Applies to: every Valar customer using Valar’s inference services
Effective date: 2026-05-01
Contact: [email protected]
Definitions
- Customer Content - the prompts, inputs, files, and related data submitted to run an inference job, together with the outputs the service returns.
- Job metadata - the operational metadata required to run and track jobs, such as job identifiers, timestamps, status, and routing or state information.
- Compute subprocessor - a third-party compute provider Valar may draw on to run inference.
1. Controller and processor roles
The Customer is the controller of the data it sends to Valar and decides which inference jobs run. Valar is the processor: it handles that data solely to carry out the requested inference job and return the results to the Customer.
2. Scope of data processed
Valar may handle two categories of data, defined above: Customer Content and Job metadata.
3. Permitted and prohibited uses
Valar uses Customer data for two purposes only:
- running the inference job the Customer has requested, and
- operating the service capabilities that job depends on — routing, scheduling, and job-state tracking.
Valar does not:
- use Customer Content to train, fine-tune, or otherwise improve any machine learning model, whether Valar’s own or a third party’s;
- use Customer Content for marketing or advertising; or
- collect telemetry from GPU machines that would capture Customer Content.
4. Storage and retention
| Aspect | How Valar handles it |
|---|---|
| Persistent storage | Customer Content is stored persistently only in Amazon S3 buckets, unless the Customer opts for the customer-owned bucket arrangement below. |
| Transient processing | Everything else happens transiently and in-memory only, lasting no longer than the job itself. |
| Automatic deletion | Valar’s production S3 buckets carry an automated deletion rule (an S3 bucket lifecycle policy) that removes Customer Content soon after processing. Timing can shift due to job retries, failures, or other operational factors. In no event will Valar hold Customer Content for more than 48 hours. |
| Customer-owned buckets (optional) | Customers wanting tighter control over storage configuration and retention may elect to use their own Customer-owned S3 buckets. |
5. Security and access controls
Valar protects Customer data with controls that include the following.
- Authenticated GPU machines. Inference GPU machines connect to Valar infrastructure over TLS (certificate transparency required) and authenticate with a high-entropy bearer token. They are never publicly reachable.
- Restricted connectivity. Inference machines reach only the services they need:
  - container registry
  - routing service
  - object storage (e.g. Amazon S3)
- Data center assurance. Valar relies on cloud and data center providers that maintain SOC 2 and ISO 27001 assurance programs.
- Compute provider restrictions. Valar may draw on several compute subprocessors, subject to two conditions:
  - they are barred from accessing Customer Content, and
  - they must never store Customer Content unencrypted.