Draft — pending legal review. The text below summarises the data-processing terms we intend to publish. It is not yet a binding agreement; contact support@packetproof.io for a signed copy.

Data Processing Addendum (DPA)

Roles

Customer is the data controller. PacketProof is the processor for personal data the customer puts into a workspace (member profiles, evidence, audit log).

Categories of data

  • Member account data: email, name, role, audit history.
  • Workspace content: evidence titles, descriptions, files, framework links.
  • Questionnaire data: questions, draft answers, citations, exported CSVs.
  • Operational logs: minimal request metadata.

Subprocessors

See /subprocessors for the canonical list. We notify customers of new subprocessors at least 30 days before activation.

Cross-border transfers

Customer content is stored in the EU (Vercel Frankfurt + Supabase EU). AI inference may route via OpenAI USA unless the workspace is configured to use Azure OpenAI EU. Standard Contractual Clauses apply to non-EU transfers when relevant.

Security measures

See /security for the summary of technical and organisational measures.

Deletion

On workspace deletion, the workspace row is soft-deleted immediately and purged from primary storage within 30 days. Backups roll off after the standard Supabase retention window.