Data Processing Agreement (DPA)
Last updated: April 2026
Data Processing Roles
Predax acts as a processor for customer-submitted IP data used with the API. Customers are controllers of their own end-user data. Where Predax processes data about its own registered users (account information, billing, usage), Predax acts as a controller.
Subprocessors
Predax uses the following subprocessors to deliver the Service. Transfers from the UK to US processors are governed by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU Standard Contractual Clauses.
| Subprocessor | Country | Purpose | Transfer Basis |
|---|---|---|---|
| Stripe, Inc. | USA | Payment processing | UK IDTA / UK Addendum to EU SCCs |
| Twilio SendGrid | USA | Transactional email delivery | UK IDTA / UK Addendum to EU SCCs |
| OpenAI, L.L.C. | USA | AI support chatbot | UK IDTA / UK Addendum to EU SCCs |
| Hostinger UK Limited | United Kingdom | Server infrastructure and storage | UK domestic (no transfer) |
Predax will notify customers of material subprocessor changes with at least 14 days' notice via email or in-product notification.
Security Measures
Encryption in transit (TLS 1.3), network isolation, least-privilege access controls, audit logging, and API key rotation are enforced across all systems.
Data Subject Requests
Predax will assist controllers in fulfilling data subject rights requests (access, erasure, portability, restriction) where applicable and within a reasonable timeframe.
Retention
Logs and derived data are retained per plan defaults (typically 30–90 days for raw logs). Raw integration telemetry is deleted after 90 days. Customers may request deletion or shorter retention periods where technically supported.
