Data Processing Addendum

For customer-provided files and workflow content, customer acts as controller and Deliteful acts as processor.

For Deliteful account administration, security, and legal compliance, Deliteful may act as an independent controller.

Processing is limited to executing requested file-processing tasks and delivering outputs. Deliteful processes data according to documented customer instructions through product configuration and API calls.

Depending on customer use, processed data may include:

• Uploaded file contents and generated outputs
• Account identifiers and job metadata
• Diagnostic metadata needed for support and security

• Cloudflare (R2 storage, DNS, traffic protection)
• Modal (isolated compute execution)
• Supabase (authentication and database)
• Vercel (application hosting and delivery)
• Lemon Squeezy (billing and invoicing, controller role for payments)

• Encryption in transit over HTTPS
• Access controls and secrets management
• Isolated execution environments for processing
• Automatic retention-based deletion for temporary files
• Database row-level access controls via Supabase

Data may be processed outside the customer's jurisdiction, including in the United States, through subprocessors. Appropriate transfer safeguards are applied where required under applicable law.

Uploaded files and generated outputs are automatically deleted under plan retention rules. Account and billing records are retained only as required for service delivery, compliance, fraud prevention, and dispute resolution.

Where applicable, Deliteful provides reasonable assistance for controller requests related to access, deletion, or correction, taking into account the nature of processing and technical constraints.

Deliteful will take reasonable steps to investigate and remediate confirmed security incidents and provide notice where required by applicable law.

Questions regarding this DPA can be submitted through our support page.