Data Processing Agreement

Scope

This Data Processing Agreement (DPA) applies to the processing of personal data by Satcove (operated by Abyssal Group, the “Processor”) on behalf of the customer (the “Controller”) who subscribes to a Business or Enterprise plan.

Data processed

• Account data: email address, full name, plan type.
• Usage data: AI model used, token counts, request timestamps.
• Transaction data: payment amounts, Stripe customer ID.
• Content data: conversation content (processed in transit, not stored unless the user enables history).

Sub-processors

• Supabase (EU) — database and authentication.
• Stripe (US, SCCs) — payment processing.
• Vercel (EU region) — hosting and edge compute.
• Resend (US, SCCs) — transactional email.
• AI Providers: Anthropic, Google, OpenAI, Mistral, xAI, Perplexity — model inference only, no data retention.

Security measures

All data is encrypted at rest (AES-256) and in transit (TLS 1.3). API keys are hashed with SHA-256. Row-level security is enforced on all database tables. Access to production infrastructure is limited to authorized personnel.

Data breach notification

In the event of a personal data breach, we will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach.

Request a signed DPA

Business and Enterprise customers can request a signed DPA — contact us.