k_ Keyline

Data Processing Agreement

Effective July 14, 2026

This DPA is part of the Terms of Service and applies automatically to every customer. No signature needed. If your compliance process requires a countersigned copy, email support@keyline.sh and we will provide one.

You (the customer) are the controller of the personal data in your workspace. We (Keyline, operated by a sole proprietor based in Bulgaria) are your processor under Article 28 GDPR.

1. What processing looks like here

Keyline is zero-knowledge by design. Secret values are encrypted on your devices before upload; we hold ciphertext we cannot decrypt. The personal data we actually process for you is small:

DataSubjectsPurpose
Emails, names, workspace rolesYour team membersAccounts, invitations, sign-in
Device public keysYour team membersAuthentication and key wrapping
Audit events (who did what, when)Your team membersThe tamper-evident audit log you rely on
Short-lived technical logs (IPs)Your team membersSecurity and debugging

Duration: while your workspace exists. Nature: hosting, storage, transmission. We process this data only to run the service.

2. Our obligations

3. Subprocessors

You authorize these subprocessors. We remain responsible for them.

SubprocessorRoleLocation
VercelApplication hostingUSA/EU
NeonDatabase hostingEU region
ResendTransactional email (invitations, sign-in links)USA
Functional Software (Sentry)Error monitoring, scrubbed before sendEU (Germany)

Paddle handles billing as an independent merchant of record, not as our subprocessor. The public audit anchors contain only hashes, no personal data.

We will update this page at least 14 days before adding or replacing a subprocessor. If you object on reasonable data protection grounds and we cannot resolve it, you may terminate and export your data.

4. International transfers

Where a subprocessor processes data outside the EEA, transfers rest on the EU Standard Contractual Clauses or an adequacy decision, as implemented in that subprocessor's own DPA with us.

5. The boring but binding part

This DPA lasts as long as the Terms do and ends when your data is deleted. If it conflicts with the Terms on data protection, this DPA wins. Governing law follows the Terms: Bulgaria.