Data Processing Agreement
When The Octane processes personal data on behalf of a business customer acting as a controller, The Octane acts as processor under this DPA. Effective 2026-06-17.
Roles
The Octane is the processor. The business customer is the controller of team member and transaction data.
We process data only on documented instructions from the controller.
Security
We apply appropriate technical and organizational measures: encryption at rest and in transit, role-based access control, audit logs, and regular security reviews.
Sub-processors
We use the following sub-processors: Supabase (Zurich; database, auth and storage), Resend (email delivery), Vercel (hosting), Stripe (payments).
We will notify controllers of material sub-processor changes at least 30 days in advance.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Managed Postgres database, Auth and Storage for all user data. | Switzerland (Zurich region, eu-central-2) |
| Vercel Inc. | Application hosting, edge delivery, build artefacts. | Global edge with European primary region |
| Resend (Plus Five Five, Inc.) | Transactional and authentication email delivery (verification codes, password resets, invitations, alerts), via SMTP relay. | United States / EU |
| Stripe Payments Europe, Ltd. | Subscription billing and payment processing. Card data is entered directly with Stripe and never reaches The Octane's servers. | Ireland / United States |
| GitHub Inc. | Source code hosting, CI, cron scheduling for background jobs. | United States |
| Functional Software, Inc. (Sentry) | Error and performance telemetry. Only active when SENTRY_DSN is set; all events pass through The Octane's PII scrubber before leaving the process. | United States |
| Amazon CloudFront | Static asset delivery for the marketing hero video. | Global edge |
Data subject rights
We assist controllers in responding to data subject rights requests (access, rectification, erasure, portability) within 72 hours of receiving a request.
Breach notification
We notify controllers of a confirmed personal data breach within 72 hours of becoming aware, including the nature of the breach, categories of data affected, and remediation steps taken.