Last updated: April 14, 2026
Capitalized terms not defined here have the meaning given in the Agreement. For purposes of this DPA:
Customer is the Controller. For Customer Personal Data Processed through the API proxy and document scanner, Customer is the Controller (under GDPR) and the Business (under CCPA). Customer determines the purposes and means of Processing.
Redacta is the Processor. For the same Customer Personal Data, Redacta acts as the Processor (under GDPR) and Service Provider (under CCPA) on Customer's behalf. Redacta will Process Customer Personal Data only for the limited and specified purposes of providing the Service in accordance with the Agreement, this DPA, and Customer's documented instructions.
Redacta's own data. Separately, Redacta acts as Controller for the limited account and operational data described in Sections 2.1, 2.2, 2.5, 2.6, and 2.7 of the Privacy Policy (account credentials, billing data, audit logs, usage metadata). This DPA does not apply to that data; the Privacy Policy governs it.
The Agreement (including the Privacy Policy and this DPA), the Service's configuration options, and any written instructions Customer provides through the dashboard or by email constitute Customer's complete and final documented instructions to Redacta for the Processing of Customer Personal Data. Redacta will not Process Customer Personal Data outside or inconsistent with these instructions, except as required by applicable law (in which case Redacta will, where legally permitted, notify Customer of the legal requirement before Processing).
Redacta will notify Customer if, in Redacta's opinion, an instruction from Customer infringes Data Protection Laws.
Redacta will ensure that personnel authorized to Process Customer Personal Data are bound by written confidentiality obligations or are subject to an appropriate statutory duty of confidence, and that access to Customer Personal Data is limited to those personnel who require it to perform the Service.
Redacta will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. The measures currently in place are described in Annex 2 (Technical and Organizational Measures) below. Redacta may update these measures from time to time provided that the updates do not materially decrease the overall level of protection.
General authorization. Customer grants Redacta general authorization to engage Sub-processors for the Processing of Customer Personal Data, subject to the conditions in this Section 6 and to the list of currently authorized Sub-processors in Annex 3 below.
Notice of new Sub-processors. Redacta will notify Customer at least thirty (30) days before adding a new Sub-processor that will Process Customer Personal Data, by updating Annex 3 and posting the change to the Sub-processor list at getredacta.com/dpa. Customer may object in writing to the addition of a new Sub-processor on reasonable data-protection grounds within the notice period; if the parties cannot resolve the objection in good faith, Customer may terminate the affected portion of the Service without penalty by notifying Redacta in writing.
Sub-processor obligations. Redacta will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, and will remain liable for the acts and omissions of its Sub-processors to the same extent as if they were Redacta's own.
Taking into account the nature of the Processing, Redacta will, to the extent legally permitted, promptly notify Customer of any request received directly from a Data Subject relating to Customer Personal Data, and will not respond to such requests except on documented instructions from Customer or as required by applicable law.
Redacta will provide reasonable assistance to Customer, by appropriate technical and organizational measures and insofar as possible, in fulfilling Customer's obligations to respond to Data Subject requests under applicable Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection).
Redacta will notify Customer without undue delay, and in any event within seventy-two (72) hours of confirmation, of any Security Incident affecting Customer Personal Data. The notification will include, to the extent then known:
Redacta will cooperate with Customer's reasonable requests for additional information about the Security Incident as it becomes available. Redacta's notification of or response to a Security Incident is not an acknowledgment by Redacta of any fault or liability with respect to the Security Incident.
Where Customer is required under Data Protection Laws to perform a data protection impact assessment or prior consultation with a supervisory authority in connection with the Service, Redacta will provide reasonable assistance to Customer, taking into account the nature of the Processing and the information available to Redacta.
Redacta will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. At Customer's written request, no more than once per twelve-month period and subject to reasonable confidentiality controls, Redacta will:
Redacta is a pre-launch organization that does not currently hold a SOC 2 Type II report. Customers requiring one as a condition of contracting should discuss this with Redacta before relying on the Service for regulated workloads.
US-only scope. The Service is offered to customers located in the United States only (see Section 3 of the Terms of Service). Redacta does not solicit or knowingly accept Customer Personal Data of Data Subjects in the European Economic Area, the United Kingdom, or Switzerland through the Service. Customer represents that its use of the Service complies with this scope restriction.
Standard Contractual Clauses (fallback). To the extent that Customer's use of the Service nevertheless involves the transfer of Personal Data from the EEA, the United Kingdom, or Switzerland to Redacta in the United States, the parties agree that the Standard Contractual Clauses (Module 3, processor-to-processor) are incorporated into this DPA by reference and apply to such transfers, with the United Kingdom International Data Transfer Addendum issued by the UK Information Commissioner applying as appropriate. The optional clauses of the SCCs are deemed deselected unless the parties expressly agree otherwise in writing. The choice of law for the SCCs is the law of the Republic of Ireland; the forum is the courts of Ireland; the docking clause (Clause 7) is included.
CCPA. For Personal Information of California residents, Redacta acts as a Service Provider as defined in Cal. Civ. Code § 1798.140(ag). Redacta will not Sell or Share (as those terms are defined in the CCPA) Personal Information received from Customer, will not retain, use, or disclose Personal Information for any purpose other than the business purposes specified in the Agreement, and will not retain, use, or disclose Personal Information outside of the direct business relationship between Redacta and Customer. Redacta certifies that it understands these restrictions and will comply with them.
Upon termination of the Agreement, and at Customer's written choice, Redacta will return all Customer Personal Data to Customer or delete it within thirty (30) days, except to the extent retention is required by applicable law or by automated backup systems from which prompt deletion is impractical. Token mappings (which contain encrypted Customer Personal Data) are subject to the configurable per-user retention schedule described in Section 2.3 of the Privacy Policy and are cryptographically purged on that schedule independent of account termination.
Customer may export scan metadata at any time during the term via the Reports CSV export feature in the dashboard.
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability in Section 12 of the Terms of Service. Any reference in this DPA to liability of a party means aggregate liability of that party under and in connection with the Agreement.
This DPA is effective as of the date Customer accepts the Terms of Service or first uses the Service, whichever is earlier, and continues for as long as Redacta Processes Customer Personal Data on Customer's behalf. In the event of any conflict between this DPA and the Terms of Service, this DPA controls with respect to the matters it addresses (data protection and Processing of Customer Personal Data).
This DPA is governed by the same law and subject to the same dispute-resolution provisions as the Terms of Service, except that the Standard Contractual Clauses referenced in Section 11 are governed by their own choice of law as set out there.
Subject matter: Provision of the Redacta PII scrubbing proxy and document scanner.
Duration: For the term of the Agreement, plus the limited retention periods described in the Privacy Policy.
Nature and purpose of Processing: Detection of personal data within Customer Content, replacement of detected values with deterministic placeholder tokens, forwarding of the scrubbed content to a third-party LLM provider on Customer's behalf, and restoration of the original values in the LLM's response before returning it to Customer's application.
Categories of Data Subjects: Individuals whose personal data is contained in Customer Content. The specific categories depend on Customer's use case and are determined by Customer.
Categories of Personal Data: Personal data may include, without limitation: names, email addresses, phone numbers, physical addresses, government identifiers (Social Security Numbers, driver's license numbers, passport numbers), payment card numbers, financial account numbers, IP addresses, and authentication credentials. The specific categories Processed depend on what Customer submits and are determined by Customer.
Sensitive Personal Data: Customer is responsible for ensuring that its use of the Service does not transmit Protected Health Information (PHI) as defined under HIPAA. Redacta does not sign Business Associate Agreements and is not a Business Associate. See Section 7 of the Terms of Service.
Frequency of Processing: Continuous, on demand, in response to Customer API requests and document uploads.
Redacta implements the following measures to protect Customer Personal Data. These measures are subject to continuous improvement and may be updated provided the overall level of protection is not materially decreased.
The following Sub-processors are authorized to Process Customer Personal Data as of the “last updated” date at the top of this DPA. Each Sub-processor is engaged under a written contract that imposes data protection obligations no less protective than those in this DPA.
| Sub-processor | Purpose | Location |
|---|---|---|
| OpenAI, Inc. | LLM inference for Customer requests routed to OpenAI models. Receives scrubbed request content (with PII replaced by placeholder tokens). | United States |
| Anthropic, PBC | LLM inference for Customer requests routed to Anthropic models. Receives scrubbed request content. | United States |
| Google LLC (Gemini API) | LLM inference for Customer requests routed to Google Gemini models via the Google Generative Language API. Receives scrubbed request content. | United States |
| Amazon Web Services, Inc. | Hosting (compute, database, storage, networking) for the Service. AWS is a passive infrastructure provider and does not access the contents of Customer Personal Data. | United States (us-east-1) |
| Stripe, Inc. | Payment processing for Customer subscriptions. Receives Customer's email address, Stripe customer ID, and subscription metadata. Does not receive Customer Personal Data Processed through the proxy or scanner. | United States |
| GitHub, Inc. | OAuth identity provider for sign-in. Receives authentication handshake data only; does not receive Customer Personal Data Processed through the Service. | United States |
| Google LLC (OAuth) | OAuth identity provider for sign-in. Receives authentication handshake data only. Note that Google LLC also appears above as a Gemini API Sub-processor; the two roles are separate. | United States |
Customers may request automatic notice of changes to this list by emailing legal@getredacta.com with the subject line “Subscribe: Sub-processor changes.”
For questions about this DPA, to request a counter-signed copy, or to submit data protection inquiries, contact legal@getredacta.com.
Sandia Development Group, LLC
New Mexico, United States