Data Processing Agreement
This Data Processing Agreement (DPA) supplements our Terms of Service. It outlines how Skeptral processes personal data on behalf of our enterprise and agency clients in compliance with global data protection laws like the GDPR and CCPA.
1. Roles of the Parties
For the purposes of applicable Data Protection Laws:
- You (The Customer): Are the Data Controller of the personal data you feed into the Skeptral platform (e.g., user research transcripts, customer feedback logs).
- Skeptral: Acts as the Data Processor.
2. Processing Instructions
Skeptral will only process Personal Data in accordance with your documented instructions, which include the use of the platform to generate insights, code, or analytics. We will not use Customer Data for any other purpose, including the training of generalised AI models, unless explicitly authorised.
3. Sub-processors
To deliver our services, Skeptral uses third-party sub-processors. Each is engaged under their standard data processing terms. Our current list, last updated 10 July 2026:
| Sub-processor | Purpose | Notes |
|---|---|---|
| OpenRouter | Routes language-model processing to third-party model providers (Anthropic, Google, and others) | Receives every prompt in order to relay it. Under the providers' API terms, inputs are not used to train their models. |
| PostHog (EU) | Product analytics | EU-hosted. Memory-only until you opt in via the consent banner. |
| Stripe | Payment processing | Handles billing details directly, we never store card data. |
| Resend | Transactional email | Dossier delivery links, sign-in emails, and the opt-in daily verdict. |
| Hetzner | Application hosting and database storage | Single-tenant server in Germany. We don't claim disk-level encryption at rest on this volume. |
We will notify you at least 30 days prior to adding any new sub-processors, giving you the right to object.
4. Security Measures
Skeptral implements appropriate technical and organisational measures for a level of security matched to the risk, including:
- Encryption of personal data in transit (HTTPS end to end).
- Ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems.
- Regular testing and evaluating of the effectiveness of security measures.
5. Incident Response
In the event of a Personal Data Breach, Skeptral will notify you without undue delay (and no later than 48 hours) after becoming aware of the breach, providing sufficient information to allow you to meet any reporting obligations.