
Data Processing Agreement

Effective date: June 11, 2026

1. Overview and parties

This Data Processing Agreement ("DPA") forms part of the Terms of Service between pail ("we", "us", the "Processor") and the customer accepting the Terms (the "Controller"). It applies whenever we process personal data on your behalf in the course of providing the Service, and it reflects the requirements of the EU General Data Protection Regulation ("GDPR") and the UK GDPR.

This DPA is incorporated by reference into the Terms and applies automatically — no signature is required. If your compliance process requires a countersigned copy, email privacy@thalos.ai and we will return one.

2. Definitions

"Personal data", "processing", "controller", "processor", "data subject", and "supervisory authority" have the meanings given in the GDPR. "Customer Data" means personal data contained in artifacts you or your agents upload to the Service, plus account data we process to operate your tenancy.

3. Scope and roles

For Customer Data inside artifacts, you are the controller and we are the processor: we process that content only to store it, serve it at its URL, render it as HTML, and generate preview images — never for any independent purpose. For account, billing, and usage data we need to run the Service itself, we act as an independent controller as described in the Privacy Policy.

We process Customer Data only on your documented instructions, which are: the Terms, this DPA, and your use of the Service's APIs and tools. We will inform you if we believe an instruction infringes applicable data protection law.

4. Processing purposes and details

  • Nature and purpose: hosting, storage, retrieval, rendering, and delivery of artifacts (files, text, diagrams, notebooks, previews) shared through the Service; generation of OG preview images; delivery of notifications you configure.
  • Duration: the TTL of each artifact, or until you revoke it or delete your account, plus the deletion windows described in the Data Deletion policy.
  • Categories of data subjects: your end users, employees, contractors, and any individuals whose personal data appears in content you upload.
  • Types of personal data: whatever you choose to include in artifacts. The Service is not designed for special-category data; do not upload it.

5. Subprocessors

You authorize the following subprocessors, which we use to deliver the Service:

  • Hetzner Online GmbH — server infrastructure and primary storage. Germany (EU).
  • Cloudflare, Inc. (R2) — object storage for artifact blobs, plus DNS, DDoS protection, and TLS termination. United States / global edge.
  • Stripe, Inc. — payment processing and subscription management. United States.
  • Resend, Inc. — transactional email delivery. United States.
  • Functional Software, Inc. (Sentry) — error monitoring; receives request metadata and stack traces, never artifact content. United States.

We will give at least 30 days' notice before adding or replacing a subprocessor, via the blog at /blog or by email. If you object on reasonable data protection grounds and we cannot resolve the objection, you may terminate the affected service and receive a pro-rated refund per the Refunds policy. Each subprocessor is bound by a written agreement imposing data protection obligations no less protective than this DPA.

6. International transfers

Customer Data is stored primarily on Hetzner servers in Germany (EU). Where a subprocessor processes personal data outside the EEA or UK in a country without an adequacy decision, the transfer is governed by the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module Two: controller-to-processor, or Module Three: processor-to-processor, as applicable), and for UK transfers by the UK International Data Transfer Addendum. The SCCs are incorporated into our subprocessor agreements or this DPA by reference.

7. Security

We implement technical and organizational measures appropriate to the risk, including TLS encryption in transit, hashed API keys and tokens, per-tenant isolation of storage and data access, least-privilege infrastructure access, and daily encrypted database backups. Details are summarized in the security section of the Privacy Policy. We ensure persons authorized to process Customer Data are bound by confidentiality obligations.

8. Data subject requests

Taking into account the nature of the processing, we will assist you with reasonable technical measures to fulfil data subject requests (access, correction, deletion, portability, objection). The Service's revoke and deletion endpoints let you remove specific artifacts directly. If a data subject contacts us directly about Customer Data, we will refer them to you and not respond except as required by law.

9. Personal data breach

We will notify you without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Data, and will provide information reasonably required for you to meet your own notification obligations.

10. Deletion and return

On termination of the Service, or on request, we delete Customer Data per the timelines in the Data Deletion policy (artifacts on TTL expiry or revocation; full account data within 30 days of account deletion), except where retention is required by law. You can export your data at any time before deletion via the API.

11. Audits

We will make available information reasonably necessary to demonstrate compliance with this DPA and, no more than once per year, allow for audits — normally satisfied by providing documentation, security summaries, and answers to a reasonable security questionnaire. On-site audits require 30 days' notice, must not disrupt the Service, and are at your expense.

12. Contact

DPA questions and countersignature requests: privacy@thalos.ai
