Data processing addendum
Effective July 14, 2026
This addendum applies when a customer’s use of the Corent API involves personal data protected by data protection law (including the GDPR and UK GDPR) and forms part of the terms of service. It is incorporated automatically for all customers; no signature is required. Enterprise customers who need a countersigned copy can request one at hello@corent.tech.
Roles
For content you submit (prompts, reference media) and outputs generated for you, you are the controller and Corent is a processor acting on your documented instructions, which are: process the content to route, generate, store, and return media, enforce acceptable use, and bill accurately. For account and billing data, Corent is an independent controller.
Processing details
Subject matter and duration: processing of customer content for the term of the agreement. Nature and purpose: AI media generation routing as described in the terms. Data subjects and categories: determined by what you submit; you are responsible for having a lawful basis to submit it.
Our commitments
- Process customer content only per the instructions above, unless law requires otherwise.
- Never use customer content to train AI models.
- Apply the technical and organizational measures described on the security page.
- Ensure persons processing the data are bound by confidentiality.
- Assist you, as reasonably needed, with data subject requests and with your security and impact-assessment obligations.
- Notify you without undue delay of a personal data breach affecting your content.
- Delete or return customer content on request or at termination, per the retention terms in our privacy policy.
Subprocessors
You authorize the subprocessors listed on the security page, which is the canonical, maintained list. We will update that page before adding a subprocessor that handles customer content; if you object to an addition on reasonable data-protection grounds, your remedy is to stop using the service and receive a refund of unused credits. We remain responsible for our subprocessors’ performance.
International transfers
Our subprocessors are primarily in the United States. Where GDPR-protected data is transferred to a country without an adequacy decision, the transfer is protected by the subprocessor’s participation in the EU-U.S. Data Privacy Framework or by standard contractual clauses, as applicable.
Audit
We make available the information reasonably necessary to demonstrate compliance: this addendum, the security page, and our platforms’ audit reports where available under their terms. On written request, no more than once per year, we will answer a reasonable security questionnaire.
