Data Processing Agreement

Last updated: May 12, 2026

This DPA forms part of your Terms of Service with InsideDB. It governs how we process personal data on your behalf as a data processor under GDPR Article 28.

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between InsideDB ("Processor", "we", "us") and the customer ("Controller", "you") who uses the InsideDB platform. This DPA governs the processing of personal data on your behalf and complies with Article 28 of the GDPR and equivalent provisions of other data protection laws.

2. Definitions

Capitalized terms not defined here have the meaning given in the Terms of Service or applicable data protection law.

  • Personal Data — any information relating to an identified or identifiable natural person that you upload, process, or collect through InsideDB.
  • Processing — any operation performed on personal data, including collection, storage, retrieval, use, and deletion.
  • Subprocessor — any third party engaged by InsideDB to process personal data on behalf of the Controller.

3. Processing Details

Subject matter: Provision of the InsideDB platform services
Duration: For the term of your InsideDB account
Nature & purpose: Hosting, storage, AI processing, web data collection, and workflow automation as configured by you
Data categories: Account data (email, name), uploaded files, web-scraped content, AI-processed outputs
Data subjects: Your authorized users and any individuals whose data you process through the platform

4. Processor Obligations

InsideDB shall:

  • Process personal data only on documented instructions from you (including these terms).
  • Ensure persons authorized to process personal data are committed to confidentiality.
  • Implement appropriate technical and organizational measures (see Section 7).
  • Assist you in fulfilling data subject rights requests (access, rectification, erasure, portability).
  • Notify you without undue delay after becoming aware of a personal data breach.
  • Delete or return all personal data upon termination of services (see Section 9).

5. Controller Obligations

You, as Controller, shall:

  • Ensure you have a lawful basis for processing any personal data through InsideDB.
  • Not process sensitive personal data (special categories under GDPR Art. 9) without implementing additional safeguards.
  • Provide necessary notices and obtain required consents from data subjects.

6. Subprocessors

You authorize InsideDB to engage the following subprocessors for the purposes described:

Subprocessor | Purpose | Location
Hetzner Online GmbH | Cloud hosting (all platform data at rest) | Germany (EU)
SendGrid (Twilio Inc.) | Transactional email delivery | USA (EU data center option)
Sentry (Functional Software Inc.) | Error monitoring (no user content) | USA
NowPayments | Cryptocurrency payment processing | Estonia (EU)

InsideDB will inform you of any intended changes to subprocessors via email or platform notification. You may object to new subprocessors on reasonable grounds relating to data protection.

7. Technical & Organizational Measures

  • Encryption at rest (Fernet) for user secrets and credentials.
  • Encryption in transit (TLS 1.3, HSTS with 2-year max-age).
  • JWT-based authentication with httpOnly cookies and CSRF protection.
  • Bcrypt password hashing; bcrypt-verified API keys.
  • Rate limiting, input validation, and abuse detection.
  • Continuous monitoring (Sentry, Prometheus, OpenTelemetry).
  • Access control: team-based permissions with owner/builder/viewer roles.
  • Audit logging of administrative and user actions.
  • Regular automated backups (Redis AOF, database backups).

8. Data Subject Rights

InsideDB will assist you in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) by providing export and deletion tools and responding to your support inquiries within 30 days. Data subjects may contact us at support@insidedb.ai.

9. Data Retention & Deletion

Upon termination of your account, InsideDB will delete all personal data within 30 days. You may also request deletion of specific data at any time. AI conversation data is automatically purged after 30 days. Extract content is automatically purged after 90 days. Data subjects may contact us at support@insidedb.ai for deletion requests.

10. Contact

For questions about this DPA or to exercise your data protection rights, contact us at support@insidedb.ai.