Data Processing Agreement

When Eline processes personal data on your behalf — for example, employee email addresses pulled from a connected CRM — you are the data controller and Eline is the data processor under GDPR Article 28.

This DPA binds Eline to process that data only as your agent, only on your documented instructions, and only for the purposes spelled out in our Terms of Service.

This DPA covers:

• Personal data you upload to Eline directly (account holders).
• Personal data Eline pulls from connectors you authorize (e.g., contact rows from HubSpot, employee emails from Gmail metadata).
• System-generated data Eline creates while operating the service (audit log entries, recon events).

Eline uses the following sub-processors as of the effective date:

• Supabase (database, auth, storage) — AWS ap-south-1.
• Vercel (hosting, edge functions, analytics) — global.

We’ll give you 30 days’ notice before adding any new sub-processor with access to your data. You may object during the notice window; if we can’t agree on a substitute, you may terminate the affected service for a pro-rated refund.

Eline implements technical and organizational measures appropriate to the risk, including:

• Encryption at rest (AES-256) and in transit (TLS 1.3).
• Per-organization data encryption keys, with optional bring-your-own-key (BYOK).
• Least-privilege access controls; production access is logged and audited.
• Annual penetration test by an external firm.
• Quarterly access reviews; offboarding within 24 hours of termination.
• SOC 2 Type II in progress (target Q2 2026).

Where personal data of EU/UK data subjects leaves the EEA/UK, Eline relies on the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum. The applicable modules are incorporated into this DPA by reference.

When a data subject contacts you with a GDPR request that Eline can help fulfill (access, correction, deletion, portability), email privacy@eline.com. We’ll assist within 30 days. We don’t respond directly to data subjects unless required by law.

Customers under enterprise contracts may audit Eline’s compliance with this DPA once per year, with at least 60 days’ notice and during business hours, at the customer’s expense. Where a recent SOC 2 Type II report covers the audit’s scope, we’ll provide it in lieu of an on-site audit.

Eline will notify affected customers of any personal data breach within 72 hours of discovery, with the information GDPR Article 33(3) requires. We’ll cooperate fully with any required notifications to supervisory authorities or data subjects.

On termination of the service, Eline will return or delete all personal data within 90 days, at your option. Audit log entries are retained for 7 years for financial-records purposes; everything else goes.

Email privacy@eline.com for any DPA matter, including to request a counter-signed copy on company letterhead.