Data Processing Agreement
rag.art acts as processor for the personal data your organization (controller) submits to the service. This page summarizes the DPA. Download the signable PDF:
1. Subject matter and duration
Storage and processing of customer-provided documents and conversation data for the duration of the subscription agreement.
2. Technical and organizational measures
- Encryption at rest (AES-256) and in transit (TLS 1.2+).
- Role-based access controls, least privilege, audit logging.
- EU data residency (Frankfurt).
- Environment separation for production data.
3. Sub-processors
Supabase, OpenAI, Anthropic, Vercel, Stripe, Resend. See the PDF for the full list and purposes. We notify customers 30 days before adding or replacing a sub-processor.
4. International transfers
Covered by EU Standard Contractual Clauses (Commission decision 2021/914) where applicable.
5. Data subject rights assistance
rag.art exposes in-product endpoints for access and erasure: GET /api/compliance/data-export and POST /api/compliance/gdpr-delete. The controller is responsible for routing data subject requests.
6. Breach notification
Without undue delay and in any event within 72 hours of becoming aware, to security@rag.art.
7. Return or deletion
Upon termination, the controller may export data via the endpoint above within 30 days; after that period, data is deleted or anonymized.