Back to Home

Data Processing Agreement

Last updated: May 25, 2026

This DPA forms part of the Terms when EdgeFlow processes personal data on behalf of a Customer (you).

1. Roles

Customer is the Controller; EdgeFlow is the Processor for trade and journal data submitted to the Service.

2. Subject and Duration

Processing for the term of the subscription, for the purpose of delivering the Service.

3. Categories of Data

Trade records, journal text, emotional tags, AI conversation history.

4. Sub-processors

Current sub-processors: hosting (Vercel), database (Supabase, EU region), AI inference (Anthropic, OpenAI), payments (LemonSqueezy), email (Resend, transactional email). We will notify Customer of new sub-processors 14 days in advance.

5. Security

TLS, encryption at rest, least-privilege access, audit logs.

6. Data Subject Rights

EdgeFlow will assist Customer in responding to data subject requests at reasonable cost.

7. Breach Notification

EdgeFlow will notify Customer of a confirmed data breach affecting Customer data within 72 hours of discovery.

8. Audits

Customer may request a SOC2 report (if available) once per 12 months.

9. Return / Deletion

On termination, data is deleted within 30 days unless retention is required by law.

10. Governing Law

As per Terms.