Last updated: April 2026
Need a signed DPA? Contact us at team@datafoundry.app and we will send you our standard DPA for countersignature within one business day. This is available to all customers at no additional cost.
This Data Processing Agreement ("DPA") governs the processing of personal data by DataFoundry ("Processor") on behalf of the customer ("Controller") in connection with the DataFoundry SaaS platform. This DPA incorporates the Standard Contractual Clauses (SCCs) where applicable under GDPR.
DataFoundry processes personal data submitted by the Controller through the platform for the purpose of providing the annotation operations management service. Processing continues for the duration of the active subscription or trial period.
DataFoundry stores, retrieves, and organizes personal data on behalf of the Controller. This includes user account information (name, email, role) and any personal data contained within work items, audit logs, or vendor records created by the Controller.
Data subjects may include: Controller's employees and contractors (platform users), and individuals referenced in annotation work items or vendor records at the Controller's discretion.
DataFoundry agrees to: process personal data only on documented instructions from the Controller; ensure personnel authorized to process data are bound by confidentiality; implement appropriate technical and organizational security measures; assist the Controller in meeting data subject rights requests; notify the Controller of any data breaches without undue delay; delete or return all personal data on termination; provide all information necessary to demonstrate compliance with this DPA.
DataFoundry uses the following sub-processors: Supabase, Inc. (database infrastructure, US), Resend, Inc. (transactional email, US), Upstash, Inc. (caching/rate limiting, US), Sentry (error monitoring, US). Customers will be notified of any new sub-processors 30 days before engagement.
Where personal data is transferred from the EEA, UK, or Switzerland to sub-processors in third countries, such transfers are covered by Standard Contractual Clauses (2021/914/EU) or equivalent safeguards.
Upon termination of service, DataFoundry will retain personal data for a minimum of 12 months to enable reactivation or data export, unless the Controller requests earlier deletion. After the retention period, data is permanently deleted from all systems.
To request a signed DPA or for questions about data processing, contact team@datafoundry.app.