Data Processing Addendum
Last updated: 2026-05-17 (GA release)
This Data Processing Addendum ("DPA") applies when Deck-Agent ("Processor") processes personal data on behalf of a customer ("Controller") subject to the General Data Protection Regulation ("GDPR"), the UK Data Protection Act 2018, or the California Consumer Privacy Act ("CCPA"). The DPA is incorporated into the Terms of Service by reference.
1. Scope of processing
Processor processes personal data only on documented instructions from Controller, including with regard to transfers of personal data to a third country (per GDPR Art. 28(3)(a)).
2. Subprocessors
The current subprocessor list is maintained at /dpa#subprocessors and tracks Anthropic, Clerk, Stripe, Twilio, Postmark, Cloudflare, Fly.io, Neon, and Tigris (per the Privacy Policy). We notify Controllers of new subprocessors at least 30 days in advance via the customer status page and a direct email to the billing contact.
3. Security measures
Processor implements appropriate technical and organisational measures (TOMs), including encryption at rest (pgcrypto + Tigris SSE), encryption in transit (TLS 1.3 everywhere), role-based access control (least privilege), append-only audit logging, vulnerability scanning, and annual penetration testing.
4. Data subject requests
Processor will assist Controller in responding to data subject requests within 7 business days, via the export and deletion APIs at /api/v1/me/export and /api/v1/me.
5. Breach notification
Processor will notify Controller of any personal data breach within 72 hours of discovery, including the nature of the breach, affected data, mitigation steps, and recommended actions.
6. International transfers
Where personal data is transferred outside the EEA / UK, the parties rely on the European Commission Standard Contractual Clauses (Module 2 — Controller to Processor). The SCCs are incorporated by reference and available on request.
7. Audit + cooperation
Controller may audit Processor's compliance with this DPA once per calendar year on 30 days' written notice. Processor will cooperate with reasonable audit requests at Controller's expense.
8. Contact
Questions? Email dpo@deckserv.co.