Data Processing Agreement (DPA)

Last updated: April 2026

Data Processing Roles

Predax acts as a processor for customer-submitted IP data used with the API. Customers are controllers of their own end-user data. Where Predax processes data about its own registered users (account information, billing, usage), Predax acts as a controller.

Subprocessors

Predax uses the following subprocessors to deliver the Service. Transfers from the UK to US processors are governed by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU Standard Contractual Clauses.

SubprocessorCountryPurposeTransfer Basis
Stripe, Inc.USAPayment processingUK IDTA / UK Addendum to EU SCCs
Twilio SendGridUSATransactional email deliveryUK IDTA / UK Addendum to EU SCCs
OpenAI, L.L.C.USAAI support chatbotUK IDTA / UK Addendum to EU SCCs
Hostinger UK LimitedUnited KingdomServer infrastructure and storageUK domestic (no transfer)

Predax will notify customers of material subprocessor changes with at least 14 days' notice via email or in-product notification.

Security Measures

Encryption in transit (TLS 1.3), network isolation, least-privilege access controls, audit logging, and API key rotation are enforced across all systems.

Data Subject Requests

Predax will assist controllers in fulfilling data subject rights requests (access, erasure, portability, restriction) where applicable and within a reasonable timeframe.

Retention

Logs and derived data are retained per plan defaults (typically 30–90 days for raw logs). Raw integration telemetry is deleted after 90 days. Customers may request deletion or shorter retention periods where technically supported.

For signed DPA copies or questions, contact [email protected]