Data Processing Addendum
Last updated: 2026-04-17
This DPA stub applies to Team and Enterprise customers who process personal data through ashlr on behalf of EU or California residents. A countersigned DPA is available on request — email support@ashlr.ai.
1. GDPR and CCPA compliance
ashlr acts as a data processor when processing personal data on behalf of customers (“controllers”) under the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). We process personal data only as instructed by the controller and as described in our Privacy Policy.
For CCPA purposes, ashlr does not sell personal information and does not use it for any purpose beyond providing the contracted service.
2. Sub-processors
We engage the following sub-processors. We will notify customers at least 30 days before adding a material new sub-processor.
| Name | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing, subscription billing | US / global |
| Resend, Inc. | Transactional email delivery | US |
| Fly.io, Inc. | API backend hosting, compute | US-East (iad); EU on request |
| Neon, Inc. | Postgres database (accounts, stats, audit logs) | US-East; EU on request |
| Vercel, Inc. | Marketing site hosting | US / global CDN |
3. International data transfers
Personal data originating in the European Economic Area (EEA) or UK is transferred to the United States under the Standard Contractual Clauses (SCCs) adopted by the European Commission under GDPR Article 46(2)(c). We apply the 2021 SCCs (Module 2: controller-to-processor) in our agreements with each sub-processor listed above.
Enterprise customers requiring in-region EEA processing can request EU-region deployment — contact support@ashlr.ai.
4. Security measures
- Encryption in transit: all API traffic is encrypted with TLS 1.2 or higher.
- Encryption at rest: database volumes are AES-256 encrypted at the infrastructure level (Neon + Fly.io).
- Access control: production database access is limited to the API service account and named engineers. All human access requires MFA and is logged.
- Audit logs: all API authentication events and gated tool calls are logged with timestamps and retained for 7 years.
- Vulnerability management: dependencies are scanned continuously via GitHub Dependabot. Critical patches are applied within 72 hours.
5. Breach notification
In the event of a personal data breach, ashlr will notify affected customers without undue delay and in any event within 72 hours of becoming aware of the breach, to the extent required by GDPR Article 33. The notification will include, to the extent known at the time: the nature of the breach, the categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
6. Contact and DPO requests
ashlr does not currently meet the threshold requiring a formal DPO appointment under GDPR Article 37. Data protection inquiries, requests for a countersigned DPA, and data subject rights requests should be sent to: support@ashlr.ai. We aim to respond within 5 business days.