Data Processing Addendum
We can sign a Data Processing Addendum compliant with GDPR Article 28 / UK GDPR / Swiss FADP.
Email [email protected] with your company details and
we'll send a counter-signed copy within 5 business days.
What's in the standard DPA
- Roles: you are the Controller, we are the Processor
- Purpose limitation: we process data only to provide the Service
- Security: per /security — AES-256-GCM at rest, TLS in transit, audit logs
- Subprocessor list: see /legal/subprocessors — currently just Cloudflare
- SCCs (Standard Contractual Clauses): we use the EU 2021/914 SCCs for any international transfers
- Breach notification: within 72 hours of discovery, per GDPR Article 33
- Audit rights: annual third-party security audit (when SOC 2 ships) or your own audit on request
- Data return / deletion on termination: 30-day window for export, then full purge
Need data residency we don't offer?
We currently host in a single region (configurable when you contact us). If you need EU-only,
India-only, or air-gapped processing, the OSS self-host path gives you full control —
you become the Controller AND the Processor, and no telemetry leaves your environment.
See /self-host.
Contact
DPA requests: [email protected]