

Incorporation of the Clauses

For processing subject to Swiss Data Protection Laws, or both Swiss Data Protection Laws and GDPR, this Addendum amends the DPA and SCCs to the extent necessary so they operate:
  • for transfers made by the data exporter to the data importer where Swiss Data Protection Laws apply
  • to provide appropriate safeguards for transfers in accordance with Article 46 GDPR and/or Article 6(2)(a) of Swiss Data Protection Laws
Where processing is exclusively subject to Swiss Data Protection Laws, the following amendments apply:
  • references to the Clauses or SCCs mean this Swiss Addendum as it amends the SCCs
  • Clause 6 description of the transfer is replaced so that transfer details are those specified in Schedule 1 where Swiss Data Protection Laws apply
  • references to GDPR are replaced by Swiss Data Protection Laws and references to GDPR articles are replaced with the equivalent Swiss provisions where applicable
  • references to Regulation (EU) 2018/1725 are removed
  • references to the European Union, Union, EU, and EU Member State are replaced with Switzerland
  • Clause 13(a) and Part C of Annex I are not used; the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as transfers are governed by Swiss Data Protection Laws
  • Clause 17 is replaced so that the Clauses are governed by the laws of Switzerland insofar as transfers are governed by Swiss Data Protection Laws
  • Clause 18 is replaced so that disputes relating to Swiss Data Protection Laws are resolved by the courts of Switzerland, and a data subject may also bring proceedings before the courts of Switzerland where the data subject has habitual residence
  • until the revised Swiss Data Protection Laws enter into force, the Clauses also protect the personal data of legal entities
To the extent any processing is subject to both Swiss Data Protection Laws and GDPR, the DPA, including the Clauses as further specified in this Schedule, applies:
  1. as written
  2. additionally, where a transfer is subject to Swiss Data Protection Laws, as amended by the Swiss Addendum, except that Clause 17 of the SCCs is not replaced as described in Section 3(b)(vii) of the Swiss Addendum
Customer warrants that it and/or Customer Affiliates have made any notifications to the Swiss Federal Data Protection and Information Commissioner required under Swiss Data Protection Laws.