Data Processing Addendum (DPA) Template
This is our standard DPA template. It is executed per-customer after legal review. Request a signed copy at security@getdeplo.com. The commitments in it are drawn from Deplo’s actual, shipped practices (see the privacy policy and Trust & Security), so the template promises only what the product already keeps. Bracketed fields are filled in per customer.
This DPA forms part of the agreement between [Customer legal name] (“Customer”, the data controller) and Deplo (“Processor”), operated by [legal entity/sole proprietor name], for the services described at getdeplo.com (the “Services”).
1. Scope and roles
Customer is the controller of personal data processed through the Services; Deplo is the processor. Deplo processes personal data only on Customer’s documented instructions, as expressed through Customer’s use of the Services.
2. Data processed
- Account data: names, email addresses, workspace membership of Customer’s users.
- Salesforce metadata: API names, labels, descriptions of objects, fields, automation, and permission structures, when Customer connects an org or invokes an AI feature. Deplo does not bulk-export Salesforce records.
- AI-feature content: the specific metadata or text a user submits with an AI action (e.g. a formula, a flow definition, an error message, which may incidentally quote record values Salesforce embeds in error text).
- Extension direct-mode tools process no data on Deplo servers and are outside processing scope: they operate entirely within the user’s browser against Customer’s own Salesforce org.
3. Security measures
- Encryption in transit (TLS) for all traffic.
- Encryption at rest for stored credentials and tokens (AES-256-GCM with key rotation support) and for stored AI conversation content.
- AI response caches are encrypted with keys derived from the request itself; cached responses cannot be browsed or bulk-decrypted.
- Two-factor authentication available for all accounts; passwords stored bcrypt-hashed; API rate limiting on all endpoints.
- Access to production systems is limited to [named operator(s)].
4. Subprocessors
Customer consents to the following subprocessors. Deplo will give 30 days’ notice before adding a subprocessor that receives Customer data.
| Subprocessor | Purpose | Location |
|---|---|---|
| Anthropic, PBC | AI processing (Claude API, commercial terms: no training on inputs/outputs, ~30-day retention) | USA |
| Supabase | Database hosting | USA |
| Render | Application hosting | USA |
| Vercel | Web hosting | USA |
| Stripe | Billing | USA |
| Sentry | Error reporting (opt-in only, scrubbed) | USA |
5. Retention and deletion
- Investigate conversations auto-delete after 90 days of inactivity and can be deleted immediately by the user (hard delete, no grace period).
- AI response caches expire within 1–7 days.
- On termination, Deplo deletes Customer personal data within 30 days, except where retention is legally required.
- Customer may export its data at any time via the self-serve workspace export (Settings → Data & retention).
6. Breach notification
Deplo will notify Customer without undue delay, and in any case within 72 hours, after becoming aware of a personal data breach affecting Customer data, with the information reasonably required for Customer’s own obligations.
7. Assistance and audits
Deplo will reasonably assist Customer with data-subject requests and supervisory-authority inquiries. Once per year, on 30 days’ notice, Customer may request Deplo’s completed security questionnaire and documentation of the measures in §3 in lieu of an on-site audit.
8. International transfers
Where processing involves transfers from the EEA/UK, the parties incorporate the EU Standard Contractual Clauses (module 2, controller→processor) by reference. [Lawyer: confirm module choice and UK addendum.]
Signatures: [Customer] / [Deplo], date.