Skip to content
Back to Home
Legal

Data Processing Agreement

Last Updated: 10 July 2026

This Data Processing Agreement (DPA) supplements our Terms of Service. It outlines how Skeptral processes personal data on behalf of our enterprise and agency clients in compliance with global data protection laws like the GDPR and CCPA.

1. Roles of the Parties

For the purposes of applicable Data Protection Laws:

  • You (The Customer): Are the Data Controller of the personal data you feed into the Skeptral platform (e.g., user research transcripts, customer feedback logs).
  • Skeptral: Acts as the Data Processor.

2. Processing Instructions

Skeptral will only process Personal Data in accordance with your documented instructions, which include the use of the platform to generate insights, code, or analytics. We will not use Customer Data for any other purpose, including the training of generalised AI models, unless explicitly authorised.

3. Sub-processors

To deliver our services, Skeptral uses third-party sub-processors. Each is engaged under their standard data processing terms. Our current list, last updated 10 July 2026:

Sub-processorPurposeNotes
OpenRouterRoutes language-model processing to third-party model providers (Anthropic, Google, and others)Receives every prompt in order to relay it. Under the providers' API terms, inputs are not used to train their models.
PostHog (EU)Product analyticsEU-hosted. Memory-only until you opt in via the consent banner.
StripePayment processingHandles billing details directly, we never store card data.
ResendTransactional emailDossier delivery links, sign-in emails, and the opt-in daily verdict.
HetznerApplication hosting and database storageSingle-tenant server in Germany. We don't claim disk-level encryption at rest on this volume.

We will notify you at least 30 days prior to adding any new sub-processors, giving you the right to object.

4. Security Measures

Skeptral implements appropriate technical and organisational measures for a level of security matched to the risk, including:

  • Encryption of personal data in transit (HTTPS end to end).
  • Ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems.
  • Regular testing and evaluating of the effectiveness of security measures.

5. Incident Response

In the event of a Personal Data Breach, Skeptral will notify you without undue delay (and no later than 48 hours) after becoming aware of the breach, providing sufficient information to allow you to meet any reporting obligations.