Legal & Compliance

Transparency and trust are the foundation of our security services. Review our policies to understand how we protect your business.

Data Processing Addendum (DPA)

This Data Processing Addendum ("DPA") details the technical and organizational security measures Custodia LLC employs to protect Client Data.

1. Security Measures

Custodia implements the following controls to ensure the confidentiality, integrity, and availability of data:

Encryption

  • At Rest: All databases and storage buckets are encrypted using AES-256 integrity protection.
  • In Transit: All data transmission occurs over TLS 1.2 or higher.

Access Control

  • Least Privilege: Access to production systems is restricted to authorized engineers on a strictly need-to-know basis.
  • MFA: Multi-Factor Authentication is enforced for all administrative access.

2. Sub-Processors

Client authorizes Custodia to engage the following third-party sub-processors:

Entity               Purpose                         Location
Vercel Inc.          Cloud Hosting & Edge Functions  USA
Resend Inc.          Email Delivery                  USA
Supabase / Postgres  Database Storage                USA

3. Data Breach Notification

In the event of a confirmed Personal Data Breach, Custodia will notify Client without undue delay, and in any event within 72 hours of becoming aware of the breach. Notification will be sent to the primary contact email on file.

4. Audit Rights

Upon request and subject to a confidentiality agreement, Custodia will provide its most recent SOC 2 Type II report (when available) or equivalent security questionnaire responses to demonstrate compliance with this DPA.