Data Processing Agreement
Effective date: March 30, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Encelade ("Processor", "we", "us") and the entity or individual using our Service ("Controller", "you", "your"), as set out in our Terms of Service.
This DPA applies where and to the extent that Encelade processes personal data on your behalf in the course of providing the Service, and such processing is subject to applicable data protection laws including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, or the California Consumer Privacy Act ("CCPA").
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by us on your behalf through the Service.
- "Sub-processor" means any third party engaged by Encelade to process Personal Data on your behalf.
- "Data Subject" means the individual to whom the Personal Data relates.
2. Scope and Purpose of Processing
We process Personal Data solely for the purpose of providing the Service to you, as described in our Privacy Policy. The categories of data and data subjects are as follows:
- Data subjects: your end users, team members, and collaborators who use the Service.
- Categories of data: account information (name, email), presentation content, usage data, device information, and log data.
- Processing activities: hosting and storing content, authenticating users, processing AI generation requests, analytics, and customer support.
3. Obligations of the Processor
Encelade shall:
- Process Personal Data only on your documented instructions, unless required to do so by applicable law.
- Ensure that persons authorized to process Personal Data have committed to confidentiality obligations.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of data in transit and at rest, access controls, and regular security assessments.
- Assist you in fulfilling your obligations to respond to Data Subject requests (access, rectification, erasure, portability, restriction, and objection).
- Notify you without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach.
- At your choice, delete or return all Personal Data upon termination of the Service, unless retention is required by applicable law.
- Make available to you all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections.
4. Sub-processors
You authorize us to engage the following categories of Sub-processors to assist in providing the Service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication | United States |
| Vercel | Application hosting, delivery, and file storage | United States |
| Stripe | Payment processing | United States |
| Anthropic | AI text generation (API only) | United States |
| OpenAI | AI text generation (API only) | United States |
|  | AI text and image generation via Gemini (API only) | United States |
| Amplitude | Product analytics | United States |
| Resend | Transactional email delivery | United States |
We will notify you before adding or replacing a Sub-processor, giving you the opportunity to object. If you have a reasonable objection, we will work with you to find an alternative solution or, if none is available, you may terminate the affected portion of the Service.
5. International Transfers
Where Personal Data is transferred outside the European Economic Area, United Kingdom, or Switzerland to a country that does not benefit from an adequacy decision, we ensure that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission (Module 2: Controller to Processor, or Module 3: Processor to Processor, as applicable).
- The UK International Data Transfer Addendum, where applicable.
- Supplementary measures as necessary to ensure an essentially equivalent level of protection.
6. Data Retention and Deletion
We retain Personal Data in accordance with the retention periods described in our Privacy Policy. Upon termination of the Service or upon your written request, we will delete or anonymize all Personal Data within 30 days, except where retention is required by applicable law (e.g., tax and accounting records).
7. Security Measures
We maintain appropriate technical and organizational security measures, as described in our Security page. These measures are designed to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
8. Contact
For questions about this DPA or to exercise your rights as a Controller, contact us at privacy@encelade.app.