Data Processing Addendum (DPA)
Last Updated: October 16, 2025
This Data Processing Addendum (DPA) supplements the Saturn Terms of Service and applies to Enterprise customers subject to data protection laws, including the EU GDPR.
Note: The complete DPA with all annexes and Standard Contractual Clauses (SCCs) is available in website/docs/legal/dpa.md. Enterprise customers should contact legal@saturn.io to execute the DPA.
Overview
Parties:
- Controller: You (the Customer)
- Processor: Saturn, Inc.
Scope: All Personal Data processed by Saturn on behalf of Customer in connection with the Services.
Data Processing Terms
Saturn processes Personal Data only:
- As necessary to provide the Services
- As documented in the DPA and its Annexes
- As instructed by Customer via the Services
- As required by applicable law (with notice to Customer)
Sub-Processors
Saturn engages the following sub-processors:
| Sub-processor | Service | Location |
|---|---|---|
| Vercel Inc. | Web Hosting | USA (Global Edge Network) |
| Fly.io, Inc. | Worker Hosting | USA |
| Neon, Inc. | Database | USA |
| Upstash, Inc. | Caching & Queues | USA |
| Sentry.io, Inc. | Error Tracking | USA |
| Resend, Inc. | Email Delivery | USA |
| Stripe, Inc. | Payment Processing | USA/Ireland |
Saturn will notify Customer at least 30 days in advance of engaging new sub-processors. Customer may object on reasonable data protection grounds.
Security Measures
Saturn implements appropriate technical and organizational measures (TOMs):
- Encryption: TLS 1.2+ in transit, AES-256 at rest
- Access controls: RBAC, MFA for employees, least privilege
- Row-level security: Database queries scoped to Customer's organization
- Token hashing: SHA-256 (irreversible)
- Rate limiting: 60-120 requests/minute
- Audit logging: All administrative actions logged
- Incident response: Documented procedures for breaches
See Security Overview for full details.
Data Subject Rights
Saturn will assist Customer in fulfilling Data Subject requests, including:
- Access: Export Personal Data in machine-readable format (JSON/CSV)
- Rectification: Enable Customer to correct data via the Services
- Erasure: Delete Personal Data within 30 days of Customer's instruction
- Restriction: Temporarily suspend processing (e.g., disable monitors)
- Portability: Export data in structured format
Data Breach Notification
Saturn will notify Customer without undue delay, and within 72 hours, after becoming aware of a Personal Data Breach affecting Customer's data.
International Data Transfers
For Personal Data originating from the EEA, UK, or Switzerland, Saturn relies on:
- Standard Contractual Clauses (SCCs): EU Commission's SCCs (Module 2: Controller-to-Processor)
- Supplementary measures: Encryption, access controls, contractual protections
Return and Deletion of Data
Upon termination or Customer's written request, Saturn will:
- Return all Customer Personal Data in machine-readable format (JSON/CSV), OR
- Delete all Customer Personal Data from production systems and backups
Timeline: Within 30 days of termination or request.
Audit Rights
Customer may audit Saturn's compliance with the DPA:
- Frequency: Once per calendar year (unless required by Supervisory Authority)
- Advance notice: At least 30 days
- Audit alternatives: SOC 2 Type II reports, ISO 27001 certification (when available)
Contact for DPA Execution
Enterprise customers: To execute a DPA, please contact:
- Email: legal@saturn.io
- Subject Line: "DPA Request - [Your Company Name]"
Annexes
The complete DPA includes the following annexes:
- Annex A: Details of Processing (subject matter, categories of data, data subjects)
- Annex B: Security Measures (technical and organizational measures)
- Annex C: Standard Contractual Clauses (EU Commission SCCs)
- Annex D: UK International Data Transfer Addendum
For the complete DPA with all annexes, signature blocks, and Standard Contractual Clauses, see website/docs/legal/dpa.md or contact legal@saturn.io.