Trust Center

Effective: December 8, 2025

Data Processing Addendum

This Data Processing Addendum (DPA) governs the processing of personal data by Custodia on behalf of customers and supplements our Terms of Service.

1. Definitions

"Customer Data" means personal data uploaded to or processed through the Service by or on behalf of Customer. "Data Protection Laws" means applicable laws relating to data protection and privacy, including GDPR, CCPA, and other relevant regulations. "Subprocessor" means any third party engaged by Custodia to process Customer Data.

2. Roles and Responsibilities

For purposes of Data Protection Laws: Customer is the "Controller" (or "Business") determining the purposes and means of processing. Custodia is the "Processor" (or "Service Provider") processing Customer Data on Customer's behalf and instructions. Custodia will only process Customer Data in accordance with Customer's documented instructions as set forth in the Terms of Service and this DPA.

3. Processing Purposes

Custodia processes Customer Data solely for the following purposes: (a) providing the Service as described in the Terms of Service; (b) complying with Customer's instructions; (c) complying with applicable law; (d) detecting and preventing fraud, abuse, and security incidents. Custodia will not sell Customer Data, use it for advertising, or process it for purposes incompatible with those listed above.

4. Security Measures

Custodia implements appropriate technical and organizational measures to protect Customer Data, including: (a) encryption in transit (TLS 1.2+) and at rest (AES-256); (b) access controls limiting personnel access to Customer Data; (c) secure development practices; (d) regular security assessments; (e) incident detection and response capabilities; (f) employee confidentiality obligations and training. These measures are designed to ensure a level of security appropriate to the risk.

5. Subprocessors

Customer authorizes Custodia to engage Subprocessors to process Customer Data. Current Subprocessors include: Stripe, Inc. (payment processing), Google Cloud Platform / Gemini AI (AI services and hosting), Neon, Inc. (database hosting), and Vercel, Inc. (application hosting). Custodia will: (a) impose data protection obligations on Subprocessors materially similar to those in this DPA; (b) remain liable for Subprocessor compliance; (c) notify Customer of new Subprocessors at least 30 days before engagement, allowing Customer to object.

6. Data Subject Rights

Custodia will assist Customer in responding to data subject requests (access, correction, deletion, portability, etc.) to the extent Customer cannot fulfill such requests independently through Service functionality. Custodia will notify Customer promptly if it receives a request directly from a data subject, unless prohibited by law.

7. Data Breach Notification

Custodia will notify Customer without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach affecting Customer Data. Notification will include: (a) description of the breach; (b) categories and approximate number of data subjects affected; (c) likely consequences; (d) measures taken or proposed to address the breach. Custodia will cooperate with Customer's breach response efforts.

8. International Transfers

Customer Data may be transferred to and processed in the United States. For transfers from the EEA, UK, or Switzerland, Custodia relies on: (a) Standard Contractual Clauses (SCCs) approved by the European Commission; and/or (b) other valid transfer mechanisms under applicable law. Upon request, Custodia will execute SCCs with Customer.

9. Audits

Upon Customer's written request (no more than once per year), Custodia will provide: (a) responses to reasonable security questionnaires; (b) summaries of third-party security audits or certifications. Custodia is not required to disclose information that would compromise security, violate confidentiality obligations to other customers, or reveal proprietary information.

10. Data Deletion and Return

Upon termination of the Service agreement, Customer may export Customer Data within 30 days. After this period, Custodia will delete Customer Data unless retention is required by law or for legitimate business purposes (e.g., billing records). Upon request, Custodia will certify deletion in writing.

11. Term

This DPA remains in effect for as long as Custodia processes Customer Data on Customer's behalf. Provisions related to data security, confidentiality, and deletion survive termination.

Questions about this policy?

Contact us and we'll help clarify.

support@custodiallc.com