Data Processing Addendum
Last updated: 2026-06-06
1. Parties
This addendum supplements the Terms of Service between Customer ("Controller") and MobileByteSensei Pvt Ltd ("Processor"). It applies when Customer processes Personal Data of EU/UK/India data subjects through PayCraft.
2. Subject Matter
Processor processes Personal Data on behalf of Controller to deliver the PayCraft Service — namely subscriber emails, device identifiers, subscription state, and audit metadata.
3. Duration
Processing continues for the duration of the Terms of Service. Upon termination, Personal Data is deleted within 30 days unless legal retention applies.
4. Security
Processor maintains technical and organizational measures aligned with SOC 2 Type 1 (Type 2 in progress), including: encryption at rest (pgcrypto), encryption in transit (TLS 1.3), Row-Level Security on all tenant-scoped tables, append-only audit logs, MFA on production access, and quarterly access reviews.
5. Subprocessors
PayCraft engages the following subprocessors to deliver the service. Processor notifies Controller 30 days before adding a new subprocessor. Controller may object; if unresolved within 30 days, either party may terminate.
| Subprocessor | Purpose | Region | Security |
|---|---|---|---|
| Supabase | Postgres database, Auth, Edge Functions | US (default), EU on request | supabase.com |
| Vercel | Dashboard hosting + global edge CDN | Global edge | vercel.com |
| Stripe, Inc. | Card capture + payment processing (PCI DSS Level 1) | US / EU / IN | stripe.com |
| Razorpay Software Private Ltd. | Card capture + payment processing — India (PCI DSS Level 1) | IN | razorpay.com |
| Resend, Inc. | Transactional email (welcome, support auto-reply, alerts) | US | resend.com |
| Cloudflare R2 | Encrypted database backup storage (Phase 3 DR) | Global | www.cloudflare.com |
| Sentry, Functional Software, Inc. | Error tracking + observability (PII-masked) | US / EU | sentry.io |
| Google LLC | OAuth sign-in for dashboard authentication | Global | safety.google |
| GitHub, Inc. | Source code + CI/CD pipelines | US | github.com |
Last updated: 2026-06-17. For changes, see CHANGELOG.md.
6. Data Subject Rights
Processor will assist Controller in responding to data subject access, rectification, and erasure requests. Standard turnaround: 30 days.
7. Breach Notification
Processor notifies Controller within 72 hours of confirming a Personal Data breach affecting Controller's tenant.
8. International Transfers
Personal Data is primarily stored in the US East region. EU Standard Contractual Clauses are incorporated by reference. EU-residency hosting is available on Enterprise tier.
9. Audits
Controller may request a SOC 2 report or completed CAIQ questionnaire under NDA. On-site audits are subject to mutual scheduling and reasonable fees.
10. Termination
Personal Data is deleted within 30 days of contract termination unless retention is required by law. Deletion from backups completes within 90 days.
11. Contact
For DPA execution, email legal@paycraft.mobilebytesensei.com.