Data Processing Addendum
Last updated: May 30, 2026
Draft — pending legal counsel review. A countersigned DPA is available for Enterprise customers on request: legal@dataextractor.io.
1. Roles
For personal data contained in documents you upload, you are the data controller and dataextractor.io is the processor, processing that data only on your documented instructions to provide the Service.
2. Processing details
- Subject matter: AI extraction of structured data from your documents.
- Duration: for the term of your account; deletable on request.
- Data subjects: individuals referenced in your uploaded documents.
- Data categories: as contained in your documents (e.g. names, addresses, financial line items).
3. Sub-processors
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase | Managed PostgreSQL (account + extracted data) | ap-south-1 |
| Amazon Web Services (S3) | Encrypted object storage for uploaded documents | ap-south-1 |
| Anthropic | LLM inference for extraction | US |
| Google Cloud (Gemini / Document AI) | OCR + LLM inference for extraction | US |
| LangSmith | Extraction tracing / observability | US |
We will give notice of new sub-processors before they begin processing your data.
4. Security measures
- Encryption in transit (TLS 1.2+) and at rest (AES-256 server-side encryption on object storage).
- Role-based access control; tenant isolation by organization.
- Append-only, hash-chained audit log of security-relevant actions.
- CI security scanning (SAST, dependency & secret scanning) on every deploy.
5. Deletion & return
On account or organization deletion, we purge your documents and extracted data from active systems. Integrity-protected security audit records may be retained for up to 12 months as described in the Privacy Policy.
6. International transfers
Some sub-processors operate outside your region (see table). Where required, transfers rely on Standard Contractual Clauses or equivalent safeguards.