> /data-processing-agreement
Data Processing Agreement
Last updated: April 3, 2026
This Data Processing Agreement (DPA) forms part of the Terms & Conditions and applies to all CHKDSK Labs products and services where personal data is processed on behalf of a user.
1. Roles and Scope
- User acts as Controller.
- CHKDSK Labs acts as Processor.
- Processing is limited to providing product functionality, support operations, and services requested by the user.
2. Categories of Data
| Category | Data Elements |
|---|---|
| Account identifiers | Name, email, username, user ID, avatar URL (varies by product and auth provider) |
| Authentication credentials | OAuth tokens, session tokens (encrypted/hashed at rest) |
| User-generated content | Posts, entries, reactions, follows, support ticket content |
| Product-specific metadata | Repository/PR metadata, extension settings, preferences, notification configurations |
| Payment identifiers | Stripe customer ID, subscription ID (no card data) |
| Device identifiers | Generated device ID for license lookup (browser extensions) |
| Usage and operational data | API request metrics (anonymized), usage counters, analytics data |
Applicable projects
- [x]CHKDSK Labs Website
- [x]Ridge Sight
- [x]Refresso
- [x]ConVersely
- [ ]HissCheck
- [ ]L-BOM
- [ ]GUI-BOM
- [x]CrabTalk
- [ ]Pomotok
3. Processor Obligations
- Process personal data only on documented user instructions.
- Apply confidentiality obligations to personnel with data access.
- Implement appropriate technical and organizational safeguards.
- Notify the user of confirmed personal data breaches without undue delay, and no later than 72 hours after becoming aware of the breach (GDPR Article 33).
- Support user requests for access, deletion, and correction.
4. Security Measures
- HTTPS and security headers across all web properties.
- Encryption at rest for sensitive credentials (AES-256-GCM).
- Input validation and bounded field sizes on all APIs.
- Webhook signature verification (HMAC-SHA256) for inbound events.
- Row-Level Security (RLS) on database tables where applicable.
- AI inference routed exclusively through ZDR-compliant models via the Vercel AI Gateway.
5. Sub-Processors
Current sub-processors are listed on the Third-Party Services page, which indicates which products use each sub-processor. Material changes are reflected there.
6. International Transfers
Where cross-border transfers occur, CHKDSK Labs uses recognized transfer safeguards from its infrastructure and processor providers, including EU Standard Contractual Clauses (SCCs) where required.
7. Retention and Deletion
Data is retained only as long as necessary for service delivery, security operations, and legal obligations. Retention periods are documented in the Privacy Policy. Users may request deletion of personal data by contacting jay@chkdsklabs.io or by using in-product account deletion features where available.
8. Contact and Updates
Questions about this DPA can be submitted via our support page. This DPA is updated when processing scope or processor relationships change.