Legal
Data processing agreement
Effective 2026-05-28
This DPA forms part of the Cantila Terms of Service and governs Cantila's processing of personal data on behalf of customers (controllers) under GDPR, UK GDPR, and equivalent regimes.
1. Roles
- You are the controller — you decide why and how the personal data of your end users is processed.
- Cantila is the processor — we process personal data only on your documented instructions.
- The plan tier you subscribe to, the configuration you set in the Console, and the operations you initiate through the API / CLI / MCP are your documented instructions.
2. Scope and duration
Cantila processes personal data only as long as needed to provide the service, plus a 30-day grace period after account deletion for accidental-deletion recovery. After that, data is purged from primary storage and backups age out within 30 days.
3. Categories of data and data subjects
- Account holders — name, email, hashed password, OIDC subject.
- Billing contacts — name, billing address, last-4 of payment instrument.
- End users of customer applications — whatever the customer stores in their database, mailbox, or SMS history, plus traffic metadata (method, path, status, latency).
4. Security measures
- TLS 1.2+ on every public endpoint.
- AES-256-GCM encryption at rest for secrets and environment variable values.
- Per-account envelope keys under a master CANTILA_SECRET_KEY.
- Per-key API scoping; bcrypt password hashing.
- Firewalled admin endpoints; immutable audit log of every mutation.
- Backups are encrypted, regional, and retained 30 days.
5. Subprocessors
Cantila uses a small set of subprocessors listed at cantila.app/legal/subprocessors. Cantila notifies controllers at least 30 days before adding a new subprocessor that handles personal data. Controllers may object; if the objection isn't resolvable, the controller may terminate with a pro-rated refund for the unused portion of any prepaid term.
6. International transfers
Cantila's production region is Hetzner FSN1 (Germany). Transfers to Stripe (US) and other subprocessors outside the EEA are covered by Standard Contractual Clauses (2021/914 Module 3, where Cantila is the processor and the subprocessor is the sub-processor).
7. Data subject requests
Cantila will forward any data-subject request it receives to the relevant controller within 5 business days. Cantila supports the controller in fulfilling access, correction, deletion, and portability requests through the export and delete tooling in the Console.
8. Personal data breach notification
Cantila will notify controllers within 72 hours of becoming aware of a personal data breach affecting their data. The notification will include what we know about scope, impact, and remediation, and will be updated as the investigation progresses.
9. Audit rights
Controllers may request a summary of Cantila's security controls once per 12-month period; for deeper review (penetration test reports, SOC 2 once Cantila achieves it), Cantila will provide them under NDA on reasonable request.
10. Liability and termination
Liability under this DPA is subject to the limitations in the Terms of Service. Either party may terminate this DPA on the same notice as the Terms.
11. Contact
Data Protection Officer: dpo@cantila.app.
Cantila will provide a counter-signed copy of this DPA on request to legal@cantila.app.