Data Processing Addendum

This page summarizes how ActPass processes data on your behalf. It is a plain-language overview — not the agreement itself.

A countersignable DPA (with the current sub-processor list and Standard Contractual Clauses) is available on request for customers and design partners. Email legal@actpass.org and we will send the executable document.

Roles & scope

ActPass acts as a data processor for the limited personal data contained in agent actions, approvals, and evidence records that you route through the service. You remain the controller.

Sub-processors

We use a small set of infrastructure sub-processors (hosting, managed Postgres, error monitoring, and analytics). The current list, and changes to it, are provided to customers under the executed DPA with advance notice of additions.

Data residency

Production data is stored in the region configured for your deployment. Self-hosted and enterprise deployments keep all data within your own infrastructure.

Security measures

Encryption in transit and at rest, AES-256-GCM envelope encryption for vaulted credentials, strict tenant isolation, and an append-only, tamper-evident evidence ledger. See the Security page for detail.

Breach notification

We will notify affected customers without undue delay after becoming aware of a personal-data breach, with the information needed to meet your own notification obligations.

Data subject requests & deletion

We assist with access, correction, and deletion requests, and we delete or return customer data on termination, subject to the immutable nature of signed evidence records you have explicitly chosen to retain.

International transfers

Where personal data is transferred across borders, transfers are governed by Standard Contractual Clauses or an equivalent lawful mechanism in the executed DPA.

This overview does not modify or replace the executed DPA or our Terms. Where they conflict, the executed agreement controls. See also our Privacy Policy and Security overview.