Compliance & Data Processing

Last updated: 2026-04-20 · Version 2.0.0

1. Data Controller

Holistic Quality LLC, US (Ohio, USA)

Contact: privacy@holisticquality.io

2. Data Processing Agreements

Under GDPR Article 28, we maintain Data Processing Agreements with all sub-processors that handle personal data on our behalf.

| Processor | Jurisdiction | Data Location | DPA Status | DPA | Executed |
|---|---|---|---|---|---|
| Cloudflare | US (global edge network) | Global edge network | in_force | View DPA | 2026-04-03 |
| Upstash | EU (Ireland) | eu-west-1 (AWS Ireland) | in_force | View DPA | 2025-04-01 |
| Vercel | US | iad1 (US-East) and global edge | in_force | View DPA | 2026-03-31 |
| Resend | US | US | in_force | View DPA | 2025-12-31 |
| Stripe | US | US | in_force | View DPA | Per active SSA |

Action required: Processors with "Pending" status require DPA execution. This page will be updated once agreements are in place.

3. International Data Transfers

For processors located outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission (2021 Decision) to ensure adequate data protection.

| Processor | SCCs Required | SCCs Status | Transfer Mechanism |
|---|---|---|---|
| Cloudflare | Yes | in_force | 2021 EU Commission SCCs (Module 2 Controller→Processor) incorporated in Cloudflare DPA v6.4; UK IDTA Addendum B1.0; Swiss FADP terms; EU-U.S./UK-U.S./Swiss-U.S. Data Privacy Framework; Global CBPR/PRP System |
| Upstash | No | N/A | N/A — data stored in EU (eu-west-1); no cross-border transfer from EU controller perspective for this data category |
| Vercel | Yes | in_force | 2021 EU Commission SCCs incorporated in Vercel DPA; UK IDTA Addendum; Swiss FADP; EU-U.S. Data Privacy Framework (Vercel DPF-certified) |
| Resend | Yes | in_force | 2021 EU Commission SCCs incorporated in Resend DPA; EU-U.S. Data Privacy Framework (Resend DPF-certified) |
| Stripe | Yes | in_force | 2021 EU Commission SCCs and Data Transfers Addendum incorporated in Stripe DPA/SSA; PCI-DSS Level 1 certified processor |

4. Data Flow Details

Detailed breakdown of data categories, retention periods, and encryption for each processor.

Cloudflare — DNS, CDN, edge security, DDoS protection, bot management, edge rate limiting

Jurisdiction: US (global edge network) · Data location: Global edge network · Encryption: TLS 1.2/1.3 in transit, encrypted at rest

Data categories:

| Data Type | Retention |
|---|---|
| edge security logs | Per Cloudflare provider policy (typically 7-30 days) |
| bot management data | Per Cloudflare provider policy |

Cloudflare sub-processor list

Upstash — Serverless Redis — hashed API key storage, rate limiting, account records

Jurisdiction: EU (Ireland) · Data location: eu-west-1 (AWS Ireland) · Encryption: TLS in transit, AES-256 at rest (Upstash-managed keys)

Data categories:

| Data Type | Retention |
|---|---|
| api keys active | Duration of active subscription (max 24 months idle on paid keys per Terms) |
| api keys post cancellation | 90 days baseline; up to 120 days if open Stripe chargeback/dispute window applies |
| trial flags | 30 days (auto-TTL) |
| usage metadata | 90 days (auto-TTL) |
| rate limits | 24 hours (auto-TTL) |
| inquiry data | 30 days (auto-TTL) |
| encrypted backups | Roll off within 35 days of source-record deletion |

Upstash sub-processor list

Vercel — Serverless compute, website hosting, infrastructure logs

Jurisdiction: US · Data location: iad1 (US-East) and global edge · Encryption: TLS 1.3 in transit, encrypted at rest

Data categories:

| Data Type | Retention |
|---|---|
| function logs | 30 days (Vercel default) |
| cdn cache | Per Cache-Control headers |

Vercel sub-processor list

Resend — Transactional email delivery (API key issuance, security advisories, rights-request verification)

Jurisdiction: US · Data location: US · Encryption: TLS in transit

Data categories:

| Data Type | Retention |
|---|---|
| email logs | 28 days (Resend retention policy) |

Resend sub-processor list

Stripe — Payment processing and subscription management (direct-issued customers only)

Jurisdiction: US · Data location: US · Encryption: TLS 1.2+ in transit, AES-256 at rest (Stripe managed)

Data categories:

| Data Type | Retention |
|---|---|
| billing data | Per Stripe retention policy |

Stripe sub-processor list

5. Your Rights

For your full data subject rights (access, erasure, rectification, portability), see our Privacy Policy.

To exercise your right to erasure: POST /api/keys/erasure with your email address.

6. Review Schedule

This compliance documentation is reviewed quarterly. Next scheduled review: 2026-07-20.

Material changes to sub-processors or data handling will be reflected here and noted in the API changelog.
