Deckle

Data Processing Agreement

Last updated: 2026-05-20

Deckle offers a signable Data Processing Agreement (DPA) to customers who require one for GDPR Article 28 or comparable regulatory obligations. The DPA references the EU Standard Contractual Clauses (2021/914) for transfers of personal data outside the EEA.

How to request

  1. Email legal@getdeckle.dev from your work address with your company name and the Deckle account email.
  2. We send the DPA as a DocuSign or PandaDoc envelope. Most customers receive it within one business day.
  3. Sign and return. The signed DPA is binding on both parties and supersedes the privacy summary in our privacy policy.

What the DPA covers

  • Categories of data subjects (your end users) and personal data we process.
  • Purpose and duration of processing.
  • Technical and organisational measures we apply (subprocessor controls, encryption in transit and at rest, access controls).
  • Subprocessor list — currently Clerk, Stripe, Resend, Fly.io, Anthropic.
  • Audit rights and breach-notification timelines (72 hours).
  • Standard Contractual Clauses for international transfers.

Self-hosting

If you run Deckle from our open-source repo on your own infrastructure, you are the data controller AND processor for your end users — Deckle has no access to the data. In that case a DPA between you and Deckle is not required for the data you process. You may still want one with your own hosting provider.

Questions about scope, subprocessors, or contractual edits? Reply to the email we send with the envelope. We engage on every reasonable request.