Data Processing Agreement
Effective July 14, 2026
This DPA is part of the Terms of Service and applies automatically to every customer. No signature needed. If your compliance process requires a countersigned copy, email support@keyline.sh and we will provide one.
You (the customer) are the controller of the personal data in your workspace. We (Keyline, operated by a sole proprietor based in Bulgaria) are your processor under Article 28 GDPR.
1. What processing looks like here
Keyline is zero-knowledge by design. Secret values are encrypted on your devices before upload; we hold ciphertext we cannot decrypt. The personal data we actually process for you is small:
| Data | Subjects | Purpose |
|---|---|---|
| Emails, names, workspace roles | Your team members | Accounts, invitations, sign-in |
| Device public keys | Your team members | Authentication and key wrapping |
| Audit events (who did what, when) | Your team members | The tamper-evident audit log you rely on |
| Short-lived technical logs (IPs) | Your team members | Security and debugging |
Duration: while your workspace exists. Nature: hosting, storage, transmission. We process this data only to run the service.
2. Our obligations
- We process personal data only on your documented instructions: this DPA, the Terms, and your use of the product. We tell you if we believe an instruction breaks the law.
- Everyone with access is bound by confidentiality.
- We apply the measures on our security page: client-side encryption, TLS, hashed scoped tokens, per-environment access control, and a publicly anchored audit log.
- We help you respond to data subject requests and, where relevant, with your obligations under Articles 32 to 36. Most requests you can handle yourself: members, devices, and audit history are visible in your dashboard.
- We notify you without undue delay after becoming aware of a personal data breach affecting your data.
- Delete your workspace and its data goes with it; backups expire on a rolling basis. On request we confirm deletion.
- We make available the information needed to demonstrate compliance, and allow audits. For a service at our size that means our public documentation first; reasonable written questions answered within 30 days.
3. Subprocessors
You authorize these subprocessors. We remain responsible for them.
| Subprocessor | Role | Location |
|---|---|---|
| Vercel | Application hosting | USA/EU |
| Neon | Database hosting | EU region |
| Resend | Transactional email (invitations, sign-in links) | USA |
| Functional Software (Sentry) | Error monitoring, scrubbed before send | EU (Germany) |
Paddle handles billing as an independent merchant of record, not as our subprocessor. The public audit anchors contain only hashes, no personal data.
We will update this page at least 14 days before adding or replacing a subprocessor. If you object on reasonable data protection grounds and we cannot resolve it, you may terminate and export your data.
4. International transfers
Where a subprocessor processes data outside the EEA, transfers rest on the EU Standard Contractual Clauses or an adequacy decision, as implemented in that subprocessor's own DPA with us.
5. The boring but binding part
This DPA lasts as long as the Terms do and ends when your data is deleted. If it conflicts with the Terms on data protection, this DPA wins. Governing law follows the Terms: Bulgaria.