Legal & Compliance
Terms, Privacy, and Data Processing
This page explains how Rundux operates as a gateway to enterprise large language models, the commitments we make as your processor, and the responsibilities you retain while using the service.
Last updated: October 25, 2025
Terms of Service
Rundux provides a managed gateway to leading large language model APIs so research teams can orchestrate coding workflows without maintaining their own infrastructure.
By using the service you confirm you have the right to process the data you submit, will comply with each model provider's usage policies, and will not transmit prohibited or unlawful content.
We may update features or suspend access when needed to protect the platform or our upstream providers. The service is offered on an as-is basis without guarantees of uninterrupted availability.
- Use Rundux solely for legitimate business research use cases and respect all intellectual-property rights.
- Do not share logins or attempt to copy, reverse engineer, or misuse third-party APIs accessed through the platform.
- Follow the Acceptable Use policies for OpenAI, Anthropic (Claude), xAI (Grok), and OpenRouter-managed models.
Privacy & Data Protection
We operate entirely on EU-based infrastructure and align our practices with GDPR, UK GDPR, and comparable privacy regulations. Rundux acts as a processor for customer-submitted content and processes only the data required to deliver coding outputs.
Application hosting is provided by zone.ee in Tallinn (Estonia), and encrypted object storage and backups run on Amazon Web Services S3 within EU regions (currently eu-central-1 and eu-west-1). Customer verbatims, project metadata, exports, and audit logs remain on EU soil unless you explicitly instruct us otherwise.
Prompts and responses are relayed through EU-only inference gateways: OpenRouter's EU region (`https://eu.openrouter.ai`) or Requesty.ai's Frankfurt routers (`https://router.eu.requesty.ai/v1`). Both providers enforce zero-retention policies for enterprise customers, and our production keys reject any non-EU endpoint to keep residency airtight.
We log request metadata (timestamps, model identifiers, and token counts) for billing, support, and abuse prevention. We deliberately avoid storing verbatim content or other sensitive fields once a job completes, unless you ask us to retain them for collaboration features.
Customers remain responsible for supplying lawful, minimised datasets and for notifying us if special category data is included. We will support data subject requests, deletion instructions, and audit inquiries via support@rundux.com.
- We rely on encryption in transit and at rest across our hosting providers.
- We never use customer data to train shared models or derivative models.
- Support access is restricted to vetted personnel under confidentiality obligations.
Data Processing Addendum Summary
Our Data Processing Addendum (DPA) incorporates the latest EU Standard Contractual Clauses and outlines the roles of Rundux (processor) and the customer (controller). It covers technical and organisational measures, breach notification timelines, and subprocessors.
Current subprocessors are zone.ee (primary hosting in Tallinn, Estonia), Amazon Web Services S3 within EU regions (encrypted object storage and backups), OpenRouter EU (LLM inference gateway with zero retention), and Requesty.ai's EU routers (optional dedicated inference gateway). Each maintains enterprise-grade data protection commitments and contractual assurances that prompts and outputs are excluded from model training.
We will provide prior notice of any new subprocessor and give customers an opportunity to object. Upon termination you can request deletion of all customer data still stored within Rundux, and we will cascade the request to any engaged subprocessors.
- Security controls include role-based access, least-privilege credentials, continuous monitoring, and automated guards that prevent non-EU routing.
- Incident notifications are issued without undue delay and always within the timelines required by GDPR.
- Signed copies of the full DPA are available to customers via support@rundux.com.
Questions or Requests
If you need a signed agreement, a copy of our detailed security measures, or assistance with a data subject request, please reach out to support@rundux.com.