Data Processing Addendum

1. Purpose

This Data Processing Addendum ("DPA") applies only where TRUP LLC and a business, institutional, university, research group, team, or enterprise customer have agreed that this DPA applies to the processing of personal data through Licentia.

Licentia is operated by TRUP LLC, a Wyoming limited liability company. Licentia is a product name only and is not a separate legal entity, registered DBA, or separately incorporated company.

2. Relationship to Agreement

This DPA supplements the Terms of Service or other written agreement between the customer and TRUP. If there is a conflict between this DPA and the Terms regarding processing of Customer Personal Data, this DPA controls only for that processing.

3. Definitions

"Customer" means the business, institution, university, research group, team, enterprise, or organization that uses Licentia under an applicable agreement.

"Customer Personal Data" means personal data processed by TRUP on behalf of Customer through the Services.

"Controller," "processor," "personal data," "processing," and similar terms have the meanings given under applicable data protection laws.

4. Roles

As between the parties, Customer is the controller or business responsible for determining the purposes and means of processing Customer Personal Data. TRUP acts as processor or service provider only to the extent it processes Customer Personal Data on behalf of Customer under this DPA.

For personal data processed by TRUP for account administration, billing, security, abuse prevention, legal compliance, service analytics without personal advertising, and direct relationship management, TRUP may act as an independent controller as described in the Privacy & Cookie Policy.

5. Processing Instructions

TRUP will process Customer Personal Data only:

• to provide, secure, maintain, support, and improve the Services;
• according to Customer's lawful instructions;
• as described in the applicable agreement and this DPA;
• as required by applicable law.

6. Subject Matter and Duration

The subject matter is the provision of Licentia's AI-assisted academic research, writing, study, citation, document-processing, statistics, and productivity services.

The duration of processing lasts for the term of the customer relationship and any additional period required for deletion, backup, legal, security, billing, dispute, or compliance purposes.

7. Categories of Data Subjects

Data subjects may include:

• Customer's users;
• students;
• researchers;
• faculty;
• staff;
• collaborators;
• support contacts;
• individuals referenced in uploaded materials;
• individuals whose information appears in datasets, documents, prompts, files, or academic content.

8. Categories of Personal Data

Customer Personal Data may include:

• account information;
• contact information;
• authentication information;
• user content;
• uploaded files;
• academic materials;
• prompts and AI outputs;
• citations and references;
• datasets;
• study materials;
• statistics inputs and outputs;
• support communications;
• logs and technical metadata;
• billing-related business contact information.

9. Sensitive Data

Customer must not submit sensitive personal data, regulated data, protected health information, children's data, biometric data, government identifiers, or confidential third-party data unless Customer has the lawful right and authority to do so and has confirmed that the Services are appropriate for that processing.

10. Subprocessors

Customer authorizes TRUP to use subprocessors and service providers to provide the Services. Subprocessors may include providers for:

• infrastructure and servers;
• database and backups;
• file storage;
• AI infrastructure, model routing, OCR, and model providers;
• authentication;
• payment processing;
• email delivery;
• academic metadata, citation, DOI, abstract, indexing, search, and source discovery;
• security, logging, abuse prevention, debugging, and support.

Examples may include OpenRouter, model providers routed through OpenRouter, Cloudflare R2 or similar storage providers, Google, Apple, Creem, Plisio, Stripe, Sendarix, Crossref, OpenAlex, Semantic Scholar, PubMed, DOAJ, arXiv, and similar providers used from time to time.

11. Subprocessor Changes

TRUP may add, replace, or remove subprocessors from time to time. Where required by an applicable written agreement or law, TRUP will provide notice or make updated subprocessor information available.

12. International Transfers

Customer Personal Data may be processed in the United States, the European Economic Area, the United Kingdom, Türkiye, and other countries where TRUP or its service providers operate.

Where required, the parties will use appropriate transfer mechanisms, which may include Standard Contractual Clauses, UK transfer addenda, data processing terms, or other lawful transfer mechanisms.

13. Security Measures

TRUP will use reasonable technical and organizational measures designed to protect Customer Personal Data against unauthorized access, loss, misuse, alteration, or disclosure.

Measures may include access controls, authentication, transport encryption, operational security controls, logging, backups, file validation, abuse prevention, rate limiting, and security monitoring where appropriate.

14. Customer Responsibilities

Customer is responsible for:

• providing lawful instructions;
• obtaining all required notices, consents, and permissions;
• ensuring users comply with academic, institutional, privacy, and data protection rules;
• determining whether the Services are appropriate for the data submitted;
• avoiding unnecessary sensitive data uploads;
• responding to data subject requests where Customer is controller;
• maintaining user account controls and access permissions.

15. Data Subject Requests

If TRUP receives a request from a data subject relating to Customer Personal Data, TRUP may direct the requester to Customer or assist Customer where legally required and reasonably possible. Requests may be sent to hello@licentia.io.

16. Deletion and Return

Upon termination of the applicable agreement or upon Customer's valid request, TRUP will delete or return Customer Personal Data as reasonably possible, subject to backup, legal, billing, tax, accounting, security, fraud prevention, dispute resolution, service integrity, and compliance retention requirements.

Deleted information may remain in backups, logs, archives, or disaster recovery systems for a limited period before being overwritten or deleted.

17. Security Incidents

TRUP will notify Customer without undue delay after becoming aware of a security incident affecting Customer Personal Data, where required by applicable law. Notification may be delayed or limited where necessary for investigation, remediation, law enforcement, or legal reasons.

18. Audits

Upon reasonable written request and where required by applicable law or written agreement, TRUP may provide information reasonably necessary to demonstrate compliance with this DPA. Any audit must be limited, confidential, non-disruptive, and subject to reasonable security and confidentiality restrictions.

19. AI Processing

Customer acknowledges that AI-powered features may route prompts, instructions, uploaded content, source excerpts, metadata, outputs, and related information to third-party AI infrastructure providers, model routing providers, model providers, OCR providers, and other service providers.

TRUP does not use Customer Content to train TRUP-owned public AI models. Third-party AI providers may process information according to their own terms, privacy policies, retention settings, logging settings, routing policies, and model provider policies.

20. Liability

The liability limitations in the applicable agreement apply to this DPA to the maximum extent permitted by law.

21. Contact

For DPA, privacy, data protection, security, or subprocessor questions, contact hello@licentia.io.