Doc2iXBRL
Data Processing Agreements

Data Processing Agreements

Overview of our Data Processing Agreements (DPAs) with sub-processors, as required under GDPR Article 28.

Last updated: March 2026

About our DPAs

Under Article 28 of the General Data Protection Regulation (GDPR), we are required to have a written Data Processing Agreement in place with each sub-processor that processes personal data on behalf of our users. This page provides an overview of the DPAs we have in place with our sub-processors.

Vercel Inc.

Frontend hosting and delivery

Vercel hosts our web application and processes minimal personal data such as IP addresses, cookies, and request metadata through their content delivery network.

Incorporated via Terms of ServiceActive
DateMarch 31, 2023
SCCsEU Standard Contractual Clauses (2021/914) included
SecuritySOC 2 Type 2, AES-256 encryption at rest, TLS 1.2+ in transit
Governing lawIrish law
Contactprivacy@vercel.com
View DPASub-processors

GitHub, Inc.

Source code hosting and version control

GitHub hosts our source code repositories and manages version control. The codebase may contain configuration files, environment variable references, and development artifacts. GitHub acts as Processor for Customer Personal Data under their DPA.

Incorporated via GitHub Customer AgreementActive
DateOctober 2025
SCCsEU Standard Contractual Clauses (2021/914) included, governed by Dutch law
SecuritySOC 1 Type 2, SOC 2 Type 2, ISO 27001, EU-US Data Privacy Framework
Governing lawDutch law
Contactprivacy@github.com
View DPASub-processors

Supabase, Inc.

Database, authentication, and file storage

Supabase stores all user data, authentication records, uploaded documents, and conversion results.

Data Processing AddendumActive
DateMarch 25, 2026
SCCsEU Standard Contractual Clauses (2021/914) included
SecurityAES-256 encryption at rest (FIPS 140-2 HSMs), TLS 1.2+ in transit, daily backups
Governing lawIrish law
Contactprivacy@supabase.io
View DPASub-processors

Fly.io, Inc.

Backend application hosting

Fly.io hosts our backend processing infrastructure in the Amsterdam (AMS) region. Document content is processed in memory during conversions.

Data Processing AddendumActive
DateMarch 25, 2026
SCCsEU Standard Contractual Clauses (2021/914) included
SecurityInfrastructure isolated per organization, TLS in transit
Governing lawCalifornia law (SCCs: Irish law)
Contactfinance@fly.io
View DPA

OpenRouter (Crusoe Energy Systems)

AI inference routing

OpenRouter routes AI inference requests to model providers for document analysis, classification, and taxonomy mapping. Document content may include personal data.

OpenRouter (Crusoe Energy Systems)Requested

DPA has been requested from OpenRouter. This section will be updated once the agreement is in place.

DeepInfra

PDF OCR preprocessing

DeepInfra provides OCR services (OlmOCR) for extracting text from scanned PDF documents. PDF page content is sent to their inference API with a zero-retention policy.

DeepInfraRequested

DPA has been requested from DeepInfra. This section will be updated once the agreement is in place.

Questions

If you have questions about our data processing agreements or our sub-processors, please contact Ontos B.V..

Ontos B.V.

CoC: 42011303

VAT: NL869277571B01

Email: contact@doc2ixbrl.com