KrexelHome

Legal

Data Processing Addendum.

Last updated 2026-07-14. Public summary — the countersigned version is the one you sign with us.

Roles

For the lifetime of a customer contract, Krexel acts as the data processor for any personal data you put into the service. You are the data controller. This split follows the GDPR definition: we process data under your written instructions (the ToS), and we never use customer data for our own marketing or profiling purposes.

What we process

Only what's needed to run the service:

  • Account email + bcrypt password hash (Supabase).
  • The project source files you deploy (Cloudflare R2).
  • Deploy logs and status metadata (Cloudflare KV).
  • Optional billing details tokenised by Stripe (we never see your full card).

See our security disclosure for the storage and transport details.

Where it sits

  • Supabase — Postgres + Auth — US (East) or EU (Frankfurt) depending on the customer's region toggle in onboarding. EU routing is the default for accounts with a billing address in the UK or EU.
  • Cloudflare — Workers + R2 + KV — global edge, EU-cached where possible. R2 buckets are region-pinned at creation; the default for new buckets is weur (Western Europe).
  • Vercel — marketing site hosting + anonymous analytics. No customer data passes through Vercel.
  • Stripe — billing — US; we receive a tokenised payment method reference back.

Standard Contractual Clauses

For cross-border transfers out of the EU/UK, we apply the EU Standard Contractual Clauses (Decision 2021/914) for any transfer from a customer in the EEA/UK to a sub-processor outside that region. The SCC module applies to Supabase, Cloudflare (US edge nodes), and Vercel.

For the UK specifically, we additionally apply the UK International Data Transfer Addendum to the EU SCCs. Customers in the UK can request a countersigned copy that bundles both modules as a single instrument.

Retention

  • Account data — kept while the account is active; purged 30 days after deletion (soft window for restore requests).
  • Source files — kept until you delete the project; purged within 7 days of deletion.
  • Deploy logs — kept for 90 days; then rotated to a cold archive for compliance, then deleted at 12 months.
  • Backups — Postgres point-in-time recovery for 7 days; encrypted; deleted on rotation.

Your obligations (data subject rights)

We make it operationally possible for you to act on data subject requests without our help: every customer workspace has a Settings → Members view that exposes the per-customer data subjects, and a setting to extract or delete a single subject. The deletion is replicated to KV and R2 within one business day.

If you can't use these self-service paths (e.g. a regulatory deadline that crosses multiple jurisdictions), write to privacy@krexel.com. We respond within 5 business days.

Breach notification

We commit to notifying affected controllers within 72 hours of becoming aware of a breach that puts their data at risk. Notification goes to the security contact on the account and to the legal contact if one is on file. We include: nature of the breach, categories of data affected, approximate volume of records, mitigation steps already taken, and the contact for follow-up.

Countersigning

For enterprise procurement: email legal@krexel.com. We send the countersigned PDF within 3 business days.