Skip to main content

Legal

Data Processing Addendum

Last updated July 12, 2026

The plain version: when emisar processes personal data on your behalf, we act only on your instructions, we never sell it or train on it, our subprocessors are a short named list, and we delete it when you leave. This is the standard DPA we'll sign — email support@emisar.dev for an executable copy.

This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Customer", the data controller) and emisar, operated by Andrii Dryga ("we", "us", the data processor). It governs our processing of personal data on your behalf and reflects Article 28 of the GDPR and the equivalent UK and California requirements. Where this DPA conflicts with the Terms, this DPA controls for matters of data protection. It is the standard form we will execute — email support@emisar.dev for a signable copy.

1. Roles and scope

You are the controller of the personal data you and your authorized users put into emisar; we are your processor. We process that data only to provide the emisar service to you and only on your documented instructions — the Terms, this DPA, and your use of the product are those instructions. We will tell you if we believe an instruction breaches data-protection law. We do not sell your data, share it with advertisers, enrich it with data brokers, or use it to train AI models — ours or anyone else's.

2. Details of processing

  • Subject matter and duration. Processing for the term of your account.
  • Nature and purpose. Operating the control plane: authenticating users, routing actions to your runners, enforcing your policies, and producing your audit trail.
  • Categories of data. Account information (email, optional name, authentication metadata, request IP) and product telemetry (runner metadata, the actions your operators or AI agents trigger, approvals, policy decisions, and the resulting audit events). Secrets are redacted on the host before they leave it, and we never receive full card numbers. We do not ask for, and you should not send, special-category data.
  • Data subjects. Your authorized operators, administrators, and any individuals referenced in the actions or audit records your team generates.

3. Our obligations as processor

We will: process personal data only on your instructions; ensure the people who process it are bound by confidentiality; implement the security measures in §5; engage subprocessors only under §4; assist you with data-subject requests and with your own security, breach-notification, and impact-assessment obligations (§7); and, at the end of the service, return or delete the data (§9). We make available the information needed to demonstrate compliance with these obligations (§10).

4. Subprocessors

You authorize us to engage the subprocessors below, each contractually bound to confidentiality and to processing data only on our instructions, under terms no less protective than this DPA:

  • Google Cloud Platform — application hosting, networking, managed PostgreSQL, and backups (United States region).
  • Paddle — payment processing and subscription retention (Paddle Retain, checkout page only); we never see or store full card numbers.
  • Postmark — transactional email (confirmations, approvals, magic links).
  • Mixpanel — product & usage analytics (United States); server-side, scoped to product-usage events, never the contents of your runs or audit records.

We will give you advance notice before adding or replacing a subprocessor — the current list lives on the privacy policy — and you may object on reasonable data-protection grounds, in which case we will work with you in good faith or you may terminate.

5. Security measures

The technical and organizational measures we maintain include, at minimum:

  • Encryption in transit (TLS 1.2+, 1.3 where supported) and provider-managed encryption at rest for compute storage, database storage, and backups.
  • Least-privilege access, enforced multi-factor authentication, and role-based access control.
  • A tamper-evident, hash-chained audit trail on each host, mirrored to the searchable cloud record.
  • Secrets redacted on the host before egress; outbound-only runners with no inbound port.
  • Signed dispatch and local admission control — a compromised control plane cannot forge an action.

The trust center and security model describe these in depth; they reflect the controls actually in the product, not aspirations.

6. Personal-data breach

If we become aware of a personal-data breach affecting your data, we will notify you without undue delay, with the information you need to meet your own notification obligations, and we will cooperate on investigation and remediation.

7. Assisting you

Taking into account the nature of the processing, we will help you respond to data-subject requests (access, rectification, erasure, portability, restriction, objection). Much of this you can do yourself: audit events stream out as NDJSON from /api/audit, and a full account snapshot or deletion is available by emailing support@emisar.dev.

8. International transfers

Production data is processed in the United States. Where you are in the EU, UK, or another region whose law restricts transfers, the EU Standard Contractual Clauses (and the UK International Data Transfer Addendum) are incorporated into this DPA by reference and govern those transfers, with us as the data importer.

9. Return and deletion

On termination, or on your request, we delete your personal data from the primary database within 24 hours and from encrypted backups within 30 days (after which the backups themselves expire), except where we are legally required to retain specific records (e.g. tax records for invoices) for the minimum statutory period. We can provide a deletion certificate or a copy of the data first if you ask.

10. Audits

We make available the information reasonably necessary to demonstrate compliance with this DPA, including our security documentation and, when available, third-party attestations. Where an on-site or independent audit is required, we will agree the scope, timing, and cost with you in advance so it doesn't compromise other customers' security.

11. General

This DPA supplements and does not replace the Terms; the liability limits in the Terms apply to it. We may update it to reflect new legal requirements or subprocessors; material changes will be communicated as described in the Terms. Questions, or to receive an executable copy: support@emisar.dev.